How can socially engineered messages be identified?
While socially engineered messages can be very convincing, there are things to look for to assist in differentiating them from legitimate messages. Users should consider the following questions.
Is the sender asking you to open an attachment or access a website?
When messages contain links to websites, users should navigate to the website themselves rather than clicking on the link in the message, or copying or typing the link into a web browser. An adversary can use a number of techniques (such as single letter substitutions in a domain name) to obfuscate a link or to trick users into accessing a malicious website that they believe is legitimate. Never enter credentials into a website if directed there by a link in a message.
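The single letter substitutions mentioned above can also be checked for mechanically on the defender's side. The following is an added example, not part of the original guide: it compares each link's host against a constructed allowlist of domains the organisation actually uses (an assumption, as are the sample links) and flags hosts that are one character away from a trusted domain after folding common look-alike characters, or that embed a trusted name inside someone else's domain.

```python
"""Flag message links whose host is a look-alike of a domain users trust."""
from urllib.parse import urlparse

# Constructed allowlist (assumption): domains this organisation actually uses.
TRUSTED_DOMAINS = {"example.com", "portal.example.org"}

# Digits commonly substituted for visually similar letters (0->o, 1->l, 3->e, 5->s).
_DIGIT_FOLD = str.maketrans("0135", "olse")


def fold(label: str) -> str:
    """Normalise common visual substitutions so 'examp1e' and 'exarnple' compare as 'example'."""
    return label.lower().translate(_DIGIT_FOLD).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host. Simplification: production code should use the
    public suffix list so that suffixes such as co.uk are handled correctly."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'unknown', or a reason string describing why the host looks suspicious."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    if host in TRUSTED_DOMAINS or registrable(host) in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in sorted(TRUSTED_DOMAINS):
        # Trusted name used as a subdomain of somebody else's domain, e.g. example.com.evil.net.
        if ("." + trusted + ".") in ("." + host):
            return f"embeds trusted name {trusted}"
        # One substitution, insertion or deletion away from a trusted domain after folding.
        for candidate in (host, registrable(host)):
            if edit_distance(fold(candidate), fold(trusted)) <= 1:
                return f"look-alike of {trusted}"
    return "unknown"
```

A hit from this check is a prompt for the out-of-band confirmation the guidance recommends rather than proof of malice, since an unrelated legitimate domain can also sit one edit away from a trusted one.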
When opening attachments from messages, users should be cautious and exercise judgment. If unsure, use a known out-of-band contact method for the sender (e.g. a phone number) to confirm their intent to attach files to the message.
Is the sender asking you to perform a specific activity for them?
Often an adversary will be unable to achieve their goals without interacting with users. This may be due to existing security controls or the complex nature in which an adversary is attempting to compromise a system. For example, if Microsoft Office macros are disabled an adversary may provide users with step-by-step instructions on how to enable them in order for their malicious code to execute when the user opens a Microsoft Word document. Users should treat any requests to change the configuration of systems or perform specific actions as highly suspicious.
Alternatively, a form of social engineering known as CEO fraud involves an adversary masquerading as an organisation’s CEO and requesting large transfers of money, often at a time when they know the actual CEO will be uncontactable and unable to refute the request.
Is the sender asking for information they wouldn’t necessarily have a need to know?
One of the easiest ways of performing social engineering is for an adversary to simply ask users for the information they want, exploiting users’ natural desire to be helpful. Often an adversary will masquerade as someone users might expect to have a legitimate requirement to access the information being asked for, for example a colleague asking for copies of documents that they accidentally deleted. Alternatively, an adversary may choose to masquerade as someone that users may not necessarily know but who could reasonably be expected to have a requirement to access the information they are requesting, such as a new starter with the information technology help desk or a staff member working on the same project but from a different office.
Users should never disclose credentials such as passwords to other people. Furthermore, users should be suspicious of any requests for sensitive information from people that they do not interact with on a regular basis. Even if users know the person requesting sensitive information, they should still consider whether that person has a legitimate need to know that information, as malicious insiders often leverage their contacts in order to gather information or privileges they shouldn’t have access to.
Is the message suspiciously written?
While an adversary may go to lengths to make their messages appear as if they were legitimate and from a relevant and trustworthy source, another adversary may lack the skills or motivation to do so. Incorrect spelling and capitalisation, abnormal tone and language, or the absence of a specific addressee can indicate that a message is likely to be a socially engineered message.