Reading time: 12 minutes
What will you learn?
In this component you will become familiar with the actions you can take to know, as far as possible, who you are dealing with, both online and offline, so that you can be certain you are sharing data, entering into a contract or carrying out any other kind of business transaction with the right person.
Summary
Social engineering exists in various shapes and sizes. The most well-known forms are phishing, spear phishing and whaling. The techniques used for these have become so difficult to distinguish from the real thing that many organisations have been cheated out of large sums of money as a result of these methods.
In addition to doing the usual checks, such as ‘would my bank really ask me to renew my debit card via text message?’, the best way to verify the authenticity of a message is usually to simply phone the person from whom you received the message. And if things still go wrong at some point in time, it is very important to report this immediately to [insert name/person's contact details/department].
Have you ever stopped to think how much there actually is to steal from you, and where this could happen to you? Your workplace is not the only place where malicious parties can make off with your data, or, through you, the data of others, if you are not careful. Have a look at just how long identity theft can go on...
Does this mean you can no longer trust anyone? Of course you can! Nearly all of your communication with internal and external individuals and organisations is reliable. It's just that if you ever let down your guard, even if only for a moment, it can have very unpleasant consequences. That is why we are going to discuss the following key methods for protecting yourself, your colleagues and the education institution as well as possible against this type of fraud.
Can you guess for each type of fraud what those methods are?
When we hear the word phishing, it often brings to mind the weird emails or text messages everyone receives once in a while – the kind that are not very well written and include a link referring to a strange URL and vague logos. Those are clearly not to be trusted. But these days many phishing messages are quite sophisticated and difficult to distinguish from the real thing. It requires that you, a human being, have a very critical mindset about all communication that comes your way.
Since phishing exists in an endless number of different forms, it would be difficult to discuss them all in detail here. We therefore look for general principles with which you can recognise phishing and simple ways to check whether or not the messages are real. And, of course, we tell you what you must do if things go wrong anyway.
Want to take a test first to find out how well you can recognise phishing attempts? Do this Google phishing test.
What do you think are the four most important methods for recognising phishing attempts?
While it may sound silly, your common sense is usually the best indicator of whether or not a message truly originated from the sender it appears to come from. Think logically: would a bank approach you via text message? Would a government institution send you an email without a personal salutation? Does a technician often just walk around in your room without identification? Listen to your common sense and always ask yourself critically whether you can trust the message.
Every day we click on hundreds of links, buttons, attachments and images of various kinds. You almost never stop to consider whether the link you are clicking on will actually take you to the right location. And that is probably for the best – otherwise surfing the internet would be highly impractical. But if you don't totally trust a message, you can simply hover over the link with your mouse to check the underlying address. If the link goes to abnamro.info, facebook.io, rijksoverheid.gz or another domain that is not the organisation's real one, then you know you don't need to bother with it.
You should also be careful with email attachments. Many email attachments contain malware, such as ransomware. Certain types of files are extra suspicious when sent as an attachment; these include files in .exe, .zip, .js and .doc format. Word documents are not harmful in themselves, but if a prompt to enable macros appears after you open one, definitely don't enable them.
Unfortunately, Windows hides extensions such as .exe by default. You can make file extensions visible so that you can see what kind of file you are dealing with. To do so, press the Windows key plus ‘R’, type ‘control folders’ in the window and press ‘Enter’. Then untick the option ‘Hide extensions for known file types’ in the ‘View’ tab.
Always look closely at the sender of the message, such as the telephone number, email address or website. If these do not correspond to the details of the official sender, definitely don't click on anything in the message. For example, you should not trust an email sent from info@rabobank.net, because you know that Rabobank's official domain is rabobank.nl, not rabobank.net.
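As an added illustration of the two checks above (example code written for this page, not part of the original module), the following Python snippet applies the question ‘does this domain really belong to the organisation?’ to both links and sender addresses. The allowlist of official domains is constructed for the example: rabobank.nl is taken from the text, the others are the organisations' well-known domains.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the real domain of each organisation.
# An institution would maintain such a list for the senders it deals with.
OFFICIAL_DOMAINS = {
    "Rabobank": "rabobank.nl",
    "ABN AMRO": "abnamro.nl",
    "Rijksoverheid": "rijksoverheid.nl",
    "Facebook": "facebook.com",
}


def extract_host(address: str) -> str:
    """Return the lower-cased host of a URL, or the domain part of an e-mail address."""
    address = address.strip()
    if "@" in address and "://" not in address:
        # Plain e-mail address: everything after the last '@' is the domain.
        return address.rsplit("@", 1)[1].lower()
    if "://" not in address:
        # Bare host such as 'facebook.io' as shown in a hover tooltip.
        address = "http://" + address
    return (urlsplit(address).hostname or "").lower()


def belongs_to(address: str, official_domain: str) -> bool:
    """True only if the host is the official domain itself or one of its subdomains.

    Simply looking for the organisation's name is not enough: 'rabobank.net' and
    'rabobank.nl.example-login.com' both contain it but belong to someone else,
    so the check requires an exact match or a '.<official domain>' suffix.
    """
    host = extract_host(address)
    official = official_domain.lower()
    return host == official or host.endswith("." + official)


def check_address(address: str, claimed_sender: str) -> str:
    """Verdict for a link or e-mail address that claims to come from `claimed_sender`."""
    official = OFFICIAL_DOMAINS.get(claimed_sender)
    if official is None:
        return f"unknown sender '{claimed_sender}': verify by telephone"
    if belongs_to(address, official):
        return "ok"
    return f"suspicious: {extract_host(address)} is not {official}"


if __name__ == "__main__":
    for addr, org in [("info@rabobank.net", "Rabobank"),
                      ("https://www.rabobank.nl/particulieren", "Rabobank"),
                      ("https://rabobank.nl.example-login.com/", "Rabobank"),
                      ("abnamro.info", "ABN AMRO")]:
        print(addr, "->", check_address(addr, org))
```

Only the first link in the demo is accepted; the others contain the real name somewhere in the address but are not on the organisation's domain.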
Social engineering techniques are not only used in emails, WhatsApp and text messages, but also in letters and telephone conversations, for instance. You could, for example, receive a telephone call from an ‘employee’ of the ‘Internet helpdesk’ who wants to help you with a ‘problem’ with your computer. Keep in mind that social engineering attacks can come at you from all possible directions...
Spear phishing is actually even scarier than ‘regular’ phishing. Instead of the ‘buckshot’ approach that regular phishing often takes, it involves messages aimed at getting a particular employee or student to click on a link, for example. This is not always because that employee has access to particularly sensitive information themselves; the aim can also be to use that person to install malware on the business network, to get hold of data of high-ranking members of the organisation or to gain access to certain files.
Like regular phishing attacks, spear phishing attacks can be carried out in a variety of ways. Think of a father who creates a Hotmail address in his daughter's name in order to request her report card from her teacher. Or an email that has supposedly been sent from a management board member's private email address and addresses you personally: that is also an example of spear phishing!
What do you think are the two most important ways to deal appropriately with spear phishing?
Suppose you receive an email asking a somewhat strange question, for instance whether you could quickly transfer a certain sum of money, forward certain sensitive information or grant ‘temporary access to your account’. If you reply to this message in order to ask whether it is genuine, your email will be received by the fraudster, who would probably be more than happy to reassure you so that you comply with their request...
Don't totally trust a message addressed to you personally? Just phone the sender. Nobody will mind if you double check the message's authenticity; better safe than sorry. By phoning the sender, you will know for sure you've got the right person, who will be able to inform you quickly enough whether the message was legitimate.
Any form of phishing can have a big impact, but whaling may well involve the biggest risks of all. The fact that the attacker often spends a long period of time building up a relationship with the high-ranking employee means that, if the attack is successful, the attacker can potentially inflict considerable damage on the organisation.
Whaling attacks can affect both the high-ranking employee and people lower down in the organisation. Both parties are often needed to carry out a financial transaction, send files to an external party or collect certain business information, for example. One of them grants permission, while the other performs the act. It is therefore a good idea for all employees in an organisation to be aware of the characteristics of a whaling attack.
What do you think are the four most important items for consideration with regard to a whaling attack?
Not all employees feel at ease calling a request from a higher-ranking person in the organisation into question. That is precisely one of the pitfalls of whaling attacks: due to the hierarchical relationship, there is a chance that the request will be granted more easily. So the same applies here, too: if you don't trust the request, particularly if it is financial in nature, always phone the person from whom the request originated (or have your manager do this).
Just as with spear phishing: never send an email to the address the message originated from for the purpose of verifying the authenticity. If the address is fake, the email will end up right back in the attacker's inbox. Always use the telephone for checking requests.
If you receive a request from a manager or high-ranking individual in the organisation that originates from a private email address, do not reply to it. Anyone can create an arbitrary email address to lead you to believe the message comes from a real person. Only reply to requests that come from an email address from within the organisation and always check for email spoofing.
In case of important or dubious requests, always check whether the email address from which the request originated is real. By spoofing email addresses, malicious parties can easily trick you into thinking that an email comes from a manager whereas in reality that is definitely not the case. Hover over the sender with your mouse to reveal the actual email address behind the displayed name, or check this with the ICT department. Since the address itself can also be forged, phoning the sender remains the decisive check.
All information about the handling of information at our school is laid down in the 'Information Security Policy'. You can download and view this document via the button below: