Phishing, the practice of sending fraudulent emails in order to induce recipients into surrendering private information and login credentials, is the single most common type of cybercrime today. According to a recent report by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), nearly one-third of complaints received in 2020 were about various forms of phishing (including email phishing, voicemail phishing, text phishing, social media phishing, and fake-website redirects). The prominence of phishing cybercrime indicates that individuals are typical targets for cybercrime, and these attacks are an entry point for large-scale attacks on organizational infrastructure.
A common element in phishing attacks targeting individuals is social engineering, in which criminals manipulate people by exploiting their psychology and emotions. Common social engineering tactics include offering an enticement to the recipient (e.g., a bonus, a gift card, or a raise), demanding personal information to avoid a punishment or penalty (e.g., cancelation of a service, a hold on a payment, or even arrest), or making an urgent request for help while posing as a trusted entity (e.g., your colleague has been mugged abroad and needs you to send them a gift card immediately). Typically, social engineering attempts to induce quick action by communicating a sense of urgency. Whenever you see urgent requests for your personal information, login credentials, money, or gift cards, be on guard. The sender is likely trying to use social engineering to manipulate you. Furthermore, requests for gift cards are themselves almost certain signs of criminal activity.
Phishing and social engineering messages share some common characteristics, including unknown senders, suspicious email domains, poor grammar and spelling, misspelled hyperlinks, threats of consequences for inaction, and other unusual elements that may make you feel that something’s not quite right. Trust that feeling. Slow down, stay calm, remain skeptical, and don’t fall for the cybercriminal’s tricks.
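The red flags listed above can be checked mechanically as well as by eye. The script below is an added illustration, not part of the OIS article or any WashU tooling: it parses a constructed sample message and reports which of the article's warning signs it exhibits (a sender domain that imitates the organisation's, a Reply-To routed elsewhere, link text whose displayed domain differs from the real href, urgency wording, and gift-card requests). The trusted-domain set, the keyword lists and the sample email are assumptions made for the demonstration; a mail gateway or security team would maintain its own lists.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for the demonstration; it is not a real phishing email.
SAMPLE_EMAIL = """\
From: "WashU IT Help Desk" <helpdesk@wustl-support-login.com>
Reply-To: account-verify@example-mailbox.net
To: staff@wustl.edu
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html

<html><body>
<p>Your mailbox is over quota and will be suspended unless you verify immediately.</p>
<p><a href="http://wustl-support-login.com/verify">https://accounts.wustl.edu/verify</a></p>
<p>If the link fails, buy two gift cards and reply with the codes.</p>
</body></html>
"""

# The organisation's own domains (assumed here; a real deployment loads these from config).
TRUSTED_DOMAINS = {"wustl.edu"}
# Wording the article associates with manufactured urgency and with gift-card scams (assumed lists).
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "will be suspended", "final notice")
GIFT_CARD_TERMS = ("gift card", "gift cards")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable_domain(host: str) -> str:
    """Reduce 'accounts.wustl.edu' to 'wustl.edu' (naive: keep the last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_mismatches(html: str) -> list:
    """Return (shown, actual) pairs where the visible URL's domain differs from the href's."""
    mismatches = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if not shown.lower().startswith(("http://", "https://")):
            continue  # anchors like "click here" display no domain to compare against
        shown_host = urlparse(shown).hostname or ""
        href_host = urlparse(href).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(href_host):
            mismatches.append((shown, href))
    return mismatches


def analyze(raw_email: str) -> dict:
    """Map each red-flag name to the evidence found; an empty dict means no flag fired."""
    msg = message_from_string(raw_email)
    flags = {}
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = registrable_domain(sender.rpartition("@")[2])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    # 1. Sender domain is not ours; flag separately when it imitates our name (lookalike).
    if sender_domain not in TRUSTED_DOMAINS:
        flags["untrusted_sender"] = sender_domain
        if any(t.split(".")[0] in sender_domain for t in TRUSTED_DOMAINS):
            flags["lookalike_sender"] = sender_domain
    # 2. Replies are routed to a different domain than the one the mail claims to come from.
    if reply_to and registrable_domain(reply_to.rpartition("@")[2]) != sender_domain:
        flags["reply_to_mismatch"] = reply_to
    # 3. Displayed link text points somewhere other than the real href.
    mismatched = link_mismatches(body)
    if mismatched:
        flags["link_mismatch"] = mismatched
    # 4. Urgency wording and 5. gift-card requests in subject or body.
    urgency = [t for t in URGENCY_TERMS if t in text]
    if urgency:
        flags["urgency"] = urgency
    gift = [t for t in GIFT_CARD_TERMS if t in text]
    if gift:
        flags["gift_card_request"] = gift
    return flags


if __name__ == "__main__":
    for name, evidence in analyze(SAMPLE_EMAIL).items():
        print(f"{name}: {evidence}")
```

Run against the sample, every one of the five checks fires; run against a plain internal note from a wustl.edu address, none do. The link check is the one that a reader cannot do from the rendered message alone, which is why hovering over links (or inspecting the raw source) is worth the extra second the article asks you to take.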
The infographic below offers a brief overview of social engineering red flags. Many of these red flags are common to phishing messages in general. This handy guide serves as a good reminder to stay vigilant against phishing of all types and manipulative criminal attempts employing social engineering. The Office of Information Security (OIS) encourages you to print it out and hang it on the wall as helpful office décor!
Please also refer to the video below and articles from the OIS for more information about phishing and social engineering.
- Social Engineering Red Flags Downloadable PDFs (https://wustl.box.com/s/n9kmetbazlubv5rjpnj6jkn04i7m2wm8)
- Protect Yourself from Social Engineering (https://informationsecurity.wustl.edu/protect-yourself-from-social-engineering/)
- Practical Advice for Avoiding Phishing Emails (https://informationsecurity.wustl.edu/infographic-practical-advice-for-avoiding-phishing-emails/)
- Phishing, Gil the Phish Drops the Bait (https://informationsecurity.wustl.edu/topics/phishing/)
Thank you for helping keep WashU secure.