October 28, 2021
Article at a Glance
- Social engineers use urgency, curiosity, and fear to make people fall for phishing attacks.
- Know how to spot phishing attacks and verify email credibility.
- You can report phishing attacks to the InfoSec team.
- 2-Step Verification protects your email account against unauthorized access, but doesn't solve all phishing problems.
Some of you are probably thinking: We’ve been over this before...when are we going to stop talking about phishing?!
The numbers don’t lie. Phishing incidents increased by 220% last year, and are continuing to rise. We still see phishing attempts at Biola every day, and our simulated phishing tests reveal that 11.9% of Biolans are still likely to fall for phishing.
So, for this last week of National Cybersecurity Awareness Month, we want to provide a refresh on how you can protect yourself from phishing and social engineering.
Why Does Phishing Work?
Phishing is remarkably effective because it relies on social engineering.
Social Engineering is the act of manipulating people into performing actions or divulging confidential information. Attackers want more than just your password. Here are the most common types of social engineering that you might see in your email:
- Imposter Fraud: Attackers will research Biola employees and send emails pretending to be your coworker or boss asking for help. These are usually sent from fraudulent personal email accounts, and escalate to malicious requests.
- Malicious Attachments: You may receive an urgent email from a government agency claiming legal action, or summoning you to court. These emails contain attachments with "additional details," but the attached files contain malicious code that runs as soon as the file is opened.
- Financial Scams: Scammers will research which companies Biola works with, and send fake invoices requesting payment to their accounts.
These attacks all have one thing in common: they elicit a strong sense of urgency, curiosity, or fear, in hopes that you'll act without thinking.
What Can You Do?
Think before you click. Social engineers want you to respond to their phishing attempts without thinking. Here are some things to watch out for:
- Expectation: Were you expecting this email? Do you know exactly why the sender is contacting you, or did it come out of left field?
- Sender email domain: Is the email coming from an @biola.edu address? If not, is it someone who has emailed you before?
- Salutation: Is the email addressing you by name? Or is it using a generic greeting?
- Urgency: Is the message trying to get you to do something immediately, without thinking? Or is it promising some great benefit to you? Don’t trust messages that make you feel nervous, or try to make you take thoughtless action, especially by clicking on a link or attachment.
- Vagueness: Don’t trust messages that lack specific detail. Attackers use vagueness to make a message seem familiar or expected. And if the message mentions “your account,” make sure you know exactly which account they’re talking about.
- Links: Does the message contain links or attachments? Did you hover over them and scrutinize the URLs? Does the link point to the address you would expect?
- Signature: Did the sender sign with a specific name, or with something generic like “The IT Team”? Legitimate senders typically use a name.
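The checklist above can also be applied mechanically. The script below is an added example, not code from the article or from Biola IT: it parses one email message and flags the same warning signs a reader is asked to look for (a sender outside the expected domain, a generic greeting, urgency language, a generic signature, and links whose visible text points somewhere other than their real target). The sample message, the sender address, the URLs, and the choice of biola.edu as the trusted domain are all constructed assumptions for illustration.

```python
"""Heuristic phishing triage for a single email message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "biola.edu"  # assumption: the organisation's own mail domain

# Constructed sample message for illustration; not a real phishing email.
SAMPLE_EMAIL = """\
From: "IT Support" <it-support@example-helpdesk.net>
To: staff@biola.edu
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear User,</p>
<p>Your account will be suspended within 24 hours unless you verify it immediately.</p>
<p><a href="http://198.51.100.7/login">https://accounts.biola.edu/verify</a></p>
<p>Regards,<br>The IT Team</p>
</body></html>
"""

GENERIC_GREETINGS = ("dear user", "dear customer", "hello,", "hi,", "dear sir")
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "act now")
GENERIC_SIGNATURES = ("the it team", "it department", "support team", "help desk")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs: where a link says it goes vs. where it really goes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare names like 'accounts.biola.edu' are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Crude registrable domain: last two labels (mail.biola.edu -> biola.edu). IPs stay as-is."""
    if not host or IPV4.fullmatch(host):
        return host
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze(raw_message):
    """Return a list of human-readable warning signs found in the message (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []

    # Sender email domain: is it the organisation's own domain?
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if registered_domain(sender_domain) != TRUSTED_DOMAIN:
        findings.append(f"sender domain '{sender_domain}' is not {TRUSTED_DOMAIN}")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = " ".join(re.sub(r"<[^>]+>", " ", body).lower().split())
    subject = msg.get("Subject", "").lower()

    # Salutation, urgency and signature checks on the visible text.
    if any(text.startswith(g) for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")
    hits = [w for w in URGENCY_WORDS if w in subject or w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    if any(s in text for s in GENERIC_SIGNATURES):
        findings.append("generic signature")

    # Links: does the visible text match the real destination?
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        real = host_of(href)
        looks_like = host_of(shown) if ("." in shown or "://" in shown) else ""
        if looks_like and registered_domain(looks_like) != registered_domain(real):
            findings.append(f"link text shows '{looks_like}' but points to '{real}'")
        if IPV4.fullmatch(real):
            findings.append(f"link points to a bare IP address {real}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

The link check is the programmatic version of "hover over the link and read the URL": the text inside the anchor claims an @biola.edu destination while the href goes to a bare IP address. Heuristics like these produce false positives on legitimate mail, so they are a prompt to verify, not a verdict.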
Verify credibility. If something is unfamiliar or seems too good to be true, take the time to verify what’s going on. For example:
- Call your actual “colleague” or “boss” to verify their request.
- If you get an email from an organization that seems phishy, visit their website directly (rather than clicking on a link) or call them back at a known number.
Report phishing. If you receive a message that you suspect to be phishing, report it.
- If you have the Phish Alert Button enabled in your Google account, click on it to report suspected phishing messages to the InfoSec team.
- If you simply want to report a phishing message, and don’t want a response from IT, you can forward the suspicious message to firstname.lastname@example.org.
- If you want to ask questions about a message and receive a response from IT, contact the IT Helpdesk to create a ticket.
What about Google 2-Step Verification?
You might wonder why we need to worry about phishing if we have Google 2-Step Verification turned on for employees. It’s true—Google 2SV prevents attackers from breaking into your account, because even if an attacker steals your password, they can’t access your account without getting past 2SV.
That said, phishing attacks can do more than try to steal your password or break into your email account: They may be trying to gather information, send viruses, or steal money. The best defense against phishing is your own security awareness.