Phishing and Social Engineering
Main Content
Social Engineering - Social Engineering is a fancy term for trickery. Trickery comes in all shapes and sizes. Oftentimes trickery comes in the form of an e-mail that wants you click on something; something like an attachment or a link. The attachment or link typically SEEMS to be harmless, but contains programming code that exploits vulnerabilities in your computer's operating system or a third party applications.
How do you know when an e-mail is legitimate and when it's social engineering? There are several questions that you can ask yourself that should lead you to an appropriate answer to this question.
- Does the e-mail have sentences that are nonsensical? If so, don't trust it
- Does the e-mail ask you for private or sensitive information? If so, don't trust it
- Does the e-mail make promises that are too good to be true? If so, don't trust it
- Does the e-mail attempt to evoke an emotional response? If so, don't trust it
- Do you know who the e-mail is from? If so, AND one of the above apply, don't trust it
- Do you know who the e-mail is from? If not, don't trust it
Tip - Can you verify the validity of the claim(s) made in the e-mail? For example, if your bank is asking you to change your password, can you call your bank to verify? If so, definitely verify first.
Tip - Businesses, financial institutions, universities, etc. typically won't send you an e-mail stating that you need to change or password or submit sensitive information (i.e. your checking account number). They may send you and e-mail stating there is a problem and that you need to call their office. Be sure you are calling their office and not some other number.
Tip - Google it or ask your local computer geek! If the e-mail seems suspicious or too good to be true; enter the subject line or the wording in the body of the e-mail into the Google search engine. The results will often tell the real story. If you're not sure, ask somebody for input. There's typically a computer expert in every workplace; ask them for help.
Read here for how an SIU student was tricked into sending money overseas.
Phishing - Phishing is defined as "the activity of defrauding an online account holder of financial information by posing as a legitimate company". The most common form of phishing is website look-a-likes. These websites are designed to look exactly like another, in an attempt to get you to enter your login or personal information. These websites often have very similar domains as the original site. For example, your friend sends you a link on facebook, and that page takes you to a website that looks just like facebook, but asks you to login again.
Verify that the website you are at is the original. Use HTTPS:// when possible.
Use Google to check suspicious links you get sent in chat messages or emails.
Never enter your login unless you are 100% sure what you are logging into.