Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The perpetrator might use the phone, email, the post, direct contact or a combination thereof to gain illegal access to your information.
Educating your employees is the key. Even if you have the right technical solutions in place, nothing is ever fool-proof or immune to human error. But training your staff to identify a malicious email can prevent them from taking action that harms your network.
Let’s examine some of the red flags of a potential social engineering email attack.
Things to look out for in the email sender field
- If you do not recognise the sender’s email address as someone you ordinarily communicate with, but their email suggests otherwise, it might be a red flag for malicious attack.
- The email is from someone outside your organisation and not related to your job or responsibilities.
- If an email is sent from inside your organisation or from a customer, vendor or partner and is very unusual or out of character. An attacker may try to appear as an existing contact so that you are more likely to open their email. Sometimes the sender name might be be correct but the domain can appear spoofed.
- An example would be ‘[email protected]’ versus ‘[email protected]’, which at a glance looks almost identical but the ‘i’ is actually an ‘L’.
Things to look out for in the subject line
- Did you get an email with a subject line that is irrelevant or does not match the message content?
- Is the email message a reply to something you never sent or requested? A classic example is the support scam, and appears in many varieties. It’s commonly used by cybercriminals impersonating Netflix or Apple, and asks users to update their payment details or risk their account being suspended.
Things to look out for in the email content
- One of the most classic giveaways is when the content of the email has bad grammar or spelling errors, indicating it was translated with an online translation service.
- Is the sender asking you to click on a link or open an attachment?
- Is the attached file the correct extension? If you expect to receive a PDF and the attached file is an .exe or .zip file, it should be seen as a big red flag and indicates the attachment is hiding a malicious intent.
Here’s a quick rundown of the most common file extensions:
|Office Word||.doc or .docx|
|Office Excel Spreadsheet||.xlsx|
|Office PowerPoint||.ppt or .pptx|
|Compressed file||.zip or .rar|
- Is the sender asking you to click a link that seems odd or illogical? In some cases they might urge you to ‘take action immediately’ to invoke a sense of urgency or importance. If a link asks you to sign in, be sure to double check the URL and ensure you’ve been directed to the right location.
- Likewise you should be wary of malicious URLs containing letters that can look like others in an attempt to trick you to believe it’s the correct URL. An example of this is ‘rn’ that can come off as ‘m’ or ‘vv’ imposing a ‘w’. A safe step is to always navigate to the login page by doing it yourself.
- If a hyperlink is masked as ‘click here’ or ‘log in page’ it means they could direct you to a different URL to what you would expect and steal your information if you were to type it into the fraud website. If you are suspicious of a hyperlink, hover your mouse over the masked text and the URL will appear in the bottom right corner of your browser window.
What to do if you get scammed?
If you have entered your password into any website that you believe to be an attempt at social engineering fraud, you should promptly change your password. It may be convenient to use the same password for multiple services, however doing so means that a potential hacker needs to only need to get hold of one password to access all of your accounts.
If you’re looking to stay even safer, a lot of services allow for two step verification making it near impossible for hackers to get into your account.
If you’ve entered your bank or card details into any website that you believe is an attempt at social engineering fraud, contact your bank or card issuer and explain the situation.
Often people choose not to report the fraud because they’re embarrassed about falling for a scam. Some people believe that online fraud is not as serious as other crimes. This is not the case, and it should be taken just as seriously.
The UK’s national fraud reporting centre, Action Fraud, suggests that you always report fraud and cyber crimes. It ensures the correct crime reporting procedures are followed, and can prevent others from going through the same experience.
You can report a cyber crime at https://www.actionfraud.police.uk/report_fraud
Remember, always think before you click!
Our Quick Guide to Cyber Security has more helpful information like this. For practical tips you can apply to your business right away, grab your copy.