Threat actors are always thinking of new ways to target individuals and businesses, trying to acquire personal information, login credentials, or other sensitive information. One of the most common trends today is social engineering. Social engineering is pretending to be someone else to fool a person into revealing sensitive information, passwords, or other information that compromises a target system’s security. Do not become a victim of social engineering by unwittingly giving out information to an unknown person. A skilled social engineer will convince you that (a) they are someone they are not and (b) there is no harm in giving them the information they are requesting.
Always remember that social engineering can happen through multiple channels, such as email, text messages, and telephone calls. Take these steps to help ensure that you don’t become a victim: Authenticate, Authorize, Call Back, Don’t Be Pressured, Be Alert, Be Polite but Firm, and Report.
User Managed Information
Phishing is a type of spam used by identity and data thieves attempting to fool you by appearing to be from an established firm, service, or brand name. A phishing email might even appear to come from a proper company or consumer site; always check the address for any suspicious changes or “misspellings” which might not be obvious at a quick glance. If you don’t trust it, don’t open it! Treat incoming email cautiously and be careful about which emails you open.
- Be wary of deceptive e-mails that appear to be from legitimate sources, especially those that ask you for your password or other sensitive information.
- Do not open these e-mails or click on suspicious links or attachments. Instead, add them to your blocked message list and delete them immediately.
- Limit your exposure.
- Think before you click.
Phishing attacks may appear to come from other types of organizations, such as charities. Attackers often take advantage of current events, money concerns, or certain times of the year, for example:
- Natural disasters (e.g., Hurricane Harvey, Indonesian tsunami)
- Epidemics and health scares (e.g., COVID-19, H1N1)
- Economic concerns (e.g., IRS scams)
- Major political elections
- Money winnings (e.g., Get rich quick schemes)
- Job-related benefits such as pay, retirement information, pay increases, or bonuses
- Anything that can elicit an emotional response
Tech Support Scams
Over the past few years, online service providers have been stepping up their security game by messaging customers when they detect unusual or worrisome activity on their users’ accounts. Not surprisingly, the bad guys are using this to their advantage. Many of these fake notices are designed poorly, with bad grammar and so on, but others look legitimate enough for someone to click if they weren’t paying close attention. They also create a sense of urgency by claiming that sensitive information, such as credit card or Social Security numbers, has been compromised. Hovering over the links would be enough to stop you from ending up on a credential-stealing website. Consider this fake PayPal security notice warning of potential “unusual log in activity” on their accounts.
Malicious .HTML attachments aren’t seen as often as .JS or .DOC file attachments, but they are desirable for a couple of reasons. First, there is a low chance of antivirus detection since .HTML files are not commonly associated with email-borne attacks. Second, .HTML attachments are commonly used by banks and other financial institutions, so people are used to seeing them in their inboxes.
Macros with Payloads
Malicious macros in phishing emails have become an increasingly common way of delivering ransomware in the recent past. These documents too often get past anti-virus programs with no problem. The phishing emails convey a sense of urgency to the recipient and, as you can see in the screenshot on this page, the document steps users through the process of enabling macros. If users fail to enable the macros, the attack is unsuccessful.
Social Media Exploits
LinkedIn Phishing Attacks
Another similar phish was delivered to an email account outside of LinkedIn.
Similar to the previous Facebook phishing attack, this one was delivered to an email account outside of LinkedIn.
This email was delivered through LinkedIn, as were the URLs used for several links included in the footer of this email (“Reply,” “Not interested,” “View Wells’s LinkedIn profile”).
Those URLs were obviously auto-generated by LinkedIn itself. Then the malicious actors used LinkedIn’s messaging features to generate this phish. From there it hit the external email account of the recipient (as opposed to his InMail box).
CEO Fraud Scams
Here’s an example of a KnowBe4 customer being a target for CEO fraud. The employee initially responded, then remembered her training and instead reported the email using the Phish Alert Button, alerting her IT department to the fraud attempt.
When the employee failed to proceed with the wire transfer, she received another email from the bad guys, who probably thought it was payday.
Phishing Indicators Example
Phishing emails are becoming more sophisticated and difficult to distinguish from legitimate emails. By impersonating a reputable company’s communications, these emails tend to use clever and compelling language, such as an urgent need for you to update your information or communicate with you for your security. To spot a phishing email, look for a combination of red flags. In this example, notice:
1. Non-Wells Fargo email address: The email address of the sender does not include the wellsfargo.com domain name, instead using something like “comcast.net”: WellsOnlineBank2@comcast.net.
2. Urgent call to action: The email includes an urgent request in the subject line and message copy, such as “for your protection and for security reasons.” Phishing emails may also contain extra spacing or unusual punctuation in addition to other red flags.
3. Suspicious URL: The email contains a link to a non-Wells Fargo URL, which could be a fraudulent website. If you’re using a laptop or desktop computer, you can check a link’s URL by hovering over it with your cursor, and the URL will show in your browser window.
How to recognize smishing
Smishing texts use similar techniques to phishing emails: a sense of urgency to secure your account or verify your identity, using words like “locked,” “deactivated,” or “for your protection” to describe your account status. These texts may prompt you to call a phone number, click on a link, or respond directly with personal or account information. To spot a phishing text, look for a combination of red flags. In this example, notice:
1. Suspicious sender: The text was sent by an unknown phone number, instead of one of Wells Fargo’s official short codes: 93557, 93733, 93729, or 54687.
2. Unusual text treatments: The text message contains a combination of unusual text treatments, including all caps, arrows, ID numbers, and an exclamation point.
3. Unprompted identity request: The request to verify the recipient’s identity was unprompted. Wells Fargo will request to verify your identity via access code only when prompted by an action that you have initiated, such as signing on to online banking or sending money.
Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities.
Tips to remember:
- If a purported business calls you and asks for personal information, be cautious.
- Remember, most banking institutions, the IRS, etc. will not call you and arbitrarily ask you for all of your personal details.
- Never say “yes” or confirm your identity until you fully understand the legitimacy of the caller.
How Can You Prevent Phishing?
PHISHING EMAILS — 10 TIPS ON HOW TO IDENTIFY AN ATTACK
Tip 1: Investigate the Display Name
Faking the display name of an email is a classic phishing ploy for hackers. A phishing email makes it into your inbox because email authentication defenses won’t block it. This is because, in the example above, “Bank of America” doesn’t own the domain “comcast.net.” Once it has been delivered, the email will appear legitimate because the display name is what’s presented in most user inboxes and mobile phones. Rather than relying on the display name, check the header From email address as well; if it looks suspicious, flag it.
Tip 2: The Header From Email Address
Not only can the display name be fake, but the header From email address (and the domain) can be as well. Keep in mind that just because the sender’s email address looks legitimate (e.g. firstname.lastname@example.org), it may not be. A familiar name in your inbox isn’t always who you think it is!
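As an added illustration (not code from the original page), the following Python script applies the red flags listed under “Phishing Indicators Example” and in Tips 1 and 2 to a constructed sample message: it extracts the header From domain separately from the display name, flags a brand-name display name that does not use the brand’s domain, looks for the urgency phrases quoted above, and compares each link’s visible host with its actual href. The sample message, the wellsfargo.example.net link and the phrase list are assumptions built for this demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Urgency phrases quoted on this page (assumed starting list; extend for your environment).
URGENCY = ("for your protection", "security reasons", "urgent", "verify your identity")

# Constructed sample modelled on the page's Wells Fargo / comcast.net example.
SAMPLE = """From: "Wells Fargo Online" <WellsOnlineBank2@comcast.net>
Subject: Action required for your protection and for security reasons

<p>Dear Valued Customer,</p>
<p>Please <a href="http://wellsfargo.example.net/login">sign in at wellsfargo.com</a>
to confirm your details.</p>
"""

def sender_domain(from_header):
    """Domain of the header From address, ignoring the display name (Tip 2)."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def display_name_mismatch(from_header, brand_domains):
    """Tip 1: the display name claims a brand whose domain the address does not use."""
    name, _addr = parseaddr(from_header)
    compact = name.lower().replace(" ", "")
    claims_brand = any(d.split(".")[0] in compact for d in brand_domains)
    return claims_brand and sender_domain(from_header) not in brand_domains

def urgency_hits(text):
    """Red flag 2: urgent call-to-action wording in the subject or body."""
    low = text.lower()
    return [p for p in URGENCY if p in low]

def link_mismatches(html):
    """Red flag 3: anchor text names one host but the href points somewhere else."""
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        href_host = re.sub(r"^https?://", "", href).split("/")[0].lower()
        for shown in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower()):
            if shown != href_host and not href_host.endswith("." + shown):
                out.append((shown, href_host))
    return out

def triage(raw, brand_domains=("wellsfargo.com",)):
    """Run every check over one raw message and return the findings as a dict."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    return {"sender_domain": sender_domain(msg["From"]),
            "display_name_mismatch": display_name_mismatch(msg["From"], brand_domains),
            "urgency": urgency_hits(msg["Subject"] + " " + body),
            "link_mismatches": link_mismatches(body)}
```

Run `triage(SAMPLE)` to see all three red flags raised at once; a message whose display name and From domain both belong to the brand reports no display-name mismatch.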
Tip 3: Review The Salutation
Who is the email addressed to? Is it to a vague “Valued Customer?” Legitimate businesses will often use a personal salutation with your first and last name, so beware if it doesn’t.
Tip 4: Urgent or Threatening Language is Another Tactic
Promoting a sense of urgency or fear is very common in phishing emails. Examples include subject lines that ask you to take action on an “urgent payment request” or claim your “account has been suspended.”
Tip 5: Don’t Give up Personal or Company Confidential Information
Legitimate businesses will never ask for personal credentials through an email. Hackers exploit exactly this, especially with fake bank and IRS correspondence! Furthermore, most businesses have policies in place that govern what may be requested over external communications. So, don’t “reset,” “sign in,” or enter a username or password through email; it’s a scam.
Tip 6: Look But Don’t Click
Hackers love to embed malicious links in what looks to be legitimate copy. To expose this fraud, hover your mouse over the link. If the link address looks weird, don’t click on it. If you’re skeptical about the link, send the email directly to your security team.
Tip 7: No Clicking on Attachments Either!
Just like malicious links, hackers embed malicious attachments that contain viruses and malware in their phishing emails. Malware can steal your passwords, damage files on your computer, or spy on you without you ever knowing. Curiosity killed the cat, so don’t open any email attachments you weren’t expecting.
Tip 8: Spelling Mistakes
Legitimate emails usually do not have major spelling mistakes or poor grammar – brands and corporations wouldn’t allow that. Read your emails carefully and if anything seems suspicious, report the email.
Tip 9: The Signature Line
Are you able to contact the company? Does the email provide details about the signer? If not, the email is most likely a phish. Legitimate businesses always provide their contact information. Make sure to check for them!
Tip 10: Be a Skeptic
Hackers are extremely good at what they do. Their expertise includes seemingly valid email addresses, language, and convincing brand logos. So be skeptical when it comes to your email inbox: if an email looks even remotely suspicious, do not open it. Instead, send it to your security team, and remember it is always better to be safe than sorry.