don't be an easy target
The most widespread type of social engineering attack is called phishing. Phishing usually involves sending fake bulk e-mails.
You can no longer say at first glance when you’re reading a fake e-mail. The sender, content, and visual appearance will look trustworthy as if the school, bank, or another institution sent them. What must always catch your attention, however, is a call to action. This can be a request to change your password, software update, service expiration date, or confirmation of accounts and information. The attacker will probably create a story, such as announcing upcoming distraint, an unpaid invoice, or maybe even notification of spreading phishing e-mails. The e-mail can also look like you are the sender, which creates the impression that your account has been stolen. The message will try to convince you to address an (urgent) problem and offer you quick help at the same time, which involves opening an attachment or clicking a URL link. This link will lead you to an authentically looking, but fake website of a particular institution or service. You open the attachment or enter login credentials, and that’s it, they got you. You may notice the consequences immediately, but it often takes weeks.
Save the link for reporting incidents.
It can come in handy not only for reporting phishing e-mails.
How do you recognize phishing?
Head of an IT department, license contract provider, faculty dean, or helpdesk, those are the people the attackers can claim they are. Nevertheless, none of them (including all the providers) will never ask you to send your password. Don’t let the attackers mess with you. After all, you can also sign yourself as a ruler of the universe (which you probably aren't).
“Dear user, data is now attacked, so we take immediate precautions. Change your password until Sunday here www.is-muni.cz/ics/passwordschanging. If you do not, your data may be deleted.Helpdesk MUNI firstname.lastname@example.org
Helpdesk MU email@example.com”
You’ve got an hour, two days, do it now, respond to at least something? Never! You always have enough time to consider the relevance of the demand and possibly check its authenticity. Just contact the corresponding institution or service. The attacker exploits fear or curiosity – the human character.
No matter how complicated the problem presented by the attacker is, the solution always seems to be pretty easy (share data, click a link, log into an app and change something). With the time pressure, it’s a perfect combination.
Errors all over the text
E-mail messages can contain mistakes or errors, including incorrect spelling or weird style. These constitute a warning that you’re not communicating with the actual director or someone important. The visuals will be almost perfect, though.
How not to get tricked?
Don’t rush and check the facts
Never let yourself be rushed into a fast and simple solution. The attacker might give you a time limit, which makes some of the fabulated stories more terrifying. One example: an unpaid order that you know you didn’t sign up for, but there’s a cancellation time limit to confuse you. Take your time and check the authenticity of the request.
Rewrite the URL address
Even if you really think you forgot to pay an invoice or that there’s an actual need for changing your password, never use the URL link from the e-mail. Type the URL manually and perform whatever required action on the official website. Do as you would do without the e-mail call to action.
Don't share private data foolishly
It's quite a bad habit. We commonly request or share private data via e-mail or phone. You can share this information or documents (a contract, a confirmation, personal data for employers, etc.) as a password-protected .zip file. And don’t forget to send the password through another communication channel. For example, send the .zip file by e-mail and send the password through social network – in this case, it’s ok to send the one-time password through an otherwise unsecured channel.
How come they know so much about you?
The more sophisticated kind of phishing is called spear phishing. It’s based on using detailed information about you or your workplace. Where the attacker finds them? Well, how much information do you usually and voluntarily share online, or someone else does it instead of you (like friends or employers)? The more you share, the easier target you are, and therefore, the more aware you have to be. That applies not just for sharing, but also for curiosity (don’t click on every exciting link).
Quiz: can you recognize a phishing e-mail?
Already done? No matter the results, let’s keep in mind that during the test, we’re all more cautious. The main rule stays the same: always be aware.