Phishing: Social Engineering To Gain Personal Identifiable Information

June 17, 2018

The primary goal of a social engineer is to obtain computer information from a human target. The objective is to circumvent the controls and breach the system. Security experts consider this possible because of what is regarded as the weakest link in any security program: the user. The reason is that the user makes active decisions not to comply with the policies and procedures of an organization's security program.

Attackers use social engineering tactics to steal the credentials of unsuspecting users and then use those credentials to their own advantage. Attackers have found that tricking someone into giving them Personal Identifiable Information (PII) is much easier than attacking their bank account or other accounts. Most of the time phishing comes in the form of an email. Here are some things to be aware of before you respond to any email that requests personal information or banking, credit card or other credentials.

  • The FROM: field.
    • Is the email from someone you don’t know or have a working relationship with?
    • Is the sender from a business you don’t have dealings with, even though others in your workplace do?
    • If you know the sender, is it out of character for them to send a message of this nature?
    • Is it usual for the sender to include embedded hyper-links or attachments in their email?
  • The TO: field.
    • Was the email sent to a group of people you don’t know?
    • Was it sent to people you do know, but the mix is unusual? For example, everyone’s surname begins with 'M'.
  • The DATE: field.
    • What time did the email arrive? For example, its timestamp says 1:00 a.m., but you know the person who sent it is usually not up at that time of the morning.
  • The SUBJECT: field.
    • Does the subject align with the content of the message?
    • Is the subject irrelevant to you?
  • The MESSAGE: field.
    • Is the email poorly written and riddled with spelling and grammatical errors?
    • Are you asked to click a hyper-link or open an attachment?
    • Is the message illogical or nonsensical?
    • Is the topic inappropriate or irrelevant to you?
    • Does the email suggest that you look at something compromising or embarrassing?
    • When you hover your mouse over any hyper-link, is the link-to address different from the one written in the email? (The link-to address can be seen at the lower-left of your browser.)
    • Is the hyper-link the only content in the message?
    • Is the business name in the hyper-link spelled correctly?
    • Is there a reason for an attachment as part of the email?
    • Were you expecting an attachment to be sent?
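Several of the questions above can be checked mechanically before a message ever reaches a person. The script below is an added example and is not part of the original article: it runs a few of the checklist items (unknown sender domain, arrival outside office hours, link text that names a different site than the link target, presence of an attachment) over a raw email message. The sample message, the domains in it, the attachment and the "known sender" list are all constructed for illustration.

```python
"""Checklist-style triage of an email, run over a constructed sample message."""
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains this user actually does business with.
KNOWN_SENDER_DOMAINS = {"example.com", "partner.example"}

# Constructed sample. Sender domain, link target and attachment are made up.
SAMPLE_EMAIL = """\
From: "Account Services" <alerts@accounts-update.example>
To: user@example.com
Date: Tue, 12 Jun 2018 01:03:00 -0500
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details here:
<a href="http://accounts-update.example/login">https://www.mybank.example/login</a>
</p></body></html>
--XYZ
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by a URL-like string, or None when the text is just words."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host and "." in host else None


def registered_domain(host):
    """Crude registrable-domain approximation: the last two DNS labels."""
    return ".".join(host.split(".")[-2:])


def triage_email(raw, known_domains=KNOWN_SENDER_DOMAINS, office_hours=(7, 19)):
    """Apply the checklist to a raw RFC 822 message; return a list of findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # FROM: is the sender a domain we actually deal with?
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain not in known_domains:
        findings.append(f"unknown sender domain: {sender_domain}")

    # DATE: did it arrive at an unusual hour (in the sender's own timezone)?
    date = msg.get("Date")
    if date:
        hour = parsedate_to_datetime(str(date)).hour
        if not office_hours[0] <= hour < office_hours[1]:
            findings.append(f"sent outside office hours: {hour:02d}:00")

    # MESSAGE: does a link's visible text name a different site than its target?
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            shown, target = host_of(text), urlparse(href).hostname
            if shown and target and registered_domain(shown) != registered_domain(target.lower()):
                findings.append(f"link text shows {shown} but points to {target}")

    # MESSAGE: is there an attachment at all?
    for part in msg.iter_attachments():
        findings.append(f"attachment present: {part.get_filename()}")

    return findings


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print("-", finding)
```

The link check is the mechanical form of the "hover over the hyper-link" question: it only fires when the visible text itself looks like an address, so a link whose text is just "click here" produces no finding, and the registrable-domain comparison is a two-label approximation rather than a public-suffix lookup. The office-hours window and the known-domain list are the kind of per-user context a mail gateway would need to be told.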

Take a few minutes and check the email thoroughly

If you get an email from someone, or from a company or organization, you do not know or don't do business with, take a few minutes to examine the fields mentioned previously. If in doubt, even the slightest, delete the message. Don't take a chance on becoming a victim. After a while, with some experience, you will come to recognize these suspicious emails and handling them will become second nature. If you receive an email from someone you know and there is something that just doesn't seem "right", contact the sender and verify that they in fact sent this email to you.

About The Author

Steve Flanigan is an experienced I.T. Network Administrator with several years of Network Security and Administration experience in both Small to Mid-sized Business and Enterprise environments. He has contributed to technical publications and trains users to become more aware of security issues that can be a threat to network security.

Steve currently wears several hats, working as an I.T. Specialist at a college and a Network Administrator for NetAdminWorld, as well as being a blogger for NetAdminWorld and other I.T. organizations.

If you have any questions or comments, please use our Contact form.