Carnegie Mellon University

2019 NCSAM: Secure IT.

Navigating the Phishy Social Engineering Ocean

By Cheryl Conley

Whether we like it or not, we all have a digital footprint. Information about both our professional and personal lives is exposed, floating around the vast cyber ocean. Even if you prefer snail mail, telephone conversations, and writing checks, we're all at risk of falling victim to social engineering attacks.

The piranhas in the ocean (the adversaries) try their best to trick us into sharing confidential, personal information. And their most common attack vector is via social engineering. This trickery can occur through email, phone, face-to-face, or the stormy, wicked web. It makes social engineering a major factor in cyber security awareness and protecting our digital footprint.

The statistics associated with social engineering are staggering. Accenture Security reports that 85% of organizations now experience some degree of phishing and social engineering attacks, an increase of 16% over just one year. We can assume this will certainly continue as long as humans, our very employees included, remain the weakest link in overall cybersecurity defense.

Navigating the Social Engineering 

Cyber attackers and social engineers will modify their tactics, but there are some common signs to help you recognize an attack. Let's look at a cyber criminal's trends and tactics. 

Phishing - Using e-mail to trick you into providing sensitive information, whether by replying to the original malicious e-mail, clicking on bogus links, or opening attachments and entering data.

Spear Phishing - Phishing attempts aimed at specific targets, such as research engineers.

Pretexting - Typically used in e-mail, this is a technique where a fake situation is created from publicly available details about the target, and that information is then used for manipulation or impersonation.

Scareware - As the name implies, a frightening pop-up that tries to get you to type in confidential, personal, or private information in order to fix a supposedly infected computer.

Vishing - Using the telephone in an attempt to trick you into providing valuable, most likely confidential, information.

Baiting - An attempt to hook you by offering goods, such as a free device or gift card.

Additionally, according to the 2018 Data Breach Investigations Report, phishing and pretexting represent 98% of social incidents and 93% of breaches. Coming in at 96%, e-mail continues to be the most common vector.

While their tactics may seem difficult to spot on the surface, here are some common signs that help you spot and thwart social engineering attempts while navigating the social engineering ocean. They include:

  • A request or appeal for sensitive, personal information, such as SSN, user IDs, passwords, or banking information.
  • Correspondence that comes with a sense of urgency: you may be missing out on a deal, service, or network access, or even face a loss of funds.
  • Unsolicited communication from a perceived authority, perhaps your bank or utility company.

Remember that social engineers exploit our willingness to provide information and are good at creating a trust relationship. Being able to recognize social engineering attempts is key, especially if that attempt includes the mother lode of social engineering: the phish.

The Social Engineering Mother Lode

Phishing remains the number one social engineering strategy, the buried treasure for the bad guys. Countless phishing email messages are sent to unsuspecting targets every day. While many of these messages are so bizarre that they're obviously fraudulent, others can be far more convincing.

No one wants to believe they'd fall for any type of scam, obvious or not, but as long as people keep opening these emails, phishing, used as a social engineering tactic, remains the perfect mechanism.

Additionally, the CISA (Cybersecurity and Infrastructure Security Agency) is now aware of an email phishing scam that attempts to trick the DHS (Department of Homeland Security). The phishing emails use a spoofed e-mail address and are made to look like a National Cyber Awareness System alert, luring targets into downloading malware by clicking on an attachment.

So how do we guard against these phishing attacks? Unfortunately, there is no single key tactic or process, but there is a host of things you can look for.

The lists below cover ways to help us identify the dangerous phish:

DO...

  • Keep your anti-virus software up to date.
  • Use different passwords for each of your accounts, and immediately change the password if you suspect a breach. Consider using a passphrase or implementing multi-factor authentication for added protection.
  • Check the FROM address; be wary of supposedly reputable companies writing from GMAIL or foreign domains.
  • Mouse over links to see the real destination.
  • Forward phishing e-mails to the FTC or your company's information security office.

DO NOT...

  • Trust an e-mail just because the branding looks real or it appears to be from someone you know.
  • Click on, or call, phone numbers that are included in pop-up ads.
  • Click on any links or attachments unless you're sure they're from a trusted source.
  • Give out personal or private information.
  • Forward phishing e-mails to other people or reply to them.

Still a Bit Lost at Sea? Additional Phishing Tips.

Here are some additional phishing and social engineering tips to help you raise the red buoy when dealing with e-mail:

  • Look out for mismatched URLs - hover your mouse over the link and compare the address shown with the real destination.
  • Poor grammar and spelling could be an indicator that it is a phish.
  • A request for personal information, or worse, a request for money, especially with urgency, can be a phish.
  • An offer that appears too good to be true probably is.
  • Unrealistic or unlikely threats could be a phish.
  • Content that just doesn't look right - trust your gut.
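Several of the DO/DO NOT items and the tips above (check the FROM address, mouse over links and compare with the visible address, watch for a sense of urgency) can be turned into a simple screening script that a help desk or security office could run over a reported message. The following Python example is added here and is not part of the original article or any CMU tool; the free-mail domain list, the urgency phrases, the two-label "registrable domain" heuristic, and both sample e-mails are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed heuristics for this example: free-mail providers that a company would
# not send official notices from, and the pressure phrases the article warns about.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_CUES = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
# Visible anchor text that itself looks like a URL or bare domain.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'owner' part of a hostname: its last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def check_sender(msg):
    """'Check the FROM address': display name vs. the domain that really sent it."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    if name and from_domain in FREEMAIL_DOMAINS:
        findings.append(f"sender '{name}' actually uses free-mail domain {from_domain}")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_to and reply_to != from_domain:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {from_domain}")
    return findings


def check_links(html):
    """'Mouse over links': compare the visible link text with the real destination host."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        if not real_host or not LOOKS_LIKE_URL.fullmatch(text):
            continue  # no destination, or the text is just words like "click here"
        shown_host = urlparse(text if "://" in text else "//" + text).hostname or ""
        if registrable(shown_host) != registrable(real_host):
            findings.append(f"link shows '{text}' but really goes to {real_host}")
    return findings


def check_urgency(subject, body_text):
    """'Sense of urgency': pressure phrases in the subject or body."""
    haystack = f"{subject} {body_text}".lower()
    hits = [cue for cue in URGENCY_CUES if cue in haystack]
    return [f"urgency cues: {', '.join(hits)}"] if hits else []


def analyze(raw_message):
    """Run every check on an RFC 5322 message string and return the list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    findings = check_sender(msg) + check_links(html)
    findings += check_urgency(str(msg.get("Subject", "")), re.sub(r"<[^>]+>", " ", html))
    return findings


# Constructed sample messages (not real phishing mail): one suspicious, one benign.
SUSPICIOUS = """\
From: "Example Bank Security" <alerts.examplebank@gmail.com>
Reply-To: recover@mail-examplebank.example
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<p>We detected unusual activity. Verify your account immediately or it will be suspended within 24 hours.</p>
<p>Sign in at <a href="http://login.examplebank-secure.example/verify">https://www.examplebank.example/login</a></p>
"""

BENIGN = """\
From: "Example Bank" <alerts@examplebank.example>
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<p>Your statement is ready at <a href="https://www.examplebank.example/statements">https://www.examplebank.example/statements</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", analyze(sample) or ["no findings"])
```

Run it as-is and the suspicious sample produces four findings (free-mail sender, mismatched Reply-To, a link whose visible address differs from its real host, and a cluster of urgency cues) while the benign statement notice produces none. The checks are deliberately heuristic: a zero-finding result does not make a message safe, and the two-label domain comparison would need a public-suffix list before use on real mail.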

Remember that in addition to phishing emails appearing to come from organizations of authority such as your bank, these attempts may also appear to come from many different types of organizations, and often take advantage of current events and specific times of the year, such as:

  • Natural disasters or significant weather issues
  • Global health scares, even flu season
  • Major political elections
  • Holidays and celebrated events, such as international athletic events