Skip to content

Tag: social engineering

Published on

Phishing -- one of the oldest pain points in cybersecurity. Also known as pre-texting, phishing continues to wreak havoc quietly and is as significant a threat as ever.

Despite often being overlooked, phishing has been a mainstay in the cybersecurity threat landscape for decades. In fact, 43 percent of cyberattacks in 2020 featured phishing or pre-texting, while 74 percent of US organizations experienced a successful phishing attack last year alone. That means that phishing is one of the most dangerous “action varieties” to an organization’s cybersecurity health. As a result, the need for proper anti-phishing hygiene and best practices is an absolute must.

With that in mind, here are a few quick best practices and tips to help you recognize and deal with phishing threats.

Know the Red Flags: Emails

Phishers are masters of making their content and interactions appealing. From content design, layout to language, it can be difficult to discern whether the content is genuine or a potential threat, which is why it is so important to know the red flags.

  • Awkward and unusual formatting
  • Overly explicit call-outs to click a hyperlink or open an attachment
  • Strange requests concerning an account, system, or application changes with no prior awareness
  • Requests for personally identifiable information or your login and password
  • Subject lines that create a sense of urgency

These are all hallmarks that the content you received could potentially be a phishing attempt and indicate that it should be handled with caution. Most organizations will communicate multiple times and well in advance of any application transitions, and they will provide websites and other supporting materials and contact information for more details.

All suspicious emails can be sent to GW IT Security at abuse@gwu.edu, and questions about the content or requests in an email can be verified with the GW IT Support Center at 202-994-4948.

Verify the Source

Phishing can occur in a variety of ways. In addition to email, phishers ply their craft through phone calls, text messages, sometimes regular mail. Often, phishers will try to impersonate someone you may already know -- such as a colleague, service provider, relative, or friend to trick you into believing their message is trustworthy.

Don’t fall for it. If you sense that something about an email, phone call, or text message may be out of place or unusual, try to confirm whether the content is authentic and safe. If not, immediately break off communication and flag the incident through the proper channels (at GW, this is forwarding the message to abuse@gwu.edu).

Vishing and Other Phishing Offshoots

Greater awareness about phishing has spawned more diverse phishing efforts beyond traditional email. For example, voice phishing -- or vishing -- has become a primary alternative for bad actors looking to gain sensitive information from unsuspecting individuals. Similar to conventional phishing, vishing is typically executed by individuals posing as a legitimate organization -- such as a healthcare provider or insurer -- and asking for sensitive information. Simply put, it is imperative that individuals be wary of any sort of communication that asks for personal information, whether via email, phone, or chat, especially if the communication is unexpected. If anything seems suspicious, hang up or end the communication immediately.

If you think you may have been a victim of a phishing attack at GW, contact the IT Support Center by phone at 202-994-4948. IT Support Center staff can assist in locking your accounts and guiding you through a password reset, if needed. If you feel you might have been phished on a personal account, contact your provider immediately through a verified number and request that your accounts be reset/locked because your access may be compromised.

For more information on GW IT Security, please visit our security website: https://it.gwu.edu/gw-information-security.

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit our website at https://it.gwu.edu. For self-help resources and answers to frequently asked questions, please visit the GWiz knowledge base at https://go.gwu.edu/GWiz.

Original blog content provided by The National Cyber Security Alliance, modified and posted with permission.

Published on

Phishing diagram
From Wombat Security

Phishing

Phishing is a very simple and useful tool in an attacker’s arsenal. Phishing can lead to the exposure of sensitive information such as usernames, passwords, PII (personally identifiable information), and credit card information. So what is Phishing? It is at method used to obtain sensitive information from a victim that leverages social engineering and communications technologies that normal people use every day. There are various methods of phishing, with the most common being email, vishing (voice phishing), and smshing (text phishing). These methods can be blanket attempts that rely on quantity instead of quality (often called campaigns) or they can be very carefully crafted attacks with very specific targets (spear phishing and whaling). Luckily, identifying and defeating these attacks can be simple if you know what to look out for.

Email Phishing

Email is the hacker’s go-to for most phishing attacks; people wouldn’t think twice about receiving an email. Often times phishing emails will contain a malicious link, a malware attachment, or directly ask for sensitive information. In order to trick victims, these emails are crafted to appear from a big company, such as FedEx, Apple, or even from inside your own organization. Attackers use look-a-like or spoof emails to convince the target the email is legitimate. This can lead to compromised systems and/or exposed personal information, which can lead to further exposure of friends, family, and the victim’s organization.

Defeating Email Phishing:

  • Is the company logo/banner/design slightly off?
  • Would this person/company normally be sending you an email?
  • Should they already have the information they are asking for?
  • Never open unsolicited attachments
  • Legitimate Companies should never ask sensitive information through email
  • Use other methods to confirm the communication

Vishing

Voice phishing is growing in popularity and just like other types of phishing, vishing can be automated making it a dangerous tool. Attack examples include an “FBI” automated message, “IRS” tax refund/payment notification, or as a call from your local home improvement company. When attackers get on the line with their target they present a well thought out and engaging backstory to hook their victims. Impersonation is used in most vishing calls; attackers will impersonate IT staff, management in your company, and HR to appear official.

Defeating Vishing:

  • Ask the caller to provide information only you and they would know to ensure the caller’s identity
  • Never give sensitive information over the phone
  • If the call is suspicious, contact someone close to the individual, or through other means
  • Offer to call the individual back at the number in your staff/corporate directory, or at the number listed on the legitimate website

       

Smshing

Smishing sends texts to the targets phone in hopes of them clicking a malicious link, downloading malware, or returning sensitive information. Texts follow email phishing outlines and can be identified similarly. Many victims fall for smishing because they are unaware of the tactic and more trusting of texts. Don’t trust it more just because it’s a text message.

Defeating Smshing

  • Never provide sensitive information over text message
  • Avoid following random links
  • If you are unsure, reach out to your security team, or the communicating company
  • Do not call the number that texted you

Spear-phishing, Whaling & Campaigns

Most individuals come into contact with phishing campaigns. The goal of campaigns are to reach as many people as possible and hope for a hit. Whereas, spear phishing and whaling are techniques aimed at selected groups of individuals and executives. These are well planned, crafted, and executed, and shouldn’t be taken lightly. They aim to compromise victims with privileged access to systems, accounts, and resources. Victims typically don’t have the time to review these carefully crafted emails highly specific to the target and fall for the trap.

Defeating Spear-phishing and Whaling

  • Report suspicious emails looking for information to security
  • Verify communication with the contact through other methods
  • Attackers often impersonate colleagues, friends, and family
  • Always assume you’re a target
  • Opt for face to face meetings when possible (online or in person)

Published on
What is Social Engineering?

We frequently hear about cyber-attacks on organizations using highly technical and sophisticated methods, involving malware and vulnerabilities that most people don’t understand. However, what we don’t typically hear about is how the attacker got in. According to Verizon’s Data Breach Investigation Report, in 2019, a third of all data breaches involved social engineering attacks to include phishing, pretexting, and a variety of other social engineering methods.

Social Engineering involves gaining the trust of unsuspecting users via manipulation or trickery, in order to gain unauthorized system access, credentials, or commit fraud. Attackers will attempt to take advantage of a multitude of psychological traits such as carelessness, curiosity, empathy, complacency, and most frequently ignorance.

Why does it Matter?

Social Engineering attacks are more common than you might think and odds are that you will encounter one yourself in some form or another. Failing to recognize a social engineering attack could range from a minor inconvenience to a life changing event. Compromise from such an attack could lead to needing a password reset to having a bank account drained of funds, or could even be the launching point for the next massive data breach that makes headlines worldwide.

The massive Target data breach of 2013, which exposed the credit card and personal information of 110 million people, was a result of a contractor falling for a phishing email, one of the many social engineering methods attackers use. The DNC email leak in 2016 was caused by a well-crafted but fake password reset request from Google; sent to a high ranking DNC official and resulting in the leak of highly sensitive information regarding the Democratic campaign.

Social Engineering is a large threat to the safety of not just large organizations, but also the individual.

Social Engineering Life Cycle Image

Social Engineering Life Cycle

Much like software development and risk management, many cyber-attacks follow a lifecycle approach; with a continuing cycle of input and output constantly improving the process. Social engineering is no different and even has a few lifecycle models dedicated to it. In its simplest form however, the Social engineering lifecycle follows four basic phases: Investigation, Hook, Play, and Exit.

The Investigation phase is when an attacker performs their recon. They might choose their targets based on position within an organization, ease of access, or they might choose a wide range of targets just to see what sticks. After choosing a target they will use public information to learn as much as possible. Sources such as social media, company websites, and other profiles provide a wealth of information for attackers to use.

The Hook phase involves the initial interaction with the target; ranging from email to in person contact. During the hook, the attackers focus is on spinning a web of lies to manipulate victims at their will.

During the Play phase an attacker gains a stronger foothold and carries out the attack. Depending on their goals, they will begin disrupting or stealing sensitive and valuable data.

The Exit phase points to the end of the lifecycle. The Social Engineer will attempt to remove all traces of their presence and bring an end to their charade. Everything the attacker has gained or learned during the process is then used during a new attack cycle to more effectively con another victim.

Social Engineering and unaware users provide a vast attack surface that can be easily taken advantage of.  Meaning that you need to do everything you can to be prepared for and protect yourself from the conmen of the internet age.

Viewing Message: 1 of 1.
 Notice

This site uses cookies to offer you a better browsing experience. Visit GW’s Website Privacy Notice to learn more about how GW uses cookies.