In security jargon, social engineering is the act of using non-technical means to obtain confidential information. The attacker does not need to meet the victim in person. Attacks of this kind are called social engineering attacks: the intended victim is tricked into doing something the attacker needs. A common example is phishing, which is a kind of social engineering attack. If the term is still unclear, here is another example. Consider that X wants to break into a computer network using a social engineering trick. He will try to gain the attention of Y, who has authorized access to the network, in order to obtain the information needed to break the network's security. This is a social engineering attack.
How to avoid being a victim of Social Engineering Attacks?
- Never provide your personal information or information about your company/organization unless you are certain of the person’s identity and authority to have that information.
- Never reveal personal and financial information in email and do not respond to email solicitations for this information. This includes the links sent in email.
- If you are not sure whether an email you received is legitimate, verify it by contacting the company/organization directly. Do not use the contact information provided in that email; use the contact details from your previous correspondence instead.
- Always check the URL of a web site. A phishing site may look identical to the legitimate site, but its URL may differ slightly, for example by misplaced words or letters. Also check the domain name extension (such as .com or .org).
- Never send sensitive or valuable information over the Internet before checking the security of the website.
- Always be wary of unsolicited phone calls, visits and emails from individuals asking about your employees or similar information. Verify the person's identity directly with the company they claim to represent.
If you are a victim of such an attack:
- If you revealed sensitive information about yourself or your organization, report it to the appropriate people within the organization.
- If your financial accounts may have been compromised, contact your financial institution immediately and close any accounts that may have been affected.
Don’t give any sensitive information to anyone unless you are sure about the person’s identity and that they should have access to the information. Choose not to be a victim.
According to Wikipedia, Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
Something phishy, I guess? Below are some common signs of phishing. Even though phishers are skilled in some ways, they are fortunately bad in others, such as English grammar! 😀
What are the Signs of Phishing?
Identifying a phishing attempt can be quite tricky. Phishers are skilled, but they still leave clues for us. Here are some signs of phishing.
- Requests for personal information. If you get a request for personal information, first call the company and confirm whether the request is legitimate.
- Sense of urgency. Phishers often try to make people respond without thinking. If a message conveys a sense of urgency, for example by saying that your account will be closed in 2 days unless you take immediate action, treat it with suspicion.
- Errors and mistakes. This is the biggest clue of all. Phishers often make mistakes in their mails, warnings and so on.
- Addressed as "Customer". For example, if your bank regularly addresses you by name in its correspondence and you get an e-mail addressed to "Dear Customer", it may be the work of a phisher!
- Words like "Verify your account". A legitimate business or organisation will never ask its customers to send passwords, security numbers or any other personal details through e-mail. So always be suspicious of a mail that asks for personal information, no matter how authentic or genuine it looks.
- Links to access your account. Since many emails are HTML formatted, your mails may contain links to access your account on some website. But these may be fake links that take you to a fake or phony website.
- Use your instincts. If you think an email is fake or the work of phishers, it probably is!
Technical note: phishers commonly use the following technique. The Uniform Resource Locator (URL) will appear to be an authentic one from a well-known company but will be slightly altered by intentionally adding, omitting or transposing some letters.
Example : For www.godaddy.com
It will be like this,
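A check for exactly this kind of altered URL, added here as an example and not part of the original post: it assumes a hypothetical list of known-good domains (LEGIT) and a few constructed sample links, and flags a link whose domain is one letter away from a known-good one (added, omitted, changed or transposed) or uses the same name with a different extension.

```python
from urllib.parse import urlparse

def osa_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, swap adjacent letters) turning a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def registrable_domain(url: str) -> str:
    """Last two host labels ('www.godaddy.com' -> 'godaddy.com'); ignores suffixes like co.uk."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def check_url(url: str, legit_domains, max_edits: int = 1) -> str:
    """'legitimate', 'lookalike' (near spelling or swapped extension) or 'unknown'."""
    dom = registrable_domain(url)
    if dom in legit_domains:
        return "legitimate"
    name, _, ext = dom.rpartition(".")
    for legit in legit_domains:
        lname, _, lext = legit.rpartition(".")
        if name == lname and ext != lext:
            return "lookalike"  # same name, different extension (.com vs .co)
        if osa_distance(name, lname) <= max_edits:
            return "lookalike"  # one letter added, omitted, changed or transposed
    return "unknown"

# Constructed sample (hypothetical): one known-good domain and links as they
# might appear in an e-mail; the look-alike hosts are made up for this example.
LEGIT = {"godaddy.com"}
SAMPLE_LINKS = [
    "https://www.godaddy.com/account",
    "http://www.godady.com/login",
    "http://godaddy.co/verify",
    "http://www.g0daddy.com/",
    "https://example.org/",
]

def classify_links(links=SAMPLE_LINKS, legit=LEGIT) -> dict:
    return {u: check_url(u, legit) for u in links}
```

The check only covers the small edits the note describes; a link whose domain is unrelated to any known-good one comes back as "unknown" and still needs the other signs above.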
How to Respond to Phishing?
If you receive an email that you believe to be a phishing attempt, whatever the reason, do not reply to it or click the links in it. Instead, report the incident and visit the organisation's website or use its contact number.
If you are a victim of this attempt, i.e. you have given your personal details or other valuable information to the phisher, you should report the incident immediately to:
- The company that was spoofed or involved.
- Any bank or institution for which you disclosed your personal details.
- At least one of the major credit reporting companies.
- Your local police station, where you should file a complaint.
- The Federal Bureau of Investigation (FBI) through the Internet Crime Complaint Center.