How to Avoid Social Engineering Attacks

February 4, 2021

One of the most-attended sessions of the recent Information Security virtual workshop focused on social engineering. In the presentation, Omer Usmani, Senior Security Analyst with the California Community Colleges Information Security Center, covered some common methods of social engineering attacks and what to do if you suspect you have been targeted.

A social engineering attack is an attempt by a bad actor to take advantage of an unsuspecting person in order to obtain confidential information, or the means to access that information.

Phishing Emails

Phishing is a tactic used in 85 percent of social engineering attacks, according to the 2020 Verizon Data Breach and Investigations Report. Though phishing takes many forms, it is most commonly associated with deceptive emails designed to trick the receiver into providing confidential information or inadvertently downloading malicious software.

To avoid getting phished, be wary of clicking links in unsolicited emails, especially those that imply a sense of urgency in regard to passwords or account information. Notice whether the messaging contains grammatical errors, or if URLs have misspellings or an incorrect extension, such as .com where a .edu would be expected.
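The URL checks described above (a misspelled domain, or a .com where a .edu was expected) can be applied mechanically before anyone clicks. The following is an added example, not code from the article or the workshop: it assumes a list of domains the organization actually uses (here `butte.edu` and `cccco.edu`, as a constructed list), pulls every URL out of a constructed sample message, and reports whether each one is trusted, uses the wrong extension, is one typo away from a real domain, or hides a real domain name inside someone else's domain.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumption for this example: the domains the organization legitimately uses.
TRUSTED_DOMAINS = {"butte.edu", "cccco.edu"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """'login.butte.edu' -> 'butte.edu'. Takes the last two labels, which is
    adequate for .edu/.com; a public-suffix list is needed for e.g. .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, explanation) for a single URL."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown", "no hostname"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"{domain} is an expected domain"
    name, _, tld = domain.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        t_name, _, t_tld = trusted.rpartition(".")
        # butte.com where butte.edu was expected
        if name == t_name and tld != t_tld:
            return "wrong-extension", f".{tld} used where .{t_tld} was expected ({trusted})"
        # butte.edu.example.com: the trusted name used as a subdomain of another domain
        if f".{trusted}." in f".{host}.":
            return "embedded-trusted-name", f"{trusted} appears inside untrusted domain {domain}"
        # buttee.edu / butt.edu / butfe.edu: one character away from the real name
        if edit_distance(name, t_name) == 1:
            return "lookalike", f"{domain} is one edit away from {trusted}"
    return "unknown", f"{domain} is not a known organizational domain"


def scan_message(text: str) -> list[tuple[str, str, str]]:
    """Extract every URL from a message body and classify it."""
    return [(u, *classify_url(u)) for u in URL_RE.findall(text)]


# Constructed sample message for this example (not from a real campaign).
SAMPLE = """Your password expires in 2 hours! Reset it now at
https://login.butte.edu/reset or use our backup portal http://butte.com/reset
Having trouble? Try https://buttee.edu/account or https://butte.edu.example.com/login
Unsubscribe: https://example.org/unsub"""

if __name__ == "__main__":
    for url, verdict, why in scan_message(SAMPLE):
        print(f"{verdict:22} {url}  ({why})")
```

The "unknown" verdict is deliberately not "safe": a domain the organization has never heard of deserves the same caution as an obvious lookalike, and the urgency wording in the sample ("expires in 2 hours") is itself a signal independent of the URLs.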

Smishing Texts

Smishing attacks use phishing techniques to obtain confidential information — such as account numbers or passwords — through a text message. The message might, for example, persuade the target to contact "customer support" by phone, download a malicious application, or click a link and fill out an online form.

Smishing attacks can be avoided by doing a bit of legwork. Before trusting that the phone number or URL provided is legitimate, go directly to the organization’s website and verify that the contact information matches. Similarly, if you were not expecting a delivery from a specific provider, don’t click the tracking link in the text message. Check the status of a shipment by entering the tracking number directly into your browser’s search field.

Vishing Phone Calls

Vishing is a form of social engineering in which an attacker may use ID spoofing to make it look like an incoming call is from a valid phone number. Another vishing tactic involves impersonation to fool the target into thinking they are speaking to someone from a legitimate organization.

Prevention here is simple: Avoid taking calls from unknown phone numbers and never give out personal or confidential information over the phone.

Be Alert

Training to avoid becoming the victim of a social engineering attack is one of many information security topics covered in the Securing the Human training modules available in the Vision Resource Center. Technology Center employees who have a Butte College email address can access the training modules by logging into the VRC here.

If you suspect you have been targeted or become a victim of a social engineering attack, alert your network administrator immediately.