These tips are given in association with the U.S. Department of Homeland Security to help individuals remain vigilant for scams related to the coronavirus. Cybercriminals are sending emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to a fraudulent charity. Exercise caution with any email that has a COVID-19 related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19. Cyber awareness should always be practiced, regardless of the situation.
In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher, and may even offer credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and use the information from the first source to add to his or her credibility.
Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send an email that appears to come from a reputable credit card company or financial institution and requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as
Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information. Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP makes it easy to spoof caller identity (ID), which takes advantage of the public's misplaced trust in the security of phone services, especially landline services. Landline communication cannot be intercepted without physical access to the line; however, this trait is of no benefit when the person you are talking to is the malicious actor.
Smishing is a form of social engineering that exploits SMS, or text, messages. Text messages can contain links to webpages, email addresses, or phone numbers that, when tapped, automatically open a browser window, compose an email message, or dial a number. This integration of email, voice, text message, and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.
The sender's address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.
Generic greetings, such as "Dear Valued Customer", and a lack of contact information in the signature block are red flags. A trusted organization will normally address you by name and provide their contact information.
If you hover over links in the body of the email and the link target does not match the displayed text, the link may be spoofed. Cybercriminals shorten URLs to hide their true destinations or use variations in spelling or domain (for example, a different top-level domain or a transposed letter).
Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel who produce, verify, and proofread customer correspondence.
An unsolicited email requesting a user to download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency to persuade users to download or open an attachment without examining it first.
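The sender-address and mismatched-link indicators above can be checked mechanically before a user ever hovers over anything. The following Python script is an added example, not part of the original page or of any DHS tool: it parses a constructed sample message and flags a sender domain that is one character away from a trusted domain, anchor text whose domain differs from its href, and a URL shortener that hides the real destination. The trusted-domain allowlist and the shortener list are assumptions for the example.

```python
"""Flag common phishing indicators in a raw email: a lookalike sender domain,
anchor text that does not match its href, and URL shorteners.
Added example; the message, trusted domains and shortener list are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the From domain drops one letter from
# examplebank.com, and the visible link text differs from the href.
RAW_MESSAGE = b"""From: Customer Service <alerts@exampebank.com>
To: victim@example.net
Subject: Urgent: COVID-19 account verification required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Valued Customer,</p>
<p>Please verify your account at
<a href="http://bit.ly/3xyzabc">https://www.examplebank.com/login</a>
within 24 hours.</p>
</body></html>
"""

TRUSTED_DOMAINS = {"examplebank.com"}               # assumed allowlist
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed, not exhaustive
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; lookalike domains are usually within 1-2 edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (good enough for .com/.net style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: bytes) -> list:
    """Return human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender domain: exact match is fine; a near miss is a lookalike.
    sender = msg["from"].addresses[0].domain if msg["from"] else ""
    sender_dom = registrable_domain(sender)
    if sender_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < levenshtein(sender_dom, trusted) <= 2:
                findings.append(f"lookalike sender domain {sender_dom} (resembles {trusted})")

    # 2. Links: compare the domain shown in the text with the href target.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target = registrable_domain(urlparse(href).hostname or "")
            if target in URL_SHORTENERS:
                findings.append(f"shortened URL hides destination: {href}")
            if LOOKS_LIKE_URL.fullmatch(text):
                shown = urlparse(text if "://" in text else "http://" + text).hostname
                if shown and registrable_domain(shown) != target:
                    findings.append(f"link text {text!r} does not match href {href}")
    return findings


if __name__ == "__main__":
    for finding in analyse(RAW_MESSAGE):
        print("WARNING:", finding)
```

Only anchor text that itself looks like a URL or domain is compared with the href, so ordinary "click here" links are not reported; the edit-distance check is deliberately loose (up to two edits) because it is meant to prompt a human review, not to block mail on its own.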
Some characteristics that make email attachments convenient and popular also make them a common tool for attackers:
Follow these six steps to help keep yourself protected:
Don't click links or download attachments from unsolicited emails. If you did not request the information, delete the email.
Use trusted sources, such as legitimate government websites, for updates about COVID-19.
Always use multi-factor authentication (MFA) when accessing resources over the internet. MFA limits what an attacker can do with a stolen username and password.
Social engineering is designed to get you to do something you usually would not do, like providing access to a building or your computer. Social engineering can take many forms: a phone call, a text message, or an email.
Phishing scams and smishing attacks are increasing. Like the majority of threats, these are designed to get you to give something up, such as your username and password or money. For our Office 365 clients: Microsoft will NEVER ask for your credentials in a message you did not initiate.