The days of foreign princes wanting to give us millions of dollars via email are gone. Today, large, organized, international criminal syndicates make massive investments in methods to trick us into believing that we should click on links in innocent-seeming email messages. This is called social engineering—using deception to manipulate individuals into divulging confidential and/or personal information. Fortunately, some basic steps can help us avoid social engineering traps.
Following these three basic rules for reading email messages will dramatically reduce your risk of unknowingly falling victim to a social engineering trap.
Slow down – Take the time to determine if the message makes sense. At first glance, a message saying you need to reset your Facebook password (for example) may seem very reasonable. But pause to think before clicking, opening attachments, or entering confidential information. Does the request make sense? Has something changed that requires an action? If it doesn’t make sense, report the message or ignore it.
Pay attention to the details – Look at the message specifics. Does the sender’s email address match the purpose of the message? Be careful – sometimes the differences are subtle, like facebook.com vs. ffacebook.com. Do the links point to a site that makes sense within the context of the message? Do you know and trust the sender?
When in doubt, check it out – If you have any reason to question the message, take the time to verify before responding. Reach out directly to the sender or visit the site rather than clicking the link in the message. Not sure? You can always report the message by emailing informationsecurity@drake.edu and ITS will review it for you. The bottom line is, if you have any doubts, don’t respond directly or open links or attachments.
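The two "pay attention to the details" checks above (does the sender's domain match, and do the links go where they claim) can be automated as a first-pass screen. The script below is an added example, not something ITS provides; it assumes a small allow-list of expected domains (TRUSTED_DOMAINS), a similarity threshold of 0.85 for flagging look-alikes, and a simplified "last two labels" notion of a domain, and it runs on a constructed sample message built around the facebook.com vs. ffacebook.com case.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: domains a message is expected to come from or link to.
TRUSTED_DOMAINS = {"facebook.com", "drake.edu"}

# Constructed sample message modelled on the facebook.com vs. ffacebook.com case.
SAMPLE = """From: Facebook Security <security@ffacebook.com>
Subject: Reset your password
Content-Type: text/plain

Your password expires today. Reset it here: https://login.ffacebook.com/reset
"""

def registrable_domain(host):
    """Reduce a hostname to its last two labels (simplification; real code would use the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain that `domain` closely imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for candidate in trusted:
        # ratio() is 1.0 for identical strings; ffacebook.com vs facebook.com scores 0.96.
        if SequenceMatcher(None, domain, candidate).ratio() >= threshold:
            return candidate
    return None

def inspect_message(raw):
    """Check the sender's domain and every link's destination domain for look-alikes."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    findings = []
    sender_domain = registrable_domain(sender.rpartition("@")[2])
    target = lookalike_of(sender_domain)
    if target:
        findings.append(f"sender domain {sender_domain} resembles {target}")
    for url in re.findall(r"https?://[^\s\"'>]+", msg.get_payload()):
        link_domain = registrable_domain(urlparse(url).hostname or "")
        target = lookalike_of(link_domain)
        if target:
            findings.append(f"link {url} goes to {link_domain}, which resembles {target}")
    return findings

if __name__ == "__main__":
    for finding in inspect_message(SAMPLE):
        print("WARNING:", finding)
```

A message that passes this screen is not thereby safe; the point is to surface the subtle spelling differences the eye skips over, and anything flagged should still be reported rather than clicked.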
If we all follow these practices, we can protect ourselves and others and prevent social engineering attacks from succeeding.
ITS will be continuing phishing education this month using emails that mimic real attacks. A short training lesson will be assigned to any faculty and staff who repeatedly click links or open attachments in phishing emails, simulated or not.
— Information Technology Services