Navigating the Phishy Social Engineering Ocean

SANS Security Awareness
5 min read · Jul 9, 2019


by Cheryl Conley

Whether we like it or not, we all have a digital footprint. Information about both our professional and personal lives is exposed, floating around the vast cyber ocean. Even if you prefer snail mail, telephone conversations, and writing checks, you are still at risk of falling victim to social engineering attacks.

The piranhas in the ocean (the adversaries) do their best to trick us into sharing confidential, personal information, and their most common attack vector is social engineering. This trickery can occur through email, over the phone, face-to-face, or on the stormy, wicked web. That makes social engineering a major factor in security awareness and in protecting our digital footprint.

The statistics associated with social engineering are staggering. Accenture Security reports that 85% of organizations now experience some degree of phishing and social engineering attacks, an increase of 16% over just one year. We can assume this will continue as long as people, our very own employees included, remain the weakest link in overall cybersecurity defense.

Navigating the Social Engineering Ocean

Cyber attackers and social engineers change their tactics over time, but there are some common signs to help you recognize an attack. Let’s look at a cyber criminal’s trends and tactics.

Phishing – Using email to trick you into providing sensitive information, whether by replying to the malicious message, clicking on bogus links, opening attachments, or entering data on a fake page.

Spear Phishing – Phishing attempts aimed at a specific individual or group, such as research engineers, and tailored with details about them.

Pretexting – Inventing a believable situation (the pretext), usually built from publicly available details about the target, and using it to manipulate the target or to impersonate someone they trust. It is common in email but works just as well over the phone or in person.

Scareware – As the name implies, a frightening pop-up that tries to get you to type in confidential, personal information, or to install software, in order to fix a supposed infection on your computer.

Vishing – Using the telephone to trick you into providing valuable, usually confidential, information.

Baiting – An attempt to hook you by offering something desirable, such as a free device or gift card.

Additionally, according to Verizon’s 2018 Data Breach Investigations Report, phishing and pretexting represent 98% of social incidents and 93% of breaches, and email remains the most common vector, at 96%.

While their tactics may be difficult to spot on the surface, there are common red flags that help you spot and thwart social engineering attempts while navigating the social engineering ocean. Be suspicious of any message or call that:

  • Requests or appeals for sensitive personal information, such as your SSN, user IDs, passwords, or banking details.
  • Carries a sense of urgency: you may be missing out on a deal, a service or network is about to be shut off, or funds will be lost.
  • Claims to come from a perceived authority, perhaps your bank or utility company.

Remember that social engineers exploit our willingness to provide information and to be helpful, and they are good at creating a trust relationship. Being able to recognize social engineering attempts is key, including the mother lode of social engineering: the phish.

The Social Engineering Mother Lode

Phishing remains the number one social engineering strategy, the buried treasure for the bad guys. Every day, countless phishing messages are sent to unsuspecting targets. While many of these messages are so bizarre that they are obviously fraudulent, others are far more convincing.

No one wants to believe they would fall for any type of scam, obvious or not. However, according to Verizon’s 2016 Data Breach Investigations Report, 30% of phishing emails were opened by their targets. Yes, you read that correctly: 30%! That is why phishing, as a social engineering tactic, is such an effective mechanism.

Additionally, CISA (the Cybersecurity and Infrastructure Security Agency) has warned of an email phishing campaign that impersonates DHS (Department of Homeland Security) notifications. The emails use a spoofed sender address so that they look like an NCAS (National Cyber Awareness System) alert, luring targets into downloading malware by opening an attachment.

So how do we guard against these phishing attacks? Unfortunately, there is no single tactic or process, but there are a host of things you can look for. The DO and DO NOT lists below will help you identify the dangerous phish.

DO…

…Check the real FROM address, not just the display name, and be wary of mail that claims to come from a reputable company but is sent from a free webmail account (such as Gmail) or from an unexpected or foreign domain.

…Mouse over links to see the real destination before you click.

…Keep your anti-virus software up to date.

…Use a different password for each account, and change it immediately if you suspect a breach. Consider using a passphrase and enabling multi-factor authentication for added protection.

…Forward phishing emails to the FTC and to your company’s support team or security office.

DO NOT…

…Click on links or open attachments unless you are sure they come from a trusted source. When in doubt, confirm with the sender through another channel, since a trusted contact’s account can itself be compromised.

…Give out personal or private information.

…Trust an email just because the branding looks real or it appears to come from someone you know.

…Click on, or call phone numbers listed in, pop-up ads.

…Forward a phishing email to other people, except to report it. Do not reply to phishing emails.

Still a Bit Lost at Sea? Additional Phishing Tips.

Here are some additional phishing and social engineering tips to help you raise the red buoy when dealing with email:

  • Look out for mismatched URLs: hover your mouse over the link and compare the displayed text with the actual destination address.
  • Poor grammar and spelling could be an indicator that it is a phish.
  • A request for personal information, or worse, a request for money, especially with urgency, can be a phish.
  • An offer that appears too good to be true probably is.
  • Unrealistic or unlikely threats could be a phish.
  • Content just doesn’t look right — trust your gut.
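The FROM-address and link-hover checks in the DO list above, and the mismatched-URL tip in this list, can be automated for a message you have saved. The Python example below is added here and is not code from the article or from SANS. It parses a raw email constructed for this example and flags three indicators: a brand-like display name on a free webmail sender, a Reply-To that differs from the From domain, and anchor text that is itself a URL but points at a different host than the href. The sample message, the sender and link domains, and the short free-webmail list are assumptions made for illustration.

```python
"""Heuristic phishing indicators for a raw email message.

Added illustration, not code from the SANS article: it automates the
checks the article asks readers to do by hand (look at the real FROM
address, compare a link's visible text with its true destination) and
adds a Reply-To check, since Reply-To is where a reply actually goes.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a bank-like display name on a free webmail sender,
# a Reply-To on a third domain, and a link whose visible text names one
# host while the href points at another. The second link is consistent.
SAMPLE_EMAIL = b"""From: "Example Bank Security" <examplebank.alerts@gmail.com>
Reply-To: support@examplebank-verify.example
To: victim@example.org
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be locked in 24 hours unless you verify it now.</p>
<p><a href="http://examplebank-secure.example.net/login">https://www.examplebank.example/login</a></p>
<p><a href="https://www.examplebank.example/help">Help Center</a></p>
</body></html>
"""

# Assumed list for the example; a real deployment would use a fuller one.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Domain part of an email address, lower-cased ('' if none)."""
    return addr.rpartition("@")[2].lower()


def _host(url):
    """Hostname of a URL, lower-cased ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def header_findings(msg):
    """Red flags in From / Reply-To: what 'check the FROM address' means."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    if name and from_domain in FREE_MAIL_DOMAINS:
        findings.append(f"display name '{name}' but free webmail sender {addr}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_domain:
        findings.append(f"Reply-To {reply} does not match From domain {from_domain}")
    return findings


def link_findings(msg):
    """Links whose visible text is a URL for a different host than the href."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        if text.startswith(("http://", "https://")) and _host(text) != _host(href):
            findings.append(f"link text shows {_host(text)} but goes to {_host(href)}")
    return findings


def analyze(raw_message):
    """Parse raw message bytes and return all red flags (empty list = none found)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    return header_findings(msg) + link_findings(msg)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("RED FLAG:", finding)
```

To use it on a real message, pass the bytes of a saved .eml file to analyze(). An empty result is not a clean bill of health: these are three of the indicators from the lists above, and a careful phish (a sender on a look-alike domain, link text that is a plain word rather than a URL) passes all of them, which is why the "trust your gut" advice still applies.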

Remember that in addition to appearing to come from organizations of authority such as your bank, phishing attempts may also appear to come from a wide range of other organizations, and they often take advantage of current events and specific times of the year, such as:

  • Natural disasters or significant weather issues
  • Global health scares, even flu season
  • Financial or monetary concerns, like IRS scams
  • Major political elections
  • Holidays and celebrations, such as international sporting events

Additional Resources

The following resources from the SANS OUCH! Newsletter, which is published monthly, contain additional information on both social engineering and phishing. Always keep in mind that people, the human element, rather than technology alone, are our first line of defense in recognizing and stopping many of these attacks.

About the Author

Cheryl Conley
Cyber Governance Risk & Compliance Senior Staff, Lockheed Martin (Retired)

Cheryl Conley, recently retired, was a Senior Staff Lead for the Cyber Communications & Employee Engagement team, part of Lockheed Martin’s (LM) Corporate Information Security organization. With 35 years at LM, her focus and passion continue to be on strengthening the cyber-culture through various innovative education and awareness efforts. She is a regular presenter at the SANS Security Awareness Summits, and an editorial board member for the SANS monthly OUCH! Newsletter. Conley received the LM Excellence in Leadership Award for solving complex challenges in cybersecurity and the Catalyst Award Recognition in 2018.
