Most people are aware of the technological side of cybersecurity. They’ve heard about viruses and vulnerabilities and hackers breaking into networks. This way of thinking misses the other potential target of a hacker: the human who uses the computer. Social engineers use human psychology to trick or manipulate people into doing what they want.
Social engineering attacks can be roughly classified into two main categories: phishing attacks and in-person/phone-based attacks. This isn’t to say that attacks have to be one or the other; in fact, some of the most effective phishing attacks involve an email with a phone call as a follow-up. In this article, we’ll discuss some of the red flags associated with common phishing and in-person/phone-based social engineering attacks.
What are Phishing Red Flags?
Phishing emails are one of the most common forms of social engineering. Unlike in-person social engineering attacks, phishers can send out hundreds or thousands of emails per second. Even a low success rate means that the attack is successful with dozens or even hundreds of targets.
What are the Most Common Phishing Red Flags?
Phishing emails give themselves away through a variety of red flags. Among these are discrepancies with the sender’s and recipient’s email addresses, the email subject, the email sending time and the email body.
1. Sender Address
The sender’s email address is a great starting point when trying to identify a potential phishing email. While DMARC and DKIM signatures can help with verifying that an email comes from a certain domain, it doesn’t mean that domain is the right one. It’s important to check that the sender’s email address is actually from the company that it appears to originate from. Common tactics for concealing a false domain include misspellings (like substituting rn for m) or using a domain that looks plausible but doesn’t belong to a company (like companyname-support.com). If an email originates from a lookalike domain, it’s almost certainly malicious.
Once an email address is verified as legitimate, the next thing to consider is if it makes sense that the alleged sender of the email would be communicating with you. It’s possible that the sender’s email address has been hacked and is being used for phishing attacks. If you do not usually communicate with the sender, it might be worthwhile to pick up the phone or drop by in person to verify that the email is legitimate.
2. Recipient Addresses
In addition to the sender address, the addresses that the email is sent and cc’d to is worth a look. If the email is sent to a group, consider whether or not the group makes sense. If it seems to be just a random mix of addresses or the logic of it is weird (like every employee in your company whose name begins with the letter A), then it might be a phishing email.
3. Subject Line
In both legitimate and malicious emails, the goal of the subject line is to grab your attention and provide some context for the email. Phishing emails typically play on human emotions and motivations to increase the probability that they will be opened and acted upon. If an email’s subject tries to create a sense of urgency, greed, fear or other strong emotions, then you have cause for suspicion.
Email subjects should also be considered on a more personal level. If you’ve verified the probable authenticity of the email’s sender, does this subject make sense for the sender? Have you received similar emails from them in the past? Another red flag is if the email references a conversation that you don’t remember. By mixing uncertainty with a sense of urgency, social engineers play on the human propensity to think that they’ve forgotten something and then rush to take action to fix their mistake.
4. Time and Date
Emails include a time and date of sending, which can be an easy red flag for spotting a phony message. If the sender is wishing you good afternoon at 3 AM or sending what appears to be a business email in the middle of the night, there is a good chance that it’s a phishing email. However, if you think there’s a chance of your coworker simply working late on a project, it doesn’t hurt to call and verify the request from the email.
The body of the email is where a social engineer tries to sell you on a course of action. This may be clicking a link, opening an attachment, or taking some other action in the attacker’s interest. Analyzing the call to action in an email is an important first step in identifying a phishing email. If the call appeals to human emotion like greed or fear or tries to create a sense of urgency, then the email should be treated with caution.
Another thing to examine in an email is the salutation. If the email is addressed to “Valued Customer” or “Employee” rather than by name, it’s suspicious, as companies can easily individually address emails. If you’ve received emails from the sender in the past, check if the salutation is consistent with past emails.
Malicious links are a common way for social engineers to get email recipients to visit their dangerous websites. Best practice is to never click on links, but instead to visit the alleged sender’s website directly and then find the target page through internal links. However, this takes time and effort, so most people will ignore best practice and click on links if they look legitimate and make sense in context.
Social engineers can use several different techniques to make a malicious link look benign. One simple way is to make the display text of a link different from the address that the link leads to. It is important to mouseover every link before clicking it and verify that the target address points to the correct domain. If a mouseover link doesn’t match the displayed link, it’s definitely cause for suspicion.
Another method that social engineers use is the creative application of misspellings. Certain combinations of letters (like r and n) look like other letters (like m). It’s also easy to miss when a letter is missing, especially when it’s a repeated letter. This also applies to the top-level domain, like .com and .org. The domain companyname.co might look plausible if their real domain is companyname.com, but these are completely different websites and can be owned by different people.
Email attachments can be useful for business purposes, but they’re also a great vector for a malware infection. Before opening an email attachment, it’s important to consider whether or not the email attachment makes sense in context. If the email claims to have an invoice attached but the attachment is a zipped file, then it’s probably best not to open it.
The next question to ask is whether or not you would expect an email attachment from the sender. If you’ve never received an email with an attachment from this sender, it might be worth checking with them before opening it. The same goes if you’ve never received an attachment of that filetype from that sender before. If you’re accustomed to receiving documents or spreadsheets from the sender and it’s suddenly something else, it’s probably best to verify its authenticity before opening it.
In-Person and Phone-Based Red Flags
While phishing attacks work in some situations, sometimes an in-person or phone-based approach is more effective. Most people have undergone at least some anti-phishing training and know better than to send their password to someone who asks for it by email. But those same people might not think twice about leaving a stranger alone in their office with physical access to their computer, which could be even worse. In this section, we’ll discuss some of the techniques which social engineers use to manipulate their targets.
8. Avoiding Questions
Social engineering is essentially pretending to be something that you’re not. While good social engineers learn as much as possible about their intended role before starting the con, it’s likely that there is information they don’t know that they would if they were legitimate. When faced with questions that they don’t know the answer to, a social engineer will try to deflect the conversation away from it or find a way to turn the question back on the person asking. These evasions are a red flag that may indicate a social engineer.
9. Dropping Names
Most humans have respect for authority and are more likely to follow instructions that they believe originate from someone in authority over them. Social engineers will exploit this tendency by dropping the names of authority figures in the course of conversation or outright claiming that their request originates from an authority figure. The first technique lets them borrow some of the authority figure’s influence (since for example, the CEO likely only has lunch with important people) while the second places their requests within a standard working relationship (employees usually follow management’s orders). An unknown person that claims to be close to someone in authority is a social-engineering red flag that should be checked out.
10. Making Mistakes
One of the simplest yet most powerful social engineering techniques is making a deliberate “mistake.” Most people will go out of their way to save someone from embarrassment. This could include providing the CEO’s schedule to someone who “has a meeting scheduled but must have the wrong day” or plugging in a USB drive to print a resume for a job candidate who spilled coffee on theirs and doesn’t have time to print another. A little bit of prep and a couple of props can set up a situation where a social engineer can convince someone to do something that they’d never do normally.
Another method of using mistakes to get information is to deliberately make incorrect statements. Some people are incapable of allowing a mistake pass and will potentially reveal sensitive information to correct someone’s incorrect statement. Since the social engineer seems allowed to have the information but misremembered, their target doesn’t think twice about setting the record straight.
11. No Callback Number
Spoofing the phone number shown on caller ID is fairly easy and lets an attacker appear to be calling from a trusted number. However, if their target tries to call them back at that number, the call will go to the true owner of the number. If someone absolutely refuses to leave a callback number, it should raise a red flag about the legitimacy of the caller.
12. Requesting Information
The goal of social engineering is getting information, and the easiest way to get most information is by asking questions. If someone is requesting unusual or sensitive information, it’s probably best to verify that they have a right to it.
13. Trading Favors
People don’t like feeling indebted to others, and would much rather have others owe them a favor. Social engineers take advantage of this bias in two ways. By creating or taking advantage of a situation where they can do a favor for someone, a social engineer can use their sense of gratitude or indebtedness to get them to do what they want. On the flip side, by phrasing their request as their target “doing them a favor” or that “they’ll owe you one,” social engineers play off their target’s greed and desire to be liked and owed favors.
14. Turning on the Charm
Flattery and flirtation are powerful ways of motivating people. Someone focused on getting the cute stranger’s number probably isn’t thinking about company policy. Even if the social engineer doesn’t go as far as flirting, people are more likely to do things for people that they like, so a little kindness and charm can go a long way for a social engineer.
Use These Red Flags to Protect Yourself Against Social Engineering
Social engineering is all about manipulating human psychology to get what the social engineer wants. The best way to protect yourself against a social engineer is to slow down, be aware and verify. Most, if not all, social engineering attacks would fail if the target verified that the social engineer was not entitled to the information or action they requested. The red flags described in this article should be reminders that everything is not what it seems if you are dealing with a social engineer.