Don't Take the Bait! Phishing and Other Social Engineering Attacks

Phishing is a form of social engineering in which a threat actor attempts to trick victims into visiting a malicious site and disclosing sensitive information such as account login credentials, financial information, or personally identifiable information (PII), or opening a malicious attachment that installs malware onto their system. Phishing attacks can be conducted through email, social media platforms such as Facebook and Twitter, SMS text messages, or over the phone. The following are common types of phishing attacks and ways to identify them:

• Spear-phishing is conducted by crafting targeted phishing messages personalized to the victim. The perpetrators may use information about the victim to portray themselves as a legitimate entity.
• Whaling is conducted by sending messages appearing to be from trusted sources targeting high-ranking members of an organization, such as business executives or managers, with the goal of convincing them to reveal sensitive information.
• Vishing is conducted by making phone calls or leaving voice messages portraying a trustworthy entity in an attempt to convince the target to take an action. A common example is an attacker disguising himself as an organization’s help desk technician or an external technical support specialist.
• Smishing is a conducted via SMS text messages. Smishing is a security attack in which the user is tricked into downloading malware onto their smart phone or device.
• Business Email Compromise is a form of phishing attack where a cyber-criminal impersonates an executive (often the CEO), and attempts to get an employee, customer, or vendor to transfer funds or sensitive information to the phisher.
• Clone Phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender.  

Recommendations

The NJCCIC strongly recommends never clicking on links or opening attachments delivered with unexpected or unsolicited emails, social media messages, or text messages. If you accidentally do click on a suspicious link or visit a phishing website, do not enter any personal information on the site and disconnect your device from the network as soon as possible. Use your antivirus software to run a full scan of your system. If this occurs on a work system, contact your IT helpdesk immediately so that the system or device can be evaluated and quarantined if necessary to prevent the potential spread of a malware infection. If you entered or divulged personal information, monitor your bank accounts, credit profile, and other online accounts for any irregularities or suspicious behavior. If you do business with a company mentioned in a suspicious email, call the business and forward the email to them to verify the legitimacy of the email. In addition, do not reply to spam emails as this only verifies to the sender that your email account is active. Instead, delete the email. Lastly, use up-to-date antivirus software and firewall protection to prevent and block phishing attacks, and enable multi-factor authentication (MFA) for all accounts that offer it to greatly reduce your risk of account compromise via credential theft. For organizations, one of the most effective ways to prevent incidents resulting from phishing attacks is through employee training and awareness.

 

Additional Resources:

• Trustworthy Email publication from the National Institute for Standards and Technology