For example, it is much easier to fool someone into giving you their password than it is to crack that password (unless the password is really weak).
What Does a Social Engineering Attack Look Like?
A fake email from a friend, colleague, principal, finance director, coordinator, the IT Department, etc.
Taking advantage of your trust and curiosity, these messages will:
- Contain a link that you just have to check out. Because the link appears to come from a friend and you are curious, you trust it and click, and your machine is infected with malware. The criminal can then take over your machine, collect your contacts' information and deceive them just as you were deceived.
- Contain a download (pictures, music, a movie, a document, etc.) with malicious software embedded. If you download it, which you are likely to do since you think it comes from your friend, you become infected. Now the criminal has access to your machine, email account, social network accounts and contacts, and the attack spreads to everyone you know. And on, and on.
Don’t become a victim
Keep the following in mind to avoid being phished yourself.
Tips to Remember:
- Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical; never let their urgency influence your careful review.
- Research the facts. Be suspicious of any unsolicited messages.
- Do NOT click any links in suspicious e-mail and never open attached files (e.g. DOC, DOCX, XLS, XLSX, RAR, ZIP, TXT and others), even when the sender appears to be someone you know. If you aren't expecting an email with a link or attachment, check with your friend before opening links or downloading.
- Beware of any download. If you don't know the sender personally and aren't expecting a file from them, downloading anything is a mistake.
- Delete any request for financial information or passwords. If you are asked to reply to a message with personal information, it's a scam.
- Reject requests for help or offers of help.
As general rules:
- Never trust anyone who asks you by email to do something for him or her;
- Never trust any incoming email that you did not trigger yourself (e.g. by requesting a password reset) which asks you to 'verify' your identity or username/password, even if the email/website looks official;
- If you have any doubt, the first thing to check is the sender's email address (select the sender's name and the email address will be shown);
- ALWAYS report such behaviour to IT so that we can verify it and take action.
Tomasz Kędzior
Network Manager, The British School Warsaw