Social engineering is the practice of manipulating and deceiving people into revealing confidential information or taking an unsafe action. It can be carried out by post, by email (where it is known as phishing), or over the phone.
How can you identify a social engineering attempt via email?
There are several elements commonly found in most email-based social engineering/phishing attacks. Here are some red flags to watch out for:
Appearance
- Grammatical errors or misspellings
- Low quality or disorganized graphics or logos
- A generic greeting is used instead of your name
Sender’s Identity
- Sender’s name does not match email address
- Sender’s email domain does not match the company the party claims to represent
Message / Tone
- Request includes opening an attachment, clicking a link, or providing sensitive information
- Urgency or warning of consequences if you do not respond
As attackers have become more sophisticated, their phishing emails have started to look more professional, so the absence of spelling mistakes or poor graphics is no guarantee that a message is genuine. Keep in mind that display names, and even the sender address itself, can be forged. Vigilance is crucial. If you have any doubts about an email, check with the help desk before responding or clicking on a link.
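The following Python script is an added example (not part of the original page) that applies the sender-identity, greeting, urgency and link checks listed above to a raw email message. The organisation domain mass.gov, the greeting and urgency word lists, and both sample messages are assumptions constructed for this example; a real deployment would tune the lists and feed it messages from a mailbox or gateway.

```python
"""Heuristic checks for common email phishing red flags, run over a raw message.

Added example, not part of the original page.  Assumptions: the organisation's
real domain is taken to be mass.gov, the greeting and urgency word lists are
illustrative, and both sample messages below are constructed for the example.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "mass.gov"  # assumed organisation domain
GENERIC_GREETINGS = ("dear user", "dear customer", "dear employee", "hello,", "hi,")
URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "suspended",
                 "final notice", "verify now")
LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def looks_like(domain: str, expected: str) -> bool:
    """True for the expected domain or a subdomain of it (e.g. mail.mass.gov).
    Lookalikes such as mass-gov.com or massgov.net are rejected."""
    return domain == expected or domain.endswith("." + expected)


def check_message(raw: bytes, expected_domain: str = EXPECTED_DOMAIN) -> List[str]:
    """Return a description of every red flag found in the raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Sender's identity: display name vs. address, and address domain vs. claimed org.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    name_lc = display_name.lower()
    if "@" in name_lc and domain_of(name_lc) != sender_domain:
        findings.append(f"display name shows {domain_of(name_lc)} but address is {sender_domain}")
    elif expected_domain.split(".")[0] in name_lc and not looks_like(sender_domain, expected_domain):
        findings.append(f"display name '{display_name}' claims {expected_domain} "
                        f"but address domain is {sender_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {sender_domain}")

    # Appearance: generic greeting on the first non-empty line of the text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    first_line = next((ln.strip().lower() for ln in text.splitlines() if ln.strip()), "")
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        findings.append(f"generic greeting: '{first_line}'")

    # Message / tone: urgency wording, links leading off-domain, attachments.
    hits = [t for t in URGENCY_TERMS if t in text.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    for url in LINK_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if not looks_like(host, expected_domain):
            findings.append(f"link points off-domain: {host}")
    if any(True for _ in msg.iter_attachments()):
        findings.append("message carries an attachment")
    return findings


# Constructed sample: a lookalike domain, foreign Reply-To, generic greeting, urgency, off-domain link.
PHISHING_MESSAGE = (
    b"From: \"Mass.gov IT Help Desk\" <helpdesk@mass-gov-support.com>\n"
    b"Reply-To: recover-mailbox@example.net\n"
    b"To: jane.doe@mass.gov\n"
    b"Subject: Action required\n"
    b"Content-Type: text/plain; charset=\"utf-8\"\n"
    b"\n"
    b"Dear Employee,\n"
    b"\n"
    b"Your mailbox will be suspended within 24 hours unless you verify now at\n"
    b"http://mass-gov-support.com/login\n"
)

# Constructed sample: personal greeting, real subdomain, on-domain link, no pressure.
LEGIT_MESSAGE = (
    b"From: \"Secretariat IT Service Desk\" <servicedesk@mail.mass.gov>\n"
    b"To: jane.doe@mass.gov\n"
    b"Subject: Remote access policy update\n"
    b"Content-Type: text/plain; charset=\"utf-8\"\n"
    b"\n"
    b"Hello Jane,\n"
    b"\n"
    b"The updated remote access policy is posted at\n"
    b"https://www.mass.gov/remote-access-policy for review at your convenience.\n"
)

if __name__ == "__main__":
    for label, raw in (("phishing sample", PHISHING_MESSAGE), ("legitimate sample", LEGIT_MESSAGE)):
        print(f"{label}: {check_message(raw) or ['no red flags found']}")
```

These are heuristics that mirror the checklist, not a verdict: an empty result means none of the listed red flags were found, not that the message is safe, and a single flag on an otherwise expected message is a reason to verify with the help desk rather than to act on the email.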
How can you identify a social engineering attempt via phone?
A caller carrying out a social engineering attempt over the phone may show several of the following characteristics:
Caller’s Identity
- Refusal to provide contact information or complete employee information
- Use of name-dropping or referencing internal technologies or initiatives
Request / Tone
- Requesting proprietary, non-public or personal information
- Intimidation or pressure to provide information quickly
How should you respond if you encounter suspicious activity?
In the case of a suspicious email:
- Do not respond to emails or text messages asking for confidential or personal information.
- Do not open attachments or click on links within suspicious emails, even when the sender appears to be someone you know: accounts can be compromised and sender addresses can be forged.
- Attackers can target you at work through your personal accounts (like Gmail); follow the same care for all your accounts.
- Limit details disclosed in “out of office” messages.
In the case of a suspicious phone call:
- Verify the caller’s identity. Ask for their name, agency, and employee number and then confirm the information on Mass.gov.
- Take their name and call them back on the contact details listed on Mass.gov (not the details provided by the caller).
- Never provide personal information, details of other employees, or disclose other non-public information about the Commonwealth unless authorized and you are certain about the caller’s identity.
- Never divulge sensitive or other internal information to unknown individuals on the phone.
- Do not feel pressured into sharing information by a caller using intimidation techniques.
If you suspect any malicious activity, report it immediately to your manager and your Secretariat IT Service Desk. Contact information for Secretariat IT Service Desks can be found here.
By following these simple steps, you greatly reduce the risk of unwittingly giving an attacker access to the Commonwealth's network or compromising sensitive organizational, client, or personal data.