Phishing Attacks in the Engineering Industry

December 27, 2017 by Tyra Appleby


The engineering field consists of various types of disciplines. It has multiple branches but most types of engineers can be placed into one of the following categories: civil, electrical, systems, software, mechanical and chemical. The focus of each branch is different but the overall goal is the same. Engineers build, design, or maintain. Given that definition, engineers can be found in almost every professional industry that exists. They can be found in the healthcare industry, hospitality, information technology, federal and local government, infrastructure, robotics, agriculture, automotive, entertainment, environmental, Department of Defense/military, etc.

Why Phish the Engineering Industry?

Given their existence across multiple sectors and professional industries, if not every one, targeting engineers would be of interest to anyone hoping to gain unauthorized access to a network. Phishing attacks that target engineers are normally used to target the particular industry or corporation they work for. Information systems or other types of engineers that work for government agencies or defense contracting companies may receive phishing emails from state-sponsored bad actors or anyone looking for access to information relating to military or government activities. Contracting companies that perform work for government entities often have access to potentially valuable information. This makes them a target.

There is a growing concern about the nation’s power grids. Grids are maintained by engineers. Targeting engineers that manage the power grids could give potential hackers the access they need. Unauthorized power grid access could be of particular interest to state sponsors. If foreign countries can cause havoc on our way of life, it gives them power.

How the Engineering Industry Is Phished

Phishing attempts against engineers are similar to any standard phishing attempt. So much of our personal information is available via social media and simple Google searches. A potential hacker who may want to attempt to phish an engineering employee of, for example, a government contracting company, could make a list of companies in this industry and start looking for employees of those companies. Once they find employees within the targeted industry, they can try to determine their email address to send them phishing emails. Many companies have email addresses that fit into a certain schema. So, once a potential hacker has a full name of an employee, they may be able to figure out their email address.

A phisher who can deduce business email addresses because of a standardized address protocol can send hundreds of password-reset phishing emails like this one, so make sure your employees don’t fall for it

Many companies use fax confirmation services. When employees use networked equipment to send a fax or scan, they will receive an email letting them know their item was successfully completed. These potential hackers could send emails that state the employee successfully sent a fax and they can click on the embedded malicious link to see the successful fax message. Hackers have also been known to send emails concerning LinkedIn profiles. These emails are getting better and more authentic looking. Another way to try to lure employees into clicking malicious links or opening infected files is sending emails about company benefits. If the potential hackers know the timing with which a company participates in their open enrollment cycle for employee benefits, they can send emails out around this time stating there was an issue with their enrollment. The FTC has warned against open enrollment scams.

FireEye was able to detect spear-phishing attempts against employees of U.S. electric companies. Information has not been released concerning the specifics contained within the phishing emails; however, it was evident that some level of reconnaissance was performed before these emails were deployed.

Steps for Preventing Engineering Industry Phishing

Preventing phishing attempts requires similar steps in every industry. What makes preventing phishing the engineering industry so important is its access to every other professional industry. The best way to protect against phishing attempts is through education, testing, and reporting. 

Education and Training

Hackers have gained a lot of momentum and maturity over the years, and this trend in cyber-crime is only expected to continue to grow as a threat. With the increased use of social media tools and people volunteering to post details about their personal information, hackers can compile information to better form phishing emails. There are also tools available on the dark web that make creating a phishing email easy, even for a novice user.

With such a large potential for attacks, educating employees, or any system users, is important in maintaining the integrity of an organization’s digital assets and network.

It is important that organizations educate their employees on the types of emails they will send. Since hackers use things like open enrollment and potential account issues to try and lure victims, employees should be shown what these types of emails actually look like, or told whether they are ever sent at all.

InfoSec Institute offers a myriad of self-paced tutorials and other training tools, all of which are available to InfoSec account holders, including those with free membership plans. The training provides overviews of phishing email attempts to help learners recognize suspicious emails, and to discover what to do when a questionable email is received. You may view InfoSec’s tutorials and sign up for a free account here. 

Testing and Evaluation

InfoSec’s Security IQ provides an ideal mechanism for performing just such an assessment.

With the PhishSim tools and templates, you can create emails similar to those which may be used by these criminals, then send them to everyone who interacts with your mail system. That helps to determine how they respond to a real threat.

With an extensive collection of existing templates, cloning and then modifying an existing one is probably the quickest and easiest way for a user to start a phish testing campaign. Below is a sample of some of the current email templates for banking (just one of many sectors available), found in InfoSec’s online library, which may be edited as needed.

Whether you create a fake phishing email of your own or adapt one of our templates, you can send these simulated emails directly from PhishSim. Email addresses of those being tested may be directly imported from all your employee records and different campaigns with various false phishing emails and recipient lists may be managed completely within PhishSim with the Campaigns Manager.


Organizations should provide their employees with a method to report phishing attempts. Many engineering firms do provide an email address for that purpose, but it is important that employees know the address. All members of the organization should be apprised of the email address and the procedures for sending the suspicious email.

It should be stressed to employees how important reporting is. This is the information used to create signatures for security devices and tools. Homeland Security, the FBI, Interpol, and other federal and state agencies maintain databases containing all of the information relating to these various attempts, including suspects’ names, metadata, affiliate organizations, and other relevant information. This information is often shared with other law enforcement agencies and some private organizations to help prevent and prosecute cyber-crime.

SecurityIQ offers a highly customized reporting environment, allowing you to track and analyze a series of fabricated “attacks” on your employees

The FTC has also requested current phishing attempts be reported to them. If the phishing scam includes another agency, they also request the attempt be reported to them as well. For example, the open enrollment scams are a current trend in phishing attempts. These attempts have tried to use the Medicare/Medicaid website. The FTC requests that a victim or attempted victim of this scam report it to both them and Medicaid. The same request was made for the IRS scams that have also become popular. If these types of phishing attempts are sent to an employee’s work address, the company may handle any additional reporting requirements for their employees. If so, the organization needs to inform their employees of the reporting requirements.


Phishing is a criminal act that shows no signs of slowing. IT security professionals must remain vigilant in monitoring, training, testing, and reporting these attacks, and novice employees need to take seriously the cybersecurity-related training they receive. Failure to thwart phishing activities could cost an IT worker his or her job, jeopardize a firm’s reputation and financial standing, or even lead to the demise of an organization.

InfoSec can assist with training of staff to counter phishing and other cyber threats. InfoSec’s PhishSim tool, tutorials, and advanced training provide a complete system for combating the ever-present threat of phishing.  Click here to create your account and get started in helping to fight the war against phishing.



Posted: December 27, 2017
Tyra Appleby
View Profile

Tyra Appleby is a CISSP certified lover of all things cybersecurity. After serving 4 years in the Navy as a Cryptologic Technician, she continued supporting various DoD and government agencies as a Systems Security Engineer. She has a passion for writing and research, particularly in the areas of Reverse Engineering and Digital Forensics. When she’s not working, you can find her at the beach with her Rottweiler Ava.