Social engineering (in the context of information security) is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. To put that into a perspective that everyone can understand, social engineering is the art of criminal manipulation. Criminals try to manipulate you into giving up sensitive information like passwords or account information, or into giving them access to your computer so they can install malicious software. (That software, in turn, can give criminals access to your accounts and passwords and control of your computer.)
Criminals use this tactic because it works. Humans tend to see the good in everyone. It is usually easier to use a person’s natural inclination to trust than it is to discover other ways to hack your software or computers.
Experts agree that the most vulnerable part of any security system is the human operating it. No amount of locks, deadbolts, alarm systems or guard dogs will protect you from the pizza delivery guy you are trusting at face value. If you let him in without first checking whether he is legitimate, you are exposed to whatever threat he may represent. The Energy Credit Union wants to show our members how to protect themselves from social engineering and how to recognize the common red flags of a fraudulent email sent by a criminal who is attempting to manipulate them. Let's look at how scammers can manipulate an email to catch you!
Who is the email from?
- I don’t recognize the sender’s email address as someone I ordinarily communicate with.
- This email is from someone outside my organization and it’s not related to my job responsibilities.
- This email was sent from someone inside the organization or from a customer, vendor, or partner and is very unusual or out of character.
- Is the sender’s email address from a suspicious domain (like micorsoft-support.com)?
- I don’t know the sender personally and they were not vouched for by someone I trust.
- I don’t have a business relationship nor any past communications with the sender.
- This is an unexpected or unusual email with an embedded hyperlink or an attachment from someone I haven’t communicated with recently.
Who is the email to?
- I was cc’d on an email sent to one or more people, but I don’t personally know the other people it was sent to.
- I received an email that was also sent to an unusual mix of people. For instance, it might be sent to a random group of people at my organization whose last names start with the same letter, or a whole list of unrelated addresses.
When was the email sent?
- Did I receive an email that I normally would get during regular business hours, but it was sent at an unusual time like 3 a.m.?
What is the subject of the email?
- Did I get an email with a subject line that is irrelevant or does not match the message content?
- Is the email message a reply to something?
Are there any attachments?
- The sender included an email attachment that I was not expecting or that makes no sense in relation to the email message. (This sender doesn’t ordinarily send me this type of attachment.)
- I see an attachment with a possibly dangerous file type. The only file type that is always safe to click on is a .txt file.
Are there any hyperlinks?
- I hover my mouse over a hyperlink that’s displayed in the email message, but the link-to address is for a different website. (This is a big red flag.)
- I received an email that only has long hyperlinks with no further information, and the rest of the email is completely blank.
- I received an email with a hyperlink that is a misspelling of a known web site. For instance, www.bankofarnerica.com — the “m” is really two characters — “r” and “n.”
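As an added example (not part of the credit union's article), here is a small Python check that applies two of the flags above to one message: a sender or link domain that imitates a trusted one, such as micorsoft-support.com or bankofarnerica.com, and link text that shows one address while the link itself points somewhere else. The trusted-domain list, the confusable-letter table and the sample message are all constructed for the example; a mail filter would load its own list and use a proper HTML parser.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Domains you actually do business with (constructed sample list; use your own).
TRUSTED = {"bankofamerica.com", "microsoft.com"}
# Letter pairs that pass for another letter at a glance, e.g. "rn" read as "m".
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def normalize(host):
    host = host.lower().strip(".")
    return host[4:] if host.startswith("www.") else host

def host_of(text):
    """Hostname of a URL, or of a bare domain typed as link text."""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""

def lookalike_of(host):
    """Trusted domain this host imitates, or None if it is genuine or unrelated."""
    host = normalize(host)
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return None
    for seq, letter in CONFUSABLES.items():
        host = host.replace(seq, letter)      # "bankofarnerica" -> "bankofamerica"
    tokens = host.split(".")[-2].split("-") if "." in host else [host]
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        # ratio >= 0.85 tolerates roughly one swapped or dropped letter in a long brand name
        if host == trusted or any(SequenceMatcher(None, t, brand).ratio() >= 0.85 for t in tokens):
            return trusted                    # "micorsoft-support" -> "microsoft"
    return None

def red_flags(sender, html_body):
    """Apply the sender-domain and hyperlink checks from the list to one message."""
    flags, sender_domain = [], sender.rsplit("@", 1)[-1]
    if hit := lookalike_of(sender_domain):
        flags.append(f"sender domain {sender_domain} imitates {hit}")
    # Simplified anchor extraction for the example; a real scanner should use an HTML parser.
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html_body, re.I | re.S):
        target, text = host_of(href), re.sub(r"<[^>]+>", "", text).strip()
        # Visible text that is itself a URL or domain must agree with where the link really goes.
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) and normalize(host_of(text)) != normalize(target):
            flags.append(f"link text says {text} but points to {target}")
        if hit := lookalike_of(target):
            flags.append(f"link host {target} imitates {hit}")
    return flags

# Constructed sample using the two lookalike domains quoted in the checklist.
SAMPLE_SENDER = "alerts@micorsoft-support.com"
SAMPLE_BODY = '<p>Verify now: <a href="http://www.bankofarnerica.com/login">www.bankofamerica.com</a></p>'
```

Running `red_flags(SAMPLE_SENDER, SAMPLE_BODY)` reports the imitation sender domain, the mismatch between the visible link text and its real target, and the imitation link host.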
What is the content of the email?
- Is the sender asking me to click on a link or open an attachment to avoid a negative consequence or to gain something of value?
- Is the email out of the ordinary, or does it have bad grammar or spelling errors?
- Is the sender asking me to click a link or open up an attachment that seems odd or illogical?
- Do I have an uncomfortable gut feeling about the sender’s request to open an attachment or click a link?
- Is the email asking me to look at a compromising or embarrassing picture of myself or someone I know?
Here is a PDF for quick reference. Remember to stay vigilant and safe!