Overview
Phishing and social engineering attacks are the leading causes of data breaches, targeting employees to gain access to sensitive information or systems. This training will cover:
- What phishing and social engineering attacks are
- Common types of phishing and social engineering tactics
- How to identify and avoid attacks
- Steps to take if you suspect an attack
1. What Are Phishing and Social Engineering?
- Phishing: A tactic used by attackers to trick individuals into revealing sensitive information (e.g., passwords, credit card numbers) or downloading malware. This often involves deceptive emails, messages, or websites.
- Social Engineering: A broader tactic where attackers manipulate people into giving access to confidential information or systems. It can involve in-person tactics, phone calls, or digital methods.
Key Takeaway: Phishing and social engineering rely on exploiting trust and human error.
2. Types of Phishing Attacks
Email Phishing
- Attackers send emails that appear to be from trusted sources (e.g., banks, vendors, managers).
- These emails often contain links or attachments intended to steal login credentials or download malware.
We also have a dedicated training on Reviewing Suspicious Emails that we’d highly encourage you to check out!
Spear Phishing
- More targeted than general phishing, spear phishing involves customized emails aimed at specific individuals or departments, often using personal details.
- Example: An email from someone posing as a known colleague or manager requesting sensitive data.
SMS Phishing (Smishing)
- Attackers send text messages claiming to be from legitimate entities (e.g., banks, delivery companies) to trick users into clicking links or responding with information.
Voice Phishing (Vishing)
- Attackers make phone calls, pretending to be trusted organizations (e.g., IT support) and attempt to gain access to information or persuade employees to perform actions.
Fake Websites
- Often part of a phishing attack, these websites look like legitimate sites to trick users into entering sensitive information.
3. Recognizing Phishing and Social Engineering Tactics
Look Out for These Signs:
- Suspicious Senders: If you don’t recognize the sender, proceed with caution. Double-check the sender’s email address.
- Urgent Language: Phrases like “Immediate action required” or “Account suspension” are common red flags designed to create panic.
- Unusual Requests: Requests for sensitive information (e.g., passwords, financial data) should be a red flag. Legitimate organizations rarely request this over email or phone.
- Suspicious Links or Attachments: Hover over links before clicking to verify the URL. Avoid downloading attachments unless you’re expecting them.
- Poor Grammar and Formatting: Phishing emails often have spelling mistakes, odd formatting, or mismatched fonts.
Example: You receive an email from “IT Support” stating your account will be locked if you don’t log in within 24 hours. The email asks you to click on a link to “verify” your credentials. Be cautious—this could be a phishing attempt. We go into much more detail over on our Guide for Reviewing Suspicious Emails!
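The warning signs above are the same ones a mail-triage script can check automatically: a sender domain that is not one of ours, a display name that borrows our company's name while the address points elsewhere, a Reply-To that differs from the From address, urgent language, requests for credentials or financial details, link text that shows one site while the link goes to another, and executable attachments. The following Python script is an added illustration for this training, not code from the original page. It uses only the standard library; the trusted-domain set, the phrase lists and both sample messages are constructed for the example (the phishing sample mirrors the “IT Support” scenario above), and the `registrable()` helper is a deliberately crude two-label approximation rather than a public-suffix lookup.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: the organisation's own mail domain(s).
TRUSTED_DOMAINS = {"example.com"}
# Phrases taken from the "Look Out for These Signs" list (urgency / unusual requests).
URGENT_PHRASES = ("immediate action required", "account suspension",
                  "will be locked", "within 24 hours")
SENSITIVE_PHRASES = ("password", "credentials", "bank account", "credit card")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".zip")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL or URL-looking string, '' if it has none."""
    try:
        return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    except ValueError:
        return ""


def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(host.split(".")[-2:])


def review_message(raw_bytes, trusted_domains):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []

    # Sign 1: who is it really from? Compare the address domain, not the display name.
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain not in trusted_domains:
        findings.append(("untrusted-sender", sender_domain))
    for domain in trusted_domains:  # display name borrows our name, address does not
        if domain.split(".")[0] in display.lower() and sender_domain != domain:
            findings.append(("lookalike-display-name", display))
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        findings.append(("reply-to-mismatch", reply_domain))

    # Signs 2 and 3: urgent language and requests for sensitive information.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = (str(msg.get("Subject", "")) + "\n" + text).lower()
    findings += [("urgent-language", p) for p in URGENT_PHRASES if p in lowered]
    findings += [("sensitive-request", p) for p in SENSITIVE_PHRASES if p in lowered]

    # Sign 4a: link text that looks like one site while the href goes to another
    # (the programmatic version of "hover over the link before clicking").
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, label in collector.links:
            shown = host_of(label)
            if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown) and \
                    registrable(shown) != registrable(host_of(href)):
                findings.append(("link-mismatch", f"{label} -> {href}"))

    # Sign 4b: attachments of a kind that should not arrive unexpectedly.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))
    return findings


# Constructed sample: the "IT Support" lock-out message from the training text.
SAMPLE_PHISH = b"""From: "Example Corp IT Support" <helpdesk@example-support.test>
Reply-To: it-desk@mailbox-relay.test
To: employee@example.com
Subject: Immediate action required: account suspension
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be locked within 24 hours. Please visit
<a href="http://example-support.test/verify">https://portal.example.com/verify</a>
to verify your credentials.</p></body></html>
"""

# Constructed sample: a routine internal message that should raise nothing.
SAMPLE_LEGIT = b"""From: "Payroll" <payroll@example.com>
To: employee@example.com
Subject: June pay statement is available
Content-Type: text/plain; charset="utf-8"

Your pay statement is available in the HR portal at https://hr.example.com.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, review_message(raw, TRUSTED_DOMAINS))
```

Run as-is, the phishing sample produces findings in every category except attachments, while the payroll message produces none. The checks are heuristics for triage, not proof: a message with no findings can still be malicious, which is why the training still asks you to verify through a known contact channel before acting.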
4. How to Respond to Phishing and Social Engineering Attempts
- Do Not Click or Respond: If you suspect a message is phishing, do not click any links or download attachments.
- Verify the Source: Contact the sender directly using known contact information. For example, if it claims to be from your bank, call them using the official number.
- Report Suspicious Activity: Follow company procedures for reporting phishing emails or suspicious calls. Forward emails to the IT team or report them using your email provider’s “Report Phishing” feature.
- Delete the Message: After reporting, delete any suspicious emails or texts.
5. Social Engineering Scenarios and Tips
Common Scenarios:
- Urgent Phone Call from “IT Support”: The caller claims they need your password to resolve an issue. IT support should never ask for passwords over the phone.
- Stranger in the Office Asking for Access: They might claim they’re a vendor or new hire needing access to restricted areas. Always verify with a supervisor before allowing access.
Tips:
- Ask Questions: Legitimate callers or visitors will have verifiable answers to basic questions.
- Double-Check Identification: Verify identities by calling the organization they claim to represent.
- Trust Your Instincts: If something doesn’t feel right, err on the side of caution and confirm through official channels.
6. Steps to Take if You Suspect an Attack
- Disconnect from Network: If you suspect malware was downloaded, disconnect from Wi-Fi or unplug the Ethernet cable to prevent further spread.
- Alert IT Support Immediately: Report the incident with as much detail as possible.
- Monitor Accounts: If you clicked on a phishing link or provided information, monitor your accounts closely for any unauthorized activity.
- Update Passwords: Change passwords for any accounts that may have been compromised.
7. Quiz and Practice Scenarios
To reinforce the training, include a short quiz or a few scenarios to practice identifying potential phishing or social engineering attacks.
Sample Question: An email from “HR Department” asks you to click on a link to confirm your bank account information for payroll. What do you do?
- A) Click the link and provide your information
- B) Ignore the email completely
- C) Verify the email with the HR department by contacting them directly
Correct Answer: C – but don’t just hit reply! Use an already known and trusted means of contact such as an established email address or phone number, or if you’re local enough, head over to the HR department and knock on their door! If you are being targeted by scammers, hitting reply is a very bad move for reasons we detail in our Guide for Reviewing Suspicious Emails!
Conclusion
Awareness is the first line of defense against phishing and social engineering. By staying alert and following these guidelines, employees can protect both themselves and the organization from potential threats.