Phishing and Social Engineering

What is phishing?

Phishing is a technique that relies on psychology to deceive a person into giving up information or taking an action with an unintended result. This attack is usually carried out through written correspondence such as e-mail, instant messaging and social media posts. Originally, cyber criminals used e-mail attacks to steal a person's username and password to a website, but over the years these attacks have evolved and now go beyond stealing login information. Today, cyber criminals send messages pretending to be a friend, the bank or a well-known store, with the purpose of profiting from their intended target, that is, YOU.

These messages are intended to deceive you into taking an action that leaves you vulnerable to more attacks, which include:

  • Opening an attachment infected with malware;
  • Clicking on a malicious link that enables the download of malware;
  • Giving the cyber criminal your login credentials to one of your online website profiles;
  • Giving the cyber criminal money in the hope of profiting from a proposed venture (e.g. online lottery, gambling);
  • Giving the cyber criminal personally identifiable information (e.g. name, address, bank name, credit card information).

Cyber criminals carefully craft these authentic-looking e-mails and send them to millions of people around the world because they know that the more e-mails they send, the more opportunities they have to find a victim. However, there is another form of phishing called spear phishing, where cyber criminals target select individuals on whom they have done careful research.

Spear phishing involves a carefully crafted e-mail sent to an intended victim, based on the cyber criminal reading their Facebook or LinkedIn accounts and/or any messages they have posted on public blogs or forums. The spear phishing e-mail sent to the intended victim is usually highly customized and always appears relevant to them. This greatly increases the cyber criminal's chance of duping or hacking the victim.

What is social engineering?

Social engineering is another technique that relies on psychology to deceive a person into giving up information or taking an action. Phishing is actually a type of social engineering, but social engineering is mostly performed through face-to-face conversation and over the telephone. It is a type of deception used by criminals for the purpose of information gathering, fraud or unauthorized access to a system. It is usually more complex because it requires the criminal to take multiple steps and have multiple interactions with the victim or victims before achieving results. Similar to phishing, these attacks can be used by criminals to obtain:

  • Login credentials to one of your online website profiles;
  • Money in the hope of profiting from a proposed venture (e.g. online lottery, gambling);
  • Personally identifiable information (e.g. name, address, social security number);
  • Your personal account balances and income tax information;
  • Confidential information stored at the company with whom you are employed.

Criminals usually craft false identities in order to go unnoticed or to avoid being caught by authorities. Most of these identities include co-workers, police, maintenance workers and insurance investigators. The main theme of these identities usually focuses on authoritative figures who are perceived by the victim as someone who has a right to know the information being asked for, which increases the criminals' chances of duping the victim.

Why should I care?

You may not think about it, but you are a potential target at work, at home and while going about your daily routine. Cyber criminals and other criminals will do anything to obtain information from you, including hacking or deceptively gaining access to your devices. The most effective way of detecting and stopping phishing and social engineering is YOU. Educating yourself and being mindful when reading your e-mails are best practices for avoiding phishing. Awareness of your own actions, and knowledge of the companies you are employed by or do business with, are best practices for avoiding social engineering scams. If you have fallen victim to these activities, contact your Helpdesk, security team or the police authorities immediately.