Spot a Phish – Avoid Social Engineering

Social engineering is a technique for manipulating a person into performing an action or divulging information; many refer to this as people hacking. Most of these attempts (1) have a target in mind and (2) use a medium of communication.

Targets in Mind

Phishing is the general term where anyone within a group is targeted; a large net is cast to catch whomever it can.
Spear-phishing targets a specific individual. It could be a customer support rep, or Aubry from marketing.
Whaling is spear-phishing aimed at a high value target, like the founder, a board member, or the head of accounting.

Means of communication

Email is the most common medium for phishing attempts.

Vishing is social engineering through voice, like a phone call or voicemail.

Smishing is phishing via SMS text messaging or social media instant messaging.

In-Person is the most brazen form of social engineering and can include impersonation of a package delivery person, a custodian, maintenance worker, or even a potential client.

Drive-bys are an indirect form of communication: the attacker sends a package with a product inside, asking you to scan a QR code to get more information about your order. A drive-by can also be a USB thumb drive drop, where an attacker mails a USB drive or intentionally drops one in your parking lot or near a main entrance. This can even be done through a seemingly innocent phone charging cable: Hak5’s O.MG cables look like a normal cable, but once plugged in, they create a backdoor into your system.

How to Spot a Phish

Knowing how malicious attackers try to trick you is half the battle when trying to spot a phishing attempt.

Techniques

Attackers will… imitate the expected: a known event or service that you use or have used in the past (services, social media, banks, lenders, school, contractors, holidays, festivals, relevant situations) and attempt to impersonate it.
Look for… unexpected messages or packages coming from unexpected or unknown senders asking you to do abnormal things.

Attackers will… appear as authentic in speech as possible. With the rise of speech recognition tools, it’s very easy to have near-perfect grammar in a non-native tongue.
Look for… any inconsistencies. If you know that your boss never responds after 6pm and a message comes through at 9, or (s)he is using words (s)he normally doesn’t use, or there is a noticeably unusual number of misspellings, consider it suspicious.

Attackers will… appear as if they’re coming from one address when in reality they’re not; this is called spoofing. Attackers will also use “typosquatting”, letters and words that are similar to the official address, e.g. ‘bill@amazon.com’ vs ‘bill@amazom.com’.*
Look for… minor misspellings in the sender’s email address. Hover over the sender’s name to see the actual sender address, not just the display name. Hovering generally does not work on mobile devices.

Attackers will… use hyperlink squatting: the text displayed as the link is different from where the link sends you, e.g. https://techstewards.co/spot-a-phish-avoid-social-engineering/ looks like it’s pointing back to this article, but if you hover over it, your browser should display the true link in the bottom left, and that link points to the world-famous “Never Gonna Give You Up” by Rick Astley.**
Look for… typosquatting or the use of URL shorteners by hovering over the link with your mouse. Hovering may not work on most phones; on a mobile device, a preview page will render if you tap and hold the link.

Attackers will… try to get you to download an attachment, claiming that it is a PDF showing your most recent balance or an invoice from a contractor. In reality, the seemingly innocent PDF or Excel-looking attachment has a macro enabled or uses a fake file extension that initiates a malicious download onto your device.
Look for… directions to open attachments or install software from an email or SMS message. Instead, download invoices from the official site and communicate with the service on their platform; get your subscription status or financial standing from the official website.

Attackers will… use a sense of urgency to manipulate you into acting quickly without assessing whether what they’re asking is a wise thing to do.
Look for… language that mentions deadlines or timeframes; slow down and assess their validity. Does the time frame make sense? Does the request make sense?

Attackers will… attempt to get you to scan a QR code from an email, an SMS image, or an illegitimate sticker placed over a legitimate QR code.
Look for… emphasis on scanning QR codes; hesitate, then read the actual link before visiting the site. Your phone camera should show you the real link that the QR code points to.

Attackers will… use authority to bully victims into providing information or taking actions on their behalf. They may threaten punishments or repercussions if you don’t do what they say.
Look for… unexpected behaviour. Would this authority reach out to me this way? Communicate Out Of Band (OOB): use another means of communication to confirm legitimacy.

Attackers will… use social proof, impersonating a legitimate public figure or organization. The organization may be legitimate, but this person is not.
Look for… verbiage that tries to self-validate their legitimacy. Go to the official site to communicate via official channels (app platform, official email address or phone number).

Attackers will… use scarcity, marketing a deal, situation, or offer as limited edition and time sensitive, stating that it will not be around much longer, when in reality there was no deal to begin with.
Look for… pressure to act fast. Slow down; most likely the deal is too good to be true. If you realize that you are drawn to it, take a step back and try to verify from other sources.

Attackers will… ask for credentials, including usernames, passwords, multifactor authentication codes, SSNs, or other sensitive information.
Look for… requests to provide sensitive information. No official service will ever ask you for your credentials.

* This gets particularly tricky when alphabets from other languages are involved, e.g. a Latin “a” (U+0061) vs a Cyrillic “а” (U+0430); thankfully most services have ways of making sure that confusables are properly compared and shown. See util.unicode.org/UnicodeJsps/confusables.jsp
** Attackers will use URL shorteners to hide long, convoluted URLs behind short, prettier links, but the destination is still malicious.
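The two checks the table and footnotes describe, a lookalike sender domain (typosquatting and Unicode confusables) and hyperlink squatting (link text naming a different host than the real href), written out as an added Python example; this is not code from the original article. The trusted-domain allow-list, the small confusable subset and the HTML mail body are constructed for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlparse

KNOWN_DOMAINS = {"amazon.com", "techstewards.co"}  # constructed allow-list of trusted senders
# Hand-picked subset of Unicode confusables (Cyrillic -> Latin twin); see util.unicode.org/UnicodeJsps/confusables.jsp
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i"}

def skeleton(domain):
    """Fold a domain so look-alike letters compare equal to their Latin twins."""
    try:  # punycode (xn--) labels are decoded to their Unicode form first
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII letters; fold them as they are
    domain = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def lookalike_of(domain):
    """Return the known domain that `domain` imitates, or None if exact or unrelated."""
    if domain.lower().rstrip(".") in KNOWN_DOMAINS:
        return None  # genuine sender domain, nothing to flag
    s = skeleton(domain)
    if s in KNOWN_DOMAINS:
        return s  # homograph: confusable letters fold to a known domain
    close = [k for k in KNOWN_DOMAINS if SequenceMatcher(None, s, k).ratio() >= 0.85]
    return close[0] if close else None  # typosquat: a character or two off

# Simplified mail-body scan: <a href="...">visible text</a> pairs, plus a host-looking token in the text.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)

def mismatched_links(html_body):
    """Return (shown text, real href) for links whose text names a different host."""
    bad = []
    for href, inner in ANCHOR.findall(html_body):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        m = HOST_IN_TEXT.search(text)
        if not m:
            continue  # "click here" names no host, so there is nothing to compare
        shown, real = m.group(1).lower(), (urlparse(href).hostname or "")
        if real != shown and not real.endswith("." + shown):
            bad.append((text, href))
    return bad

# Constructed HTML mail body: one squatted link, one honest link, one non-URL link text.
SAMPLE_BODY = ('<a href="https://video.example.net/never-gonna-give-you-up">'
               'https://techstewards.co/spot-a-phish-avoid-social-engineering/</a> '
               '<a href="https://www.amazon.com/orders">Amazon.com</a> <a href="https://short.example/abc">click here</a>')
```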

Always Never…

…respond to a phish.

…download attachments.

…click on links in the message.

…scan QR codes.

…forward the message to a family member or co-worker (the link is still alive and malicious).

Always Always…

…communicate Out of Band with a NEW email.

…report an incident to your I.T. Department or the official organization when you notice a phish or fall victim.

…listen to your I.T. Department’s direction.

…change passwords if phished.

…delete the message.

…be suspicious.