Threat actors are constantly finding new ways to target individuals and businesses in order to acquire personal information, login credentials, or other sensitive data. One of the most common trends today is social engineering: impersonating someone else, or otherwise manipulating a person, to trick them into revealing passwords or other information that compromises a target system’s security. Do not become a victim of social engineering by unwittingly giving information to someone you have not verified. A skilled social engineer will convince you that (a) they are someone they are not and (b) there is no harm in giving them the information they are requesting.

Always remember that social engineering can happen through multiple channels, including email, text messages, and telephone calls. Take these steps to help ensure that you don’t become a victim: Authenticate, Authorize, Call Back, Don’t Be Pressured, Be Alert, Be Polite but Firm, and Report. With the rising number of ransomware attacks and phishing messages, cyber security has never been more important than it is today.

Learn How to Protect Yourself Against the Threat of Social Engineering



User Managed Information

Phishing

Phishing is a type of spam used by identity and data thieves who try to fool you by appearing to come from an established firm, service, or brand name. A phishing email might even link to what looks like a legitimate company or consumer site; always check the address for suspicious changes or “misspellings” that might not be obvious at a quick glance. If you don’t trust it, don’t open it! Treat incoming email cautiously and be careful about which emails you open.

Avoid Phishing

  • Be wary of deceptive e-mails that appear to be from legitimate sources, especially those that ask you for your password or other sensitive information.
  • Do not open these e-mails, and do not click on suspicious links or attachments. Instead, add the sender to your blocked message list and delete the e-mail immediately.
  • Limit your exposure.
  • Think before you click.

Why Phishing Works

Phishing attacks may appear to come from other types of organizations, such as charities. Attackers often take advantage of current events, money concerns, or certain times of the year, for example:

  • Natural disasters (e.g., Hurricane Harvey, Indonesian tsunami)
  • Epidemics and health scares (e.g., COVID-19, H1N1)
  • Economic concerns (e.g., IRS scams)
  • Major political elections
  • Holidays
  • Money winnings (e.g., Get rich quick schemes)
  • Job-related benefits such as pay, retirement information, pay increases, or bonuses
  • Anything that can elicit an emotional response

Social Engineering Tactics

Phishing Examples

Tech Support Scams

Over the past few years, online service providers have stepped up their security by messaging customers when they detect unusual or worrisome activity on their accounts. Not surprisingly, attackers have turned this to their advantage by imitating those notices. Many are poorly designed, with bad grammar and similar giveaways, but others look legitimate enough that someone who isn’t paying close attention would click, and they create a sense of urgency by claiming that sensitive information such as credit card or Social Security numbers has been compromised. Hovering over the links to see where they really lead is usually enough to keep you off a credential-stealing website. Consider the fake PayPal security notice shown on this page, warning of “unusual log in activity” on the recipient’s account.

Infected Attachments

Malicious .HTML attachments are not seen as often as .JS or .DOC attachments, but they are attractive to attackers for a couple of reasons. First, there is a lower chance of antivirus detection, since .HTML files are not commonly associated with email-borne attacks. Second, .HTML attachments are commonly used by banks and other financial institutions, so people are used to seeing them in their inboxes. Opening one launches it in the browser, where it can present a local copy of a login form or redirect to a credential-harvesting site without the recipient ever clicking a link in the email body.

Macros with Payloads

Malicious macros in phishing emails have become an increasingly common way of delivering ransomware in recent years. These documents too often get past antivirus programs with no trouble. The phishing emails create a sense of urgency for the recipient and, as the screenshot on this page shows, the document itself walks the user through enabling macros. If the user does not enable macros, the payload never runs; this is why current versions of Microsoft Office block macros in files downloaded from the internet by default, and why that warning should not be overridden for an unexpected document.


Social Media Exploits

Facebook

Several Facebook users received messages in their Messenger accounts from other users already familiar to them. The message consisted of a single .SVG (Scalable Vector Graphic) image file which, notably, bypassed Facebook’s file extension filter. Users who clicked the file to open it were redirected to a spoofed YouTube page that prompted them to install two Chrome extensions allegedly needed to view the (non-existent) video on the page. For most users, the two Chrome extensions gave the malware a limited degree of self-propagation by exploiting the “browser’s access to your Facebook account in order to secretly message all your Facebook friends with the same SVG image file.” On some users’ PCs the embedded JavaScript also downloaded and launched Nemucod, a trojan downloader with a long history of pulling down a wide variety of malicious payloads on compromised PCs. Users unlucky enough to encounter this version of the malicious script saw their PCs taken hostage by Locky ransomware.

LinkedIn Phishing Attacks

A similar phish was delivered to an email account outside of LinkedIn. The email itself was sent through LinkedIn, as were the URLs used for several links in its footer (“Reply,” “Not interested,” “View Wells’s LinkedIn profile”). Those URLs were clearly auto-generated by LinkedIn. The malicious actors used LinkedIn’s messaging features to generate the phish, which then reached the recipient’s external email account (as opposed to only his InMail box).


CEO Fraud Scams

Here’s an example of a KnowBe4 customer being targeted by CEO fraud. The employee initially responded, then remembered her training and instead reported the email using the Phish Alert Button, alerting her IT department to the fraud attempt.
When the employee failed to proceed with the wire transfer, she received another email from the attackers, who probably thought it was payday.

Phishing Indicators Example

Phishing emails are becoming more sophisticated and harder to distinguish from legitimate emails. By impersonating a reputable company’s communications (a pretexting attack), these emails use clever and compelling language, such as an urgent need for you to update your information or a claim that they are contacting you “for your security.” To spot a phishing email, look for a combination of red flags. In this example, notice:

1. Non-Wells Fargo email address: The email address of the sender does not include the wellsfargo.com domain name, instead using something like “comcast.net”: WellsOnlineBank2@comcast.net.

2. Urgent call to action: The email includes an urgent request in the subject line and message copy, such as “for your protection and for security reasons.” Phishing emails may also contain extra spacing or unusual punctuation in addition to other red flags.

3. Suspicious URL: The email contains a link to a non-Wells Fargo URL, which could be a fraudulent website. If you’re using a laptop or desktop computer, you can check a link’s real destination by hovering over it with your cursor; the URL will show in the browser’s status bar, usually at the bottom of the window.

Example of Phishing Email

Smishing

How to recognize smishing.

Smishing attacks (SMS phishing) use the same techniques as phishing emails: a sense of urgency to secure your account or verify your identity, using words like “locked,” “deactivated,” or “for your protection” to describe your account status. These smishing attacks may prompt you to call a phone number, click on a link, or respond directly with personal or account information. To spot a smishing text, look for a combination of red flags. In this example, notice:

1. Suspicious sender: The text was sent by an unknown phone number, instead of one of Wells Fargo’s official short codes: 93557, 93733, 93729, or 54687.

2. Unusual text treatments: The text message contains a combination of unusual text treatments, including all caps, arrows, ID numbers, and an exclamation point.

3. Unprompted identity request: The request to verify the recipient’s identity was unprompted. Wells Fargo will request to verify your identity via access code only when prompted by an action that you have initiated, such as signing on to online banking or sending money.

Smishing Example

Vishing

A vishing attack (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked over the phone into revealing critical financial or personal information to unauthorized parties.

Tips to remember:

  • If a purported business calls you and asks for personal information, be cautious.
  • Remember, most banks, the IRS, and similar institutions will not call you and arbitrarily ask for all of your personal details.
  • Don’t always trust your caller ID; scammers can use software to make a legitimate business name show up when they call.
  • Never say “yes” or confirm your identity until you have established that the caller is legitimate.

How Can You Prevent Phishing?


PHISHING EMAILS — 10 TIPS ON HOW TO IDENTIFY AN ATTACK

Tip 1: Investigate the Display Name

Faking the display name of an email is a classic phishing ploy. Such an email makes it into your inbox because email authentication defenses (SPF, DKIM, and DMARC) validate the domain in the From address, not the display name: in the example above, the message really was sent from a comcast.net account, which “Bank of America” does not own, so there is nothing for authentication to reject. Once delivered, the email appears legitimate because the display name is what most desktop and mobile inboxes show. Rather than relying on the display name, check the actual From address as well; if it looks suspicious, flag it.

Tip 2: The Header From Email Address

Not only can the display name be fake, but the From address (and its domain) can be as well: the From header is just text the sender writes, and unless the receiving mail system enforces SPF, DKIM, and DMARC, a forged company domain will be displayed as-is. Keep in mind that just because the sender’s email address looks legitimate (e.g. sendername@yourcompany.com), it may not be. A familiar name in your inbox isn’t always who you think it is!

Tip 3: Review The Salutation

Who is the email addressed to? Is it to a vague “Valued Customer?” Legitimate businesses will often use a personal salutation with your first and last name, so beware if it doesn’t.

Tip 4: Urgent or Threatening Language is Another Tactic

Promoting a sense of urgency or fear is very common in phishing emails. Examples include subject lines that ask you to act on an “urgent payment request” or claim your “account has been suspended.”

Tip 5: Don’ t Give up Personal or Company Confidential Information

Legitimate businesses will not ask for credentials through an email. Attackers lean on this scam especially in fake bank and IRS correspondence! Furthermore, most businesses have internal policies that prohibit requesting passwords or other credentials by email. So don’t “reset,” “sign in,” or enter a username or password in response to an email; it’s a scam.


Tip 6: Look But Don’t Click

Attackers love to embed malicious links in what looks like legitimate copy. To expose the fraud, hover your mouse over the link. If the link address looks odd, don’t click it. If you’re unsure about a link, send the email directly to your security team.

Tip 7: No Clicking on Attachments Either!

Just like malicious links, hackers embed malicious attachments that contain viruses and malware in their phishing emails. Malware can steal your passwords, damage files on your computer, or spy on you without you ever knowing. Curiosity killed the cat, so don’t open any email attachments you weren’t expecting.

Tip 8: Spelling Mistakes

Legitimate emails usually do not have major spelling mistakes or poor grammar – brands and corporations wouldn’t allow that. Read your emails carefully and if anything seems suspicious, report the email.

Tip 9: The Signature Line

Are you able to contact the company? Does the email provide details about the signer? If not, the email is most likely a phish. Legitimate businesses normally provide their contact information, so check for it!

Tip 10: Be a Skeptic

Hackers are extremely good at what they do. Their expertise includes seemingly valid email addresses, language, and convincing brand logos. So be skeptical when it comes to your email inbox —if an email looks even remotely suspicious, do not open it. Instead, send it to your security team, and remember it is always better to be safe than sorry.
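Putting the Wells Fargo indicators above and Tips 1, 2, 4, 6 and 7 into working code: the following Python script is an added example, not LBMC’s or any vendor’s tooling. It parses a raw message with the standard library, compares the brand named in the display name against a hypothetical allow-list of sending domains, looks for the urgency wording the page quotes, compares each link’s visible text with its real target, and lists the attachment types the page warns about. Both sample messages are constructed for the example (the phish is modelled on the page’s own WellsOnlineBank2@comcast.net address); BRAND_DOMAINS, the keyword list and the attachment list are assumptions a real deployment would tune.

```python
"""Red-flag triage for a raw email, following the page's indicators and tips.
Added example with constructed sample messages and assumed allow-lists."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brand named in a display name -> domains that brand really sends from.
BRAND_DOMAINS = {"wells fargo": {"wellsfargo.com"}, "paypal": {"paypal.com"}}
# Assumption: urgency wording taken from the page's own examples.
URGENCY = re.compile(
    r"\b(urgent|immediately|suspended|locked|deactivated|verify your|for your protection)\b", re.I)
# Attachment types the page singles out (.HTML, .JS, .DOC, macro documents, .SVG).
RISKY_EXT = (".html", ".htm", ".js", ".doc", ".docm", ".xlsm", ".svg")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: last two labels (a real tool would use the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw):
    """Return the list of red flags found in a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    # Tips 1-2 / indicator 1: brand in the display name, but the From domain is elsewhere.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(addr.rpartition("@")[2])
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain not in domains:
            flags.append(f"display name says {brand!r} but From domain is {from_domain!r}")

    # Tip 4 / indicator 2: urgent or threatening language in subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if URGENCY.search(msg.get("Subject", "")) or URGENCY.search(text):
        flags.append("urgent or threatening language")

    # Tip 6 / indicator 3: what the link text shows versus where the href really goes.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, shown in collector.links:
            if not href.startswith(("http://", "https://")):
                continue
            target = registrable(urlparse(href).hostname or "")
            match = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", shown.lower())
            if match and registrable(match.group(0)) != target:
                flags.append(f"link text {shown!r} actually goes to {target!r}")

    # Tip 7 and the attachment sections: file types the page warns about.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append(f"risky attachment {name!r}")
    return flags


def sample_phish():
    """Constructed phish modelled on the page's Wells Fargo indicators (not a real email)."""
    m = EmailMessage()
    m["From"] = "Wells Fargo Online <WellsOnlineBank2@comcast.net>"
    m["To"] = "customer@example.com"
    m["Subject"] = "Urgent: verify your account for your protection"
    m.set_content("Open this message in an HTML-capable client.")
    m.add_alternative('<p>For security reasons, sign on at '
                      '<a href="http://wellsfargo.com.secure-login.example/verify">'
                      "https://www.wellsfargo.com/signon</a></p>", subtype="html")
    m.add_attachment(b"<html></html>", maintype="text", subtype="html", filename="SecureDoc.html")
    return m.as_bytes()


def sample_legit():
    """Constructed benign statement notice for comparison."""
    m = EmailMessage()
    m["From"] = "Wells Fargo <alerts@wellsfargo.com>"
    m["To"] = "customer@example.com"
    m["Subject"] = "Your monthly statement is ready"
    m.set_content("Your statement is available in online banking.")
    m.add_alternative('<p>Sign on at <a href="https://www.wellsfargo.com/">wellsfargo.com</a>.</p>',
                      subtype="html")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("phish", sample_phish()), ("legit", sample_legit())):
        print(label, triage(raw) or "no red flags")
```

Run as-is, the constructed phish produces four flags (display name versus comcast.net, urgency wording, link text pointing at secure-login.example, and the .html attachment) while the benign notice produces none. The script is triage, not a verdict: `registrable` keeps only the last two labels, so a real deployment should use the public suffix list, and a message that passes every check can still be a phish sent from an attacker-registered lookalike domain.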

Phish Decision Flowchart

  • It is a good idea to slow down, stop, and think before making a poor judgment when reviewing emails.
  • An example thought process is illustrated in the Phish Decision Flowchart shown on this page.
  • It’s better to be safe than sorry.

Contact Us

We’re happy to answer any questions you may have.

Address & Phone Number

Headquarters – Cybersecurity Nashville, TN
201 Franklin Road
Brentwood, TN 37027

Phone Number: (615) 377-4600

Office Hours: 8am-5pm, Monday-Friday


Cybersecurity Charlotte, NC:
3800 Arco Corporate Drive, ​Suite 250
Charlotte, NC 28273
(704) 846-6750

Cybersecurity Knoxville, TN:
2095 Lakeside Centre Way
Knoxville, TN 37922
(865) 691-9000
