Just after lunch one day, you receive this email:
“Can you send me the password for our network? I just can’t seem to remember it right now. Thanks.”
At first, this seems a bit weird to you. No one in your office asks for passwords over email. But you also remember that some of your colleagues from another office are visiting for the next couple of days, so now this seems somewhat plausible.
But then you notice a few other things once you start looking at the email closely.
The sender is a name you don’t recognize. The domain is @ACBCompany.com, not @ABCCompany.com. And the sender’s email signature is slightly different too; the phone number isn’t hyperlinked and “Street” is abbreviated “St” in the company’s address, not spelled as it would be anywhere else.
What is Social Engineering?
Once you picked up on those details in the email, you decided not to respond. And it’s good that you didn’t.
The person behind that email wasn’t an unfamiliar colleague, but a hopeful attacker. Social engineering is the practice of manipulating people, rather than systems, into handing over information or taking an action they shouldn’t. The attacker here tried to phish you: to trick you into giving up sensitive information by creating a false sense of authority or trust. Because the message was aimed at a specific person inside a specific company, this was a case of spear phishing.
Phishing has become one of the biggest threats to organizations over the last couple of years. In fact, phishing attempts were up 65% in 2017. And while phishers have traditionally targeted consumers, they are increasingly turning to employees and organizations.
As cyber crime becomes more and more prevalent, and phishing activity increases, everyone will need to be on the lookout for suspicious activity in their inboxes.
Luckily, your company was aware of this threat. Just a few weeks prior, you and your colleagues were asked to complete security awareness training. Without that, you or a coworker might have played right into the hacker’s trick.
Why would a hacker approach their objective this way?
It’s easy to assume they would use their skills and knowledge to reach their objective by technical means.
But, honestly, phishing (and social engineering in general) is often the cheapest and most reliable way in.
Why should a cyber criminal spend hours writing an exploit that will most likely fail when registering an email address and sending a two-sentence email takes far less effort and succeeds more often?
Unfortunately, people are a lot easier to fool than firewalls. Technology keeps changing, and defenders keep improving cyber security tooling. But most attackers understand how to tug on another person’s emotions. By making a person panic, winning their trust, or manufacturing a sense of urgency, an attacker can get farther with one email than with a great deal of code.
Recognizing Phishing (And Other Social Engineering Tactics)
Phishing and social engineering prevention isn’t purely a technical game. Mail filtering and sender authentication help, but the attack targets people, so education is the most direct countermeasure, just as ABC Company found.
The security team at ABC Company was fully aware of these kinds of cyberattacks and just how commonplace they’ve become. They crafted a security awareness training program to get ahead. And it appears it was well worth the effort.
A training program, similar to the one at our hypothetical company, would ideally make a handful of points to encourage informed behavior. Among those would be how to recognize a malicious email.
Fortunately, there are some things hackers just simply can’t get around. What signs can someone look for when they receive a suspicious email?
Signs of Phishing
1. The sender is unfamiliar
If you don’t recognize the sender of an email, that is a signal to be on alert. At smaller organizations, it’s easier to spot when an attacker is posing as someone else or faking a persona. At larger organizations, it can be more difficult. If an attacker does use a familiar name, however, you can look for other signs.
2. It’s an incorrect email address
The email address can be another sign of a phishing attempt. Cyber criminals normally can’t send from a mailbox on your organization’s domain, but they can register one that looks very similar. (One caveat: if your organization doesn’t publish and enforce sender authentication such as SPF, DKIM and DMARC, the visible From address can simply be forged, so a matching domain alone is not proof the email is genuine.)
Our fictional attacker used @ACBCompany.com as a disguise, swapping two letters of the real domain. Read slowly, it’s apparent that this address is wrong. But when you’re in a rush or not paying close attention, you might miss this small detail and think the email is legitimate.
3. The request is against policy or out-of-place
The attacker from earlier requested the password to the network, which helped tell you something was off. Attackers won’t know your company’s policies and practices, or they simply won’t care about them. They might push a feeling of urgency too, hoping the recipient panics and bypasses existing policies to quickly resolve the fake issue.
4. Questionable downloads and attachments
Admittedly, this is one of the more clever methods a hacker can use to get the information they want.
Attackers can pack malicious code into innocuous-looking attachments, including documents, archives and other downloadable files. Inside the email these attachments look harmless, but once opened or run on a computer they perform whatever actions the attacker built into them.
These kinds of attacks can cause a lot of harm, and it’s something the world has already seen played out. In December 2015, the intrusion that caused a partial outage of the Ukrainian power grid began this way. The attackers spear phished specific individuals and convinced them to open the attached documents. When employees did, the malicious code gave the attackers their initial foothold in the utilities’ networks, from which they worked toward the systems they needed.
Preventing Social Engineering and Phishing
Again, social engineering isn’t a problem technology alone can tackle (at least currently).
The best way to counter these hackers is with a few strong and careful habits.
Always use caution. If an email shows any of the signs we’ve listed, take some extra steps and make sure you’re safe.
If the email is from a name you recognize, confirm with that person through another channel, using a phone number or address you already have rather than the one in the email’s signature. Take a look at their email address as well to see if it matches your company’s domain exactly.
Question the request, and ask yourself why this person might need this information. Hover over a link to see where it will actually send you before clicking it; the visible text and the real destination need not match. Don’t immediately download attachments. And if the email is suspicious in any way, don’t open the attachments at all.
If you ever have a question, contact the head of security at your organization and ask for their advice.
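The two checks above that lend themselves to automation, spotting a sender domain that almost matches yours (as in the ACBCompany example) and spotting a link whose visible text points somewhere other than its real destination, can be scripted for a mail gateway or a triage tool. The following is an added example, not code from the original article. The organization domain, the sample message body and the edit-distance threshold are assumptions chosen for illustration.

```python
"""Flag lookalike sender domains and mismatched link targets in an email.

Added example for this article; not the article's or any vendor's code.
ORG_DOMAIN, SAMPLE_BODY and the distance threshold are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "abccompany.com"  # assumed organization domain

# Visible link text that itself looks like a URL or hostname.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance where swapping two adjacent letters (acb vs abc) costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_domain(dom: str, org_domain: str = ORG_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a lower-cased domain."""
    dom = dom.lower()
    if dom == org_domain or dom.endswith("." + org_domain):
        return "internal"  # the org's own domain or one of its subdomains
    org_label = org_domain.split(".")[0]
    if (dom.split(".")[0] == org_label          # abccompany.net, abccompany.com.evil.example
            or org_domain in dom                # login-abccompany.com
            or damerau_levenshtein(dom, org_domain) <= 2):  # acbcompany.com, abccompany.co
        return "lookalike"
    return "external"


def sender_domain(address: str) -> str:
    """Domain part of a From: header such as 'Dana <dana@ACBCompany.com>'."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address.strip()
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(address: str, org_domain: str = ORG_DOMAIN) -> str:
    return classify_domain(sender_domain(address), org_domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Reasons to distrust each link: shown host != real host, or lookalike host."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        m = HOST_RE.match(text)
        shown = m.group(1).lower() if m else ""
        if shown and shown != target:
            findings.append(f"text shows {shown} but link goes to {target}")
        elif classify_domain(target, org_domain) == "lookalike":
            findings.append(f"link host {target} imitates {org_domain}")
    return findings


# Constructed sample body: one disguised link, one lookalike host, one clean link.
SAMPLE_BODY = """<p>Please confirm your account at
<a href="https://portal.acbcompany.com/login">https://portal.abccompany.com/login</a>
or <a href="https://abccompany.com.evil.example/reset">reset here</a>.
Questions? See <a href="https://mail.abccompany.com/">mail.abccompany.com</a>.</p>"""

if __name__ == "__main__":
    print(classify_sender("Dana <dana@ACBCompany.com>"))
    for reason in suspicious_links(SAMPLE_BODY):
        print("suspicious:", reason)
```

The edit-distance rule catches the transposed-letter trick from the story; the label and substring rules catch the other common shapes (your company name under a different TLD, or used as a subdomain of an attacker's domain). Tune the threshold to your domain length: a distance of 2 is reasonable for a 14-character domain but would over-flag a very short one.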
Symantec’s Internet Security Threat Report (ISTR) Vol. 23, published in March 2018, found a user received, on average, 16 malicious emails per month in 2017. That’s 192 attempts per year per user. The team at Barkly found that for a 20 person organization, it comes to 320 attempts a month and 3,840 attempts a year.
Attackers rely on social engineering now, sending enormous volumes of email every day. By providing employees with regular training, you help them recognize what an attempt looks like. Updating the course as lures and trends change is just as important.
Your employees are the last line of defense between your organization and malicious actors. Give them the knowledge, the reporting channel and the backing they need to be resilient.