One of the greatest risks remote users will face is social engineering attacks. Social engineering is a psychological manipulation of people into performing actions or divulging personal information. These attacks are made easier during a time of change and confusion such as COVID-19 when learning and working remotely has become the norm.
Phishing is one of the most prevalent forms of social engineering. Phishing messages will often ask you for personal information such as your password, cell phone number, or credit card information. Phishing messages may also try to convince you to perform a certain action, such as click on a link, open an attachment, send money, or buy gift cards. These messages are often crafted to appear like they came from a trusted authority or someone you know and trust.
Did you know that over 90 percent of cyber attacks start with phishing? Phishing messages are becoming more sophisticated and harder to detect. Phishing attacks can trick you into running malicious software that could allow cybercriminals to take control of your computer, log your keystrokes, or access sensitive business, personal, or financial information.
Criminals can also use SMS messaging, known as "smishing," to lure users into providing personal information. Fraudsters are also using the telephone to scam users. The telephone version of phishing is known as "vishing."
Noticeable signs of social engineering and phishing include the following:
-
Messages that ask for personal information, such as cell phone number, username, password, bank account or credit card number, etc.
-
Messages with a sense of urgency. For example, "Your account needs upgraded. Click this link or it will be deleted."
-
Messages that seem suspicious and ask you to click a link.
-
Messages with an attachment you weren't expecting. These can often be an invoice, fax, or shipping notification.
-
Messages that ask you to perform tasks, like buying gift cards.
-
Messages that have a generic greeting rather than using your name (Dear Customer, Dear User, etc.).
-
Messages with poor grammar and spelling mistakes.
-
Messages from another user in the organization that appear to have characteristics of a phish email may be a sign that the user's account is compromised and is being used to phish you.
Avoid social engineering schemes:
-
During these uncertain times it is important to be vigilant when viewing and responding to any type of communication.
-
Never give out usernames, passwords, or other sensitive information via email or telephone.
-
The IT Support Center will never ask for your password via the telephone or email.
-
Make sure you look at the actual email address, not just the display name, when responding to messages.
-
Be cognizant of spoofed login pages. Review the URL before entering your credentials on web pages.
-
Never click on links or open attachments from unfamiliar email addresses.
-
If in doubt, send suspected phishing attempts as attachments to abuse@iup.edu.