As we continue to see a rise in attempts of various kinds to take advantage of our network, here again is a brief review of some of the methods being used. Bottom line, PLEASE STAY VIGILANT to STAY SAFE!
Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to attack systems or networks. Social mining is an attempt to gather information about the organization that may be used to support future attacks.
Examples of commonly used types of social engineering:
Phishing is a digital form of social engineering that uses authentic-looking emails to trick users into sharing personal information. It usually includes a link that takes the user to a fake website. If you cannot verify the source, do not open the link. Report suspicious messages to your IT team.
- Spear Phishing is a type of phishing where a specific user or group of users is targeted because of their position (such as a company’s administrators).
- Quishing, short for QR code phishing, is a type of phishing where a QR code is used to trick users into visiting malicious websites or downloading malware.
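The phishing advice above says to verify a link before opening it. As an added illustration (not part of the original notice), the check below, written here from scratch with only the Python standard library, pulls every link out of an HTML message and flags the two most common tell-tales of a fake website: visible link text that shows one site while the real destination is another, and a bare IP address used as the host. The sample message is constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Anchor text that itself looks like a web address, e.g. "bank.example.com/login"
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def _host(url):
    # Lower-cased host of the real destination, without a leading "www."
    return (urlparse(url).hostname or "").lower().removeprefix("www.")

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class _LinkCollector(HTMLParser):
    # Collect (visible text, href) for every <a> element in the message
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html):
    """Return (text, href, reason) for each link that should not be opened unverified."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host, shown = _host(href), DOMAIN_RE.match(text)
        if _is_ip(host):
            findings.append((text, href, "raw IP address as host"))
        elif shown and shown.group(1).lower() != host:  # displayed site != real site
            findings.append((text, href, f"text shows {shown.group(1)} but link goes to {host}"))
    return findings

# Constructed sample message, not a real e-mail.
SAMPLE_EMAIL = """<p>Your account is locked. Verify now:</p>
<a href="https://bank.example.com-verify.invalid/login">https://bank.example.com/login</a>
<a href="http://198.51.100.7/reset">Reset password</a>
<a href="https://bank.example.com/help">Help centre</a>"""
```

Run `suspicious_links(SAMPLE_EMAIL)` and the first two links are reported while the genuine help link is not; a clean result does not prove a link is safe, only that these two tricks are absent.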
Social media exploitation is where the attacker uses information found on a user’s social media profiles to create a targeted phishing attack.
Pretexting and impersonation are where the attacker creates a fictional backstory that is used to manipulate someone into providing private information or to influence behavior. Attackers will often impersonate a person of authority, a co-worker, or a trusted organization and engage in back-and-forth communication prior to launching a targeted spear phishing attack.
- Fake IT Support calls are a common form of impersonation where someone pretends to be an authorized user or administrator in an attempt to gain illicit access to protected data systems. The attacker has enough information to sound credible, and they ask the user for some bit of information that will allow the attacker to gain access to the desired system.
Baiting is the use of a false promise to lure the user into a trap, including enticing ads that lead to malicious sites or encourage users to download a malware-infected application.
- Scareware is a type of baiting where false alarms or fictitious threats lure the user into a trap. One example is the attacker convincing a user that their system is infected with malware and that they should install software granting remote access. Another example is the attacker claiming to have sensitive videos which will be released if the user does not pay.
- Quid pro quo is a type of baiting where the attacker requests some type of sensitive information, such as critical data, login credentials, or monetary value, in exchange for a service. For example, a user might receive a phone call from an attacker who, posing as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials.
Tailgating, also known as “piggybacking”, is where an unauthorized person manipulates their way into a restricted area, such as by impersonating a well-known role (e.g., delivery driver or custodial worker) or asking a user to “hold the door”.
- Thread-jacking is a type of digital tailgating where the attacker replies to an existing email exchange, inserting themselves into a legitimate conversation.
Shoulder surfing is where an unauthorized person stands near a user to get the user’s password or other data from the user’s computer monitor.
To reduce the risk of shoulder surfing:
- Angle your computer so that other people cannot see what you are typing
- Use a privacy screen to make your screen less visible to others
- If possible, sit or stand with your back to a wall when entering a password on a device in public
- Try to avoid viewing restricted information in public
- Shield forms from view when filling out paperwork
- Use strong passwords to make it more difficult for someone to guess what you typed
- Remember to lock your computer or device when you leave your desk