Welcome to the social engineering module. Social engineering is a major risk facing both large and small organizations today. It is a method frequently used for hacking because it is highly effective and takes minimal effort. Social engineering attacks are incredibly effective because they take advantage of our most basic human instincts. As a result, staff must be trained regularly on how to identify social engineering attacks and protect themselves and the organization from them.

Social engineering is the use of deception to manipulate individuals into taking some sort of action or revealing confidential or personal information that may be used for fraudulent purposes. Social engineering techniques range from generic wide-scale attacks to sophisticated, detailed attacks that target a specific audience.

An organization's best defense against social engineering is to invest in its people. This can be accomplished by educating users on the motives, techniques, and methods used by cybercriminals. It is very important to build and strengthen awareness of this type of attack, and for users to understand the consequences should they fall victim to a social engineering attack. In addition to organizational security awareness, culture plays a very important role. All users should have a positive attitude towards the security of their organization: feeling comfortable sharing concerns, knowing how to respond to a security-related incident, and knowing how to get support.

There are several common social engineering attacks. We will discuss each of these attacks more in depth in this module. Phishing is a malicious attempt to gain personal or financial information by pretending to be a trustworthy entity. Phishing attacks are typically conducted through e-mails, but can also occur over phone calls, text messages, instant messaging platforms, and social media.
There are many types of phishing attacks, and the most common ones you will come across are usually unsophisticated: they target a large audience and the information provided is generic. It is important for you to understand the techniques cybercriminals use to trick victims into falling for even the simple types of phishing attacks. In this module, we will explore some of these techniques.

The most common method attackers use is to disguise the sender of the email so it appears to be coming from a legitimate source. Attackers do this by modifying the display name that is presented in your e-mail application so that it appears to be from someone you trust. Most email clients will show you the actual e-mail address if you simply hover over the sender's display name. Another method attackers use is to register an e-mail address at a similar domain with only a slight difference in spelling. An example would be setting up an email at G-O-O-L-G-E.com (goolge.com) instead of google.com. If you are not paying close attention, it is easy to mistake the e-mail as legitimate, and you may be enticed to click a link or download a file. Other times, attackers won't bother to do this at all, and the email will come from a gibberish address, for example support@XYZ.abc.com. If it is an unfamiliar sender, do not send personal information or download attachments. Also, if the sender's display name does not match the domain name, don't trust it.

Oftentimes there are dead giveaways in the message that should tip you off that it is a phishing attempt. The first thing to check is the greeting of the message. Phishing messages will use generic greetings and will typically not address targets by name, username or other personal identifiers. Legitimate organizations will typically use your name rather than "Dear Mum" or "Dear Sir". Phishing messages typically include a call to action for the user.
The message may make promises or appear to be too good to be true. Additionally, the message may be threatening or create a false sense of urgency, such as needing to reset a password before an account is suspended. This is the attackers' attempt to target our emotions, like curiosity and excitement, fear or impulsiveness. If you are unsure about the legitimacy of an email and it is requesting you to perform an action, such as resetting a password, then you should go directly to that site and not click any links from within the email. Although cybercriminals are improving their efforts, spelling and grammar mistakes are still very common in phishing emails. Legitimate organizations aren't likely to make these simple mistakes. If an email contains spelling mistakes and poor grammar, you should question the authenticity of the message.

The two primary goals of a phishing email are to convince the user to either click a link or download an attachment. It is very simple for an attacker to make a link to a malicious site appear to be a valid website URL. The link may show facebook.com but, when clicked, will take you to a completely different site. Fortunately, there is an easy way to check the validity of a link: simply hover the mouse over the URL and the real link address will appear. Keep in mind, do not click the link; simply hover the cursor over it. If the URL does not match what is shown on the hyperlink, the attacker is masking the malicious URL with a fake hyperlink, and the link may take you to a fake website. If anyone sends you a link using a URL shortener such as Bitly, be suspicious and exercise caution.
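The sender and link checks described above, written out as an added example that is not part of this module: a small Python script that flags a display name that does not match the sender's actual domain, a lookalike domain such as goolge.com, link text that shows a different host than the link really points to, and links that go through a URL shortener. The trusted-domain allowlist, the shortener list and the sample messages are constructed here for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("google.com", "facebook.com")  # constructed allowlist of genuine brand domains
SHORTENERS = {"bit.ly", "tinyurl.com"}    # constructed sample of URL-shortener hosts
def sender_flags(from_header):  # display name vs real address, and lookalike domains
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    for real in TRUSTED:
        brand = real.split(".")[0]
        is_real = domain == real or domain.endswith("." + real)
        if brand in name.lower() and not is_real:
            flags.append(f"display name says {brand} but address is @{domain}")
        # same letters in a different order (goolge vs google), or the brand buried in a longer name
        if not is_real and (sorted(domain) == sorted(real) or brand in domain):
            flags.append(f"{domain} looks like {real} but is not")
    return flags

class _Links(HTMLParser):  # collects (href, visible text) for every <a> in an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_flags(html):  # visible-text host vs real href host, plus shortener hosts
    parser = _Links()
    parser.feed(html)
    flags = []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()
        if real in SHORTENERS:
            flags.append(f"shortened link via {real}")
        # only compare hosts when the visible text itself looks like a URL or domain name
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown != real:
                flags.append(f"link text shows {shown} but goes to {real}")
    return flags
```

Run `sender_flags` on the From: header and `link_flags` on the HTML body of a suspicious message; an empty list means none of these particular giveaways were found, not that the message is safe.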