Social Engineering Tool Kit

How to recognize phishing email messages, links, or phone calls

Social engineering attacks are cyber-attacks that target employees and trick them into giving away confidential business information via email, phone calls, text messages, and letters.

  • 91% of cyber attacks start with a phishing attack. (PhishMe)
  • 95% of phishing attacks that led to a breach were followed by an installation of malware. (Verizon)
  • 66% of malware was installed via infected email attachments. (Verizon)

This course is meant to prepare and train your employees against common phishing attacks. At the end you will take a 5-minute quiz to help assess your and your employees' ability to identify phishing attacks. Knowing how to guard against phishing attacks will help you keep your data safe.

How to identify Phishing Tactics

Phishing is the fraudulent practice of obtaining sensitive information such as usernames, passwords, credit card details and bank details by using social engineering tactics such as emails, phone calls or malicious software. Attackers also use phishing tactics to gain access to the computer network and install malware such as ransomware or trojans that lock the essential files on the computer. 90% of data breaches are caused by phishing attacks.

Identifying Phishing Tactics:

  • “Phishing” (or fraudulent) emails look like they’re from a trusted source and often contain links to a phony login page on a fake website.
  • The subject lines may be threatening or may promise some amazing benefit.
  • The text of a phishing email usually has many spelling errors and bad grammar. Most such emails also open with a generic “Dear Customer.” salutation.[1]
  • In most cases, the sender’s email address doesn’t match the official organization email address. Always verify: if the email address claims to be from a government agency or an organization website, it should end with .gov or .org.
  • Phishing scammers lull their targets into a false sense of security by using the trusted logos of established, legitimate companies, or by pretending to be a known person.[2]
  • Phishing scammers pretend that personal information is required urgently, otherwise there will be terrible consequences. For example, they’ll write that you have won money, that your online bank account has been compromised and must be fixed immediately, or even that one of your close family members is hurt.
  • The content is written poorly, with obvious grammar errors and awkward sentence structure, as if it had been written by a computer program or by someone whose second language is English.

[1] https://www.healthcare.gov/blog/protect-against-email-phishing-scams/

[2] https://www.consumer.ftc.gov/articles/0003-phishing

Sample Phishing Emails

Tips and Advice

Steps to take to avoid Phishing attack:

  • If you think you have encountered a phishing email, do not download any attachments or click on links.
    • Instead, call the business and ask them for verification (do not call the phone number given in the phishing message).
  • If an email has a link, always “hover over” it to check where it actually leads before clicking.
  • Be wary of unexpected visits, unsolicited email messages and phone calls from unknown people who try to seek information about employees or about the business. Verify the identity and authorization of the employee who is seeking the information.[1]
  • Always refrain from disclosing classified information about the business or yourself if you are not sure of the authorization of the source asking for the information.
  • Back up essential files to an external source such as an external hard disk or cloud storage to protect them from virus or malware attacks.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Only use trusted security software, and make sure it is updated regularly.
  • Refrain from sending important information over an unsecured network.
  • Always pay attention to the URL of the website. Cyber attackers use websites that look identical to the genuine official websites but with a small variation in the URL.[2]
  • To verify the authenticity of an email, contact the company mentioned in the email directly. Do not use contact information provided on a website connected to the request. You can always gather information about known phishing attacks from online forums such as the Anti-Phishing Working Group.
  • Always have anti-virus software, anti-malware software and firewalls installed on your systems to safeguard against phishing attacks.
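The “Identifying Phishing Tactics” list and the tips above describe checks that a person performs by eye: does the sender’s domain match the organization, does the email open with a generic salutation, does it push urgency, and does the link text match where the link actually points when you hover over it. The following Python script is an added example, not part of this toolkit, that applies the same checks to a raw email message so that a security team can triage reported messages consistently. Both sample emails, the organization name, and every domain in it (all under the reserved `.test` TLD) are constructed for illustration; `registrable_domain()` is a deliberately simple last-two-labels approximation, since the example does not bundle a public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real phishing emails). "example-bank.test" plays
# the role of the legitimate organization; "examp1e-bank-secure.test" is a lookalike.
SAMPLE_PHISH = """\
From: "Example Bank Support" <support@examp1e-bank-secure.test>
To: employee@company.test
Subject: URGENT: your account has been compromised
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Your online bank account has been compromised and must be fixed immediately.</p>
<p><a href="http://examp1e-bank-secure.test/login">https://www.example-bank.test/login</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@example-bank.test>
To: employee@company.test
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<p>Hello Jordan,</p>
<p>Your statement is ready in online banking.</p>
<p><a href="https://www.example-bank.test/statements">View statements</a></p>
</body></html>
"""

URGENCY_WORDS = ("compromised", "immediately", "suspended", "urgent", "verify your account")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear valued customer")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs: the automated form of the 'hover over' check."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Assumed simplification: treat the last two labels as the organization's domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname of a URL; bare 'www.example.test/path' text is accepted as well."""
    parsed = urlparse(url_or_text if "://" in url_or_text else "http://" + url_or_text)
    return parsed.hostname or ""


def phishing_indicators(raw_message, expected_domain):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender address domain vs. the organization the email claims to be from.
    _, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower() if "@" in sender_addr else ""
    if registrable_domain(sender_domain) != expected_domain:
        findings.append(f"sender address domain {sender_domain!r} does not match {expected_domain!r}")

    html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    text = re.sub(r"<[^>]+>", " ", html).lower()          # crude tag stripping for keyword checks
    haystack = (msg.get("Subject", "") + " " + text).lower()

    # 2. Generic "Dear Customer" style salutation.
    for salutation in GENERIC_SALUTATIONS:
        if salutation in text:
            findings.append(f"generic salutation {salutation!r}")
            break

    # 3. Pressure language demanding immediate action.
    found = [w for w in URGENCY_WORDS if w in haystack]
    if found:
        findings.append("urgency language: " + ", ".join(found))

    # 4. Link checks: displayed URL vs. real destination, and destination vs. organization.
    extractor = LinkExtractor()
    extractor.feed(html)
    for href, shown in extractor.links:
        href_host = host_of(href)
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", shown, re.I):
            shown_host = host_of(shown)
            if registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append(f"link text shows {shown_host!r} but points to {href_host!r}")
        if registrable_domain(href_host) != expected_domain:
            findings.append(f"link destination {href_host!r} is outside {expected_domain!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw, "example-bank.test"))
```

Each finding maps back to one bullet on this page, so a reviewer can see which tactic the message uses rather than just receiving a score. The domain comparison is the weak point: a real deployment would replace `registrable_domain()` with a public-suffix-list lookup and maintain the expected domain per organization rather than passing it by hand.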

[1] http://sonomacounty.ca.gov/ISD/Security-Newsletter/January-2015/How-do-you-avoid-being-a-victim-/

[2] http://sonomacounty.ca.gov/ISD/Security-Newsletter/January-2015/How-do-you-avoid-being-a-victim-/

What to do if you get a phishing email

If you encounter a phishing email:

  • If you identify a phishing email, forward it to spam@uce.gov along with the name of the organization named in the email.
  • File a complaint with the Federal Trade Commission at FTC.gov/complaint.
  • In case some classified information has been leaked, visit identitytheft.gov.
  • In addition, phishing emails can be reported to reportphishing@apwg.org, the address of the Anti-Phishing Working Group.[1]

[1] https://www.consumer.ftc.gov/articles/0003-phishing

What do phishing scams look like?

Phishing Quiz

We have prepared a short, 5-minute quiz to help assess your and your employees’ ability to protect your business against cyber threats. Knowing how to guard yourself against such attacks will not only save you time, it will make sure you keep your personal records and information safe.
