Edited & prepared by Oscar Michel, Masters in Journalism, DCU.
Great guest post from George O’Dowd MD Novi – Technology for Business.
Cyber criminals are continuously using new methods to defraud, gain access and steal information. One of their modus operandi is ‘social engineering’.
What is Social Engineering?
Social Engineering is the practice of manipulating and defrauding people into giving up confidential information. Criminals try to trick people into handing over information such as bank account details and account passwords, or into clicking on links that allow them to gain access to their computer to install malware. Social Engineering works because it is easier to fool people than to hack into their computer.
Security is all about trust. People by nature trust others they know personally and websites or companies that they deem to be a trusted/legitimate source. Criminals exploit this inherent trust. They might email, call or ask you to download something from a website under the pretence of coming from a legitimate source, i.e. someone or some company that you inherently trust.
Using lots of sources on the internet, including social media accounts, criminals can build profiles of individuals. They can find out where they work, what position they are in, recent company deals, where they last went on holiday and when, how many kids they have and lots more. Using all this information, criminals can pretend to be someone they are not by showing that they know lots of personal details about you. They can hack into company email accounts and send emails that appear to be legitimate. For example, you may receive an email that appears to come from management asking that money be transferred, requesting passwords, requesting that bank account details be changed or requesting information relating to customers.
So how do you recognise a phishing email?
When you receive an email from a colleague or supplier that appears suspicious, you should treat it as such:
1. Don’t trust the display name. Check that the email comes from the correct email address. See example number 1 below. The email appears to come from ‘Fidelity’ but the associated email address does not use a Fidelity domain, e.g. fidelity.com
2. Watch out for urgent language in subject lines, which is designed to make a person act before they’ve taken time to consider whether the email is legitimate.
3. Beware of broad, impersonalised salutations such as Dear Customer, Dear Contact etc… Legitimate companies requesting private and sensitive information would not do so over blanket emails.
4. Hover over web links even if they appear correct – Don’t click on any links in a suspicious email but if you hover over the link it shows the real address. See example below, the link revealed does not resemble the company’s web address.
5. Legitimate emails will be properly branded. Be alarmed if you see variants in the company name or logo.
6. Watch for misspelt words or poor grammar – Cybercriminals are not known for their good grammar. Often cyber attacks originate in countries where English is not the first language so watch for unusual phrasing and incorrect spelling.
What to do if you receive a phishing email
If you receive an email that, in your opinion, looks suspicious in any of the above ways, trust your judgement: do not click on any link and do not reply to the email. A reply just confirms to the criminal that your email address is correct. If you receive an email from a colleague that looks suspicious, call the person using a KNOWN phone number (not the one in the email) to verify their requests, especially for bank account changes and money transfers.
Talk to your IT department or IT Services provider. With the frequency of phishing emails constantly on the rise, your IT provider must ensure that you have a spam filtering solution in place to help reduce the chances of phishing emails getting through to your inbox.
Adopt a 2-step Approach
1. Put security systems in place to catch as many phishing emails as possible
2. Educate your employees on the signs to watch out for as some will inevitably get through!