Welcome to Cyber Threats 101! This is the first chapter in our A Busy College Student’s Guide to Online Security. We’ll begin by defining social engineering and phishing attacks and share expert tips on how to avoid becoming a victim of these attacks.
What is social engineering or phishing?
Social engineering is a technique used to retrieve important, sensitive information by manipulating a victim. Two of the most common forms of social engineering are phishing attacks and spear phishing attacks.
How do social engineering and phishing attacks work?
If you’ve ever gotten an email from a Nigerian prince, then you’ve received a phishing email. Cyber criminals send phishing emails or text messages to thousands, even millions, of people with the hope that a handful of them will fall for it. These messages are fairly easy to identify because they usually do not come from a person or organization you’re familiar with, the contents make no sense and have visible errors, and they often contain a suspicious attachment or link.
Spear phishing, by contrast, involves a criminal crafting a tailored message for only a few recipients, like the executives of a bank or school. These messages are harder to identify because they usually include details such as your interests and your employer, which are publicly available on your social media profiles, your public resume, or other sources.
How would I know if an email is a phishing email?
To avoid a phishing attempt, you should learn how to identify “phishy” websites and emails. To help you spot a phony email, look for the following:
- The email is from someone you don’t know or from a company you’ve never done business with.
- The sender’s email address has an unusual ending, like “.uz”. Also, beware of spelling errors in the sender’s email address and in the body of the email.
- A sense of urgency to open a link or to submit your personal information with a threat of losing your service or legal ramifications.
- Suspicious links or attachments.
- The email doesn’t include your name or username, or addresses you simply as “Customer” or “Account Holder.”
How can I tell the difference between a real website and a phishing website?
When you’re browsing the web, you should also look for the following:
- Check the website’s URL for any misspellings, unusual words or special characters before or after the company’s name. Also look for an unusual ending, like “.ua”.
- Check for a padlock or a key on the far left side of the address bar to see if the website can be trusted.
- Look for “https://” at the beginning of the address to verify the site is secured.
- Enable pop-up and phishing protection in your Chrome and Firefox browsers.
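A small checker that applies the website checklist above to a single URL, added here as an example and not part of the original guide. The set of trusted domains, the list of ordinary endings and the look-alike character table are constructed assumptions; replace them with the sites you actually use.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumption): the genuine domains this checker trusts
# and the endings it considers ordinary. Adjust to the sites you really use.
KNOWN_DOMAINS = {"mycollege.edu", "paypal.com"}
COMMON_TLDS = {"com", "edu", "org", "net", "gov"}
# Character swaps that make a fake name read like a real one (short, hypothetical list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s")]

def normalize(label: str) -> str:
    """Undo common look-alike substitutions so 'paypa1' compares as 'paypal'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('login.paypal.com' -> 'paypal.com').
    Simplification: does not handle two-part suffixes such as co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:])

def check_url(url: str) -> list[str]:
    """Return the warnings from the checklist above that this URL triggers."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        warnings.append("no https:// (the connection is not encrypted)")
    if parts.username is not None:
        # Anything before '@' is login text, not the site; the browser goes to `host`.
        warnings.append("text before '@' is not the site; the real host is " + host)
    if "xn--" in host or not host.isascii():
        warnings.append("non-ASCII or punycode characters in the hostname")
    domain = registrable_domain(host)
    if domain not in KNOWN_DOMAINS:
        tld = domain.rsplit(".", 1)[-1]
        if tld not in COMMON_TLDS:
            warnings.append(f"unusual ending '.{tld}'")
        for known in KNOWN_DOMAINS:
            brand = known.split(".")[0]
            # The brand name (or a look-alike of it) appears somewhere in the
            # hostname, but the part that actually matters is a different domain.
            if any(brand in normalize(label) for label in host.split(".")):
                warnings.append(f"looks like '{known}' but the real domain is '{domain}'")
                break
    # https:// by itself only shows the connection is encrypted, not that the
    # site is genuine, so the domain checks above still matter on https pages.
    return warnings
```

An empty list means none of the listed warning signs were found, not that the site is guaranteed safe.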
What can I do to protect myself from a social engineering or phishing attack?
First, learn how to identify a phishing website or email. If you ever doubt the legitimacy of an email, simply delete it. If you believe you’re the target of a social engineering email, send a separate email to the sender, asking whether they really sent it.
Secondly, never click any links or download any attachments. Report a phishing attack to your school’s IT Department or the Public Safety department.
Finally, keep your accounts secure by using strong passwords, enabling spam filters in your email accounts, and not posting your email address on public-facing social media profiles.
Loved reading this guide? Continue to Chapter 2: Ransomware