Social engineering relies on psychologically manipulating people into performing actions or divulging confidential information that they would not in normal circumstances. You may not recognize the sender of a phishing email, or the social engineer may pretend to be a trusted source, particularly one with authority, such as your boss, your organization’s CEO, a bank, or a government agency, to increase the likelihood that you will feel compelled to respond and provide the requested information or take the requested action. Never click a link, open an attachment, or provide sensitive information unless you can independently confirm the legitimacy of the request.
When phishing and social engineering attempts are successful, they can result in devastating consequences for our organization and employees, including financial harm and reputational damage. So be on the lookout for fraudulent communications—such as emails (phishing), phone calls (vishing), or text messages (smishing)—and remember that a phishing attempt cannot be successful if the recipient navigates it appropriately.
As you go about your work, remember to keep an eye out for potential phishing attempts, which are often characterized by certain red flags, such as:
- Spelling and grammar mistakes
- Minimal or vague details provided about the request
- Requests for money or financial information (including an unusual or unexpected invoice, or a wire transfer to a foreign country)
- Requests for login credentials
- An unusual urgency or time-sensitive nature to the request
- A stated or implied need for secrecy (such as instructing you not to call them over the phone)
- An unexpected request from a vendor to change their banking or payment information, and
- A sender’s email address that’s external or contains misspellings
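The red flags above can also be turned into a simple triage check. The following is an added example, not part of this bulletin or of any Inky feature; it assumes the organization's mail domain is example.com and uses constructed keyword lists and sample messages to score a message against the listed indicators (an aid for triage, not a verdict).

```python
import re

# Added example (not from the bulletin). Assumptions: the organization's mail domain is
# example.com and the keyword lists below are illustrative, not complete.
INTERNAL_DOMAIN = "example.com"

# One pattern per red flag from the bulletin's list (content-based flags).
PATTERNS = {
    "urgency": re.compile(r"\b(urgent|immediately|asap|right away|today|within the hour)\b", re.I),
    "financial request": re.compile(r"\b(wire transfer|invoice|gift card|bank account|routing number)\b", re.I),
    "credential request": re.compile(r"\b(password|login|credentials|verify your account|sign in)\b", re.I),
    "secrecy": re.compile(r"\b(do(n['’]?t| not) call|keep this (between us|confidential)|tell no one)\b", re.I),
    "vendor payment change": re.compile(r"\b(updated? (our )?bank(ing)? (details|information)|new account number)\b", re.I),
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike sender domains (exarnple.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(sender: str, subject: str, body: str) -> list[str]:
    """Return the bulletin's red flags that a message exhibits, in a fixed order."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].strip(">").lower()
    if domain != INTERNAL_DOMAIN:
        flags.append("external sender")
        # A domain within two edits of our own is a likely misspelled lookalike.
        if 0 < levenshtein(domain, INTERNAL_DOMAIN) <= 2:
            flags.append("lookalike domain")
    text = f"{subject}\n{body}"
    flags.extend(name for name, pat in PATTERNS.items() if pat.search(text))
    return flags

# Constructed sample messages for demonstration.
SAMPLES = [
    ("ceo@exarnple.com", "Urgent wire transfer",
     "Process this wire transfer today. Don't call me, I'm in a meeting."),
    ("alice@example.com", "Lunch", "Want to grab lunch tomorrow?"),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLES:
        print(sender, "->", red_flags(sender, subject, body) or ["no red flags"])
```

A message that trips several flags at once, like the first sample, is exactly the kind to verify with the sender by phone before acting.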
Navigating Phishing Attempts
Never click a link or open an attachment from a sender you do not know. If you receive an email from someone you do know that seems out of character for what they’d normally send, or that contains red flags, call or speak to the sender in person to verify that they did, in fact, send the message. Use a known phone number, not one listed in the email. If you cannot verify that the sender actually sent the message, or if the person who allegedly sent the message informs you that they did not send it, use the Report this Email link in the Inky header to alert IT, then delete the email from your inbox without clicking any links or attachments.
And if you’re uneasy about disclosing any requested information, always check with your supervisor or another designated resource before taking action or giving out information.