Social engineering is a distinct kind of threat: it pairs psychological manipulation with conventional intrusion techniques to gain a foothold in your organization. It is frequently cited that as many as 98% of cyber attacks rely on some form of social engineering, which is why every employee needs to be able to tell a social engineering attempt from a legitimate email. Here are a few questions to ask yourself when an email seems off.
1. Was the message received unexpectedly?
When you saw the email in your inbox, were you surprised? Perhaps it came from someone in your business who doesn't usually email you, or from someone you don't recognize at all. If the request makes you uneasy, verify that it really came from the person it claims to be from, and do so through a channel you already trust (a phone number or address you have on file, not one supplied in the email itself).
2. Are they requesting something out of the ordinary?
Social engineering emails almost always contain a request of some kind: click a link, hand over login credentials, or provide some other piece of private information. If the email asks for something out of the ordinary for that sender, it may well not be from who it says it is.
3. Is the request urgent?
Is the email sender demanding you take action "ASAP" or "right now before it's too late"? This could be a sign that the email is malicious. By making the demand urgent and time sensitive it plays on your fear that if you don't respond you could get yourself or that person in trouble. Make sure that you don't react on emotion when responding to an email like this.
4. How could this request harm your business?
Before complying with a request, ask yourself: if this is a phishing attempt, how could it hurt my organization? If the email asks for private information or wants you to click a link you aren't sure is safe, the odds are that complying will not benefit your business. Remember that a single click can be enough to compromise your organization.
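The four questions above can also be applied mechanically to a message's headers and body. The script below is an added example, not part of the original article or any CorpInfoTech tooling: it parses two constructed sample messages with Python's standard email module and reports a finding for each question that the message trips. The organization domain example-corp.com, the known-sender list and the phrase lists are assumed placeholders. Treat the output as a triage aid rather than a verdict: legitimate bulk mailers also have mismatched Return-Path headers, and the decisive check is still to confirm the request with the sender through a channel you already trust.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed values for the organization being protected (placeholders, not real).
ORG_DOMAIN = "example-corp.com"
KNOWN_SENDERS = {"jane.doe@example-corp.com"}  # people who normally email this mailbox

# Phrases that signal an out-of-the-ordinary request (question 2) or pressure (question 3).
REQUEST_PHRASES = ("login credentials", "password", "wire transfer", "gift card", "verify your account")
URGENCY_PHRASES = ("asap", "right now", "urgent", "immediately", "before it's too late")

# Constructed sample message written to trip every check; it is not a real email.
SUSPICIOUS_EMAIL = b"""From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@gmail.com
Return-Path: <bounce@mailer.example.net>
To: accounts@example-corp.com
Subject: URGENT wire transfer needed right now
Content-Type: text/plain; charset="utf-8"

Hi, I need you to process a wire transfer ASAP before it's too late.
Confirm your login credentials at http://example-corp.com.login-verify.example/ so we can proceed.
"""

# Constructed benign message from a known colleague, for comparison.
BENIGN_EMAIL = b"""From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Minutes from Tuesday's meeting
Content-Type: text/plain; charset="utf-8"

Attached are the minutes, see you Thursday.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e vs example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def triage(raw, org_domain=ORG_DOMAIN, known_senders=KNOWN_SENDERS):
    """Return a list of (category, detail) findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    from_dom = _domain(from_addr)

    # Question 1: is the sender unexpected, or pretending to be someone you know?
    if from_addr not in known_senders:
        findings.append(("unexpected-sender", from_addr))
    if from_dom != org_domain and edit_distance(from_dom, org_domain) <= 2:
        findings.append(("lookalike-domain", "%s resembles %s" % (from_dom, org_domain)))
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(("reply-to-mismatch", "replies go to %s" % reply_to))
    if return_path and _domain(return_path) != from_dom:
        findings.append(("return-path-mismatch", "bounces go to %s" % return_path))

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()

    # Question 2: does it ask for credentials, money or other sensitive things?
    hits = [p for p in REQUEST_PHRASES if p in text]
    if hits:
        findings.append(("sensitive-request", ", ".join(hits)))

    # Question 3: is it pushing you to act before you think?
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    # Question 4: where would a click actually take you? Flag links off the org's own domain,
    # including hosts that merely start with the org name (example-corp.com.login-verify.example).
    for url in re.findall(r"""https?://[^\s<>"']+""", body):
        host = url.split("/")[2].lower()
        if host != org_domain and not host.endswith("." + org_domain):
            findings.append(("external-link", url))
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name)
        for category, detail in triage(raw):
            print("  %-20s %s" % (category, detail))
```

Run as-is, the suspicious sample produces one finding per question (unexpected sender, look-alike domain, Reply-To and Return-Path pointing elsewhere, a request for credentials and a wire transfer, urgency language, and a link whose host only begins with the organization's name), while the benign message produces none. The phrase lists are deliberately short; in practice they belong in a mail gateway's rule set, not in a script, and the header mismatches are best confirmed against SPF and DKIM results that the receiving mail server adds.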
Identifying Social Engineering should be part of your Security Awareness Training
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.