2. Purpose
The purpose of this training is to educate users about social engineering, with a focus on phishing.
▸ After this training, you will be able to identify and report phishing attacks.
▸ You will also be able to apply good practices when on the web.
4. According to GOOGLE
2.02 million phishing websites have been registered since the start of 2020.
www.forbes.com

Phishing websites in Google's figures, as reported by Forbes, at four points in 2020:

Month      Date        Phishing websites
February   02-FEB-20   41,320
March      01-MAR-20   53,731
April      19-APR-20   55,008
May        10-MAY-20   58,538
6.
“Fraudsters are exploiting the opportunity to steal the Personally Identifiable Information (PII), financial information, and even medical information of those looking for knowledge, protection, and treatment for the viral infection.”
8.
“More than 700 fake websites mimicking Netflix and Disney+ signup pages have been created seeking to harvest personal information from consumers during the coronavirus lockdown streaming boom.”
www.theguardian.com
9. ▸ Cybercriminals are also impersonating official bodies such as HMRC and the World Health Organization in scam text messages and emails in an attempt to exploit the coronavirus outbreak.
www.theguardian.com
10. Deceptive Websites – Fake Site
EXAMPLE
▸ The fake website's URL is “uk-covid-19-relieve.com”.
www.fullfact.org
11. Deceptive Websites – Real Site
EXAMPLE
▸ The real government website is under the “gov.uk” domain (for example www.gov.uk), not a “.com” address. Look at the domain the browser actually connects to, not at the words on the page or in the link text: “gov.uk” appearing in the middle of a longer hostname, or in the path after the hostname, does not make the site official.
www.fullfact.org
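To make that check mechanical, here is an added example in Python (it is not from the training deck or from fullfact.org): it extracts the hostname a browser would actually connect to and decides whether that hostname is under gov.uk. Apart from the two addresses named on these slides, the sample URLs are constructed, and the only official suffix the code knows is gov.uk.

```python
"""Decide whether a link really points at a GOV.UK site.

Added example, not from the training deck. The only official suffix used is
gov.uk, which the slides name; the other sample URLs are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

OFFICIAL_SUFFIXES = ("gov.uk",)   # registered domains treated as official


def hostname_of(url: str) -> Optional[str]:
    """Return the lower-cased hostname a browser would connect to, or None.

    urlsplit() takes the authority after any user:pass@ part, so
    'https://gov.uk@evil.example/' yields 'evil.example', and the path is
    ignored, so 'http://evil.example/www.gov.uk/' yields 'evil.example' too.
    """
    if "://" not in url:               # 'www.gov.uk/x': browsers assume a scheme
        url = "https://" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def is_under(host: str, suffix: str) -> bool:
    """True if host is the suffix itself or a subdomain of it.

    The leading dot matters: 'hmrc-gov.uk' must not count as under 'gov.uk'.
    """
    return host == suffix or host.endswith("." + suffix)


def squash(name: str) -> str:
    """Drop dots and hyphens so look-alikes such as 'gov-uk' compare equal to 'gov.uk'."""
    return name.replace(".", "").replace("-", "")


def looks_like(host: str, suffix: str) -> bool:
    """True if the official name is embedded in the host, e.g. 'www.gov.uk.covid-relief.com'."""
    return squash(suffix) in squash(host)


def classify(url: str) -> str:
    host = hostname_of(url)
    if host is None:
        return "invalid"
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious: internationalised (punycode) hostname, possible look-alike"
    for suffix in OFFICIAL_SUFFIXES:
        if is_under(host, suffix):
            return "official"
    if any(looks_like(host, s) for s in OFFICIAL_SUFFIXES):
        return "suspicious: contains an official name but is not under it"
    return "unofficial"


if __name__ == "__main__":
    for u in ("https://www.gov.uk/coronavirus",             # real site from the slide
              "uk-covid-19-relieve.com",                    # fake site from the slide
              "https://www.gov.uk.covid-relief.com/apply",  # constructed look-alike
              "https://gov.uk@evil.example/",               # constructed userinfo trick
              "http://evil.example/www.gov.uk/login"):      # constructed path trick
        print(f"{classify(u):<60} {u}")
```

The classifier deliberately refuses to be fooled by the official name appearing anywhere other than at the end of the hostname, which is where the domain registration actually lives; everything to the left of it is chosen freely by whoever registered the right-hand part.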
13. Social Engineering Techniques covered in this training
▸ Pretexting
▸ Quid Pro Quo
▸ Honeytrap
▸ Baiting
▸ Phishing
▸ Water-Holing
▸ Tailgating
▸ Spear Phishing
14.
“Hi there, regarding my purchase, I have to go to California, my sister has mental health issues so I'll be there for a couple of days. It will be very helpful if you send this item to the new address (see attachment). Kind regards.”
15. Pretexting
Pretexting is a type of social engineering attack that involves a situation, or pretext, created by an attacker in order to lure a victim into a vulnerable situation and to trick them into giving private information, specifically information that the victim would typically not give outside the context of the pretext.
www.wikipedia.org
16. Examples of Pretexting
▸ Pretexting is a form of social engineering used to manipulate victims into divulging sensitive information. The message on the previous slide is a typical pretext: a plausible personal story, a request to change where a purchase is delivered, and an attachment that supposedly carries the “new address”. Pay attention to generic greetings (“Hi there”, “Dear customer”) and to any request to change delivery, payment or contact details.
www.wikipedia.org
17. How to avoid Pretexting
▸ Avoid sharing personal information on social media. If you have already shared it, request to have it taken down.
▸ If you receive a suspicious message, verify it through a channel you already trust: call the organisation on the number printed on your card or statement, or log in by typing its address yourself, rather than replying to the message or using the contact details it gives.
▸ Do not click on links sent by email; go to the website by typing a known address or using a bookmark instead.
▸ Do not disclose personal information or passwords to anyone if you are uncertain who is asking. No legitimate support desk needs your password.
▸ Decline unsolicited offers of help from a company if you did not ask for assistance.
▸ Find out who has access to your data at work and ensure that it is secured.
▸ Do not open emails or attachments from an unknown source.
▸ Secure your computer by installing anti-virus software, email spam filters and firewalls, and keep them updated.
Tip 1
www.osgusa.com
18. Quid Pro Quo
Quid pro quo attacks promise a benefit in exchange for information. This benefit usually takes the form of a service.
www.wikipedia.org
19. Examples of a Quid Pro Quo
▸ Fraudsters contact random individuals, tell them there has been a computer problem on the caller's end, and ask those individuals to confirm their personal information, all for the purpose of committing identity theft.
www.tripwire.com
20. How to avoid Quid Pro Quo
▸ Invest in modern antivirus and antimalware software that will help prevent and manage potential intrusions.
▸ Evaluate email filtering software that can identify and remove phishing attacks before they reach an employee's inbox.
▸ Social engineering attacks rely on the naivety or gullibility of staff. Provide regular security awareness training that outlines the common tactics and strategies criminals use, and make clear that no genuine IT helpdesk will ever ask for a password.
▸ Conduct frequent social engineering assessments (simulated phishing emails and pretext phone calls, as part of penetration testing) to gauge how well your employees are prepared to handle these attacks.
▸ Shred company records or any documentation that includes names or employee information. Consider using trash receptacles or dumpsters with locking mechanisms.
Tip 2
www.everfi.com
21. Honeytrap
An investigative practice involving the use of romantic or sexual relationships for interpersonal, political (including state espionage), or monetary purposes. The honey pot or trap involves making contact with an individual who has information or resources required by a group or individual.
www.wikipedia.org
22. Example of a Honeytrap
The trapper will seek to entice a target into a false relationship (which may or may not include actual physical involvement) in which they can glean information or influence over the target.
▸ Sarah Cook was overjoyed when she met someone she thought was special on a dating site. Mrs Cook (not her real name), 52, felt she had developed a genuine connection with a US soldier serving in Iraq and was only too happy to help him out when he needed money. But her dreams were shattered when Ghanaian police arrested 31-year-old Maurice Asola Fadola, who they suspected of posing as the soldier and conning Mrs Cook out of £271,000.
www.wikipedia.org | www.independent.co.uk (image: www.thispersondoesnotexist.com)
23. How to avoid a Honeytrap
▸ Be patient and willing to question yourself. Scams create a sense of urgency and present the situation as one where hesitation means a huge lost opportunity, to push you into a quick decision.
▸ Urgency combined with an emotional appeal is a sure sign of a scam in motion, designed to tempt you into a wrong decision.
▸ Any offer that sounds too good to be true, especially one that comes with a sense of urgency, is usually a scam. Never send money to someone you have only met online, and be wary when a new contact always has a reason not to meet in person or on video.
Tip 3
www.opiniown.com
24. Baiting
Baiting attacks use a false promise to pique a victim's greed or curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.
25. Baiting
The most reviled form of baiting uses physical media to disperse malware.
▸ Attackers leave the bait, typically malware-infected flash drives, in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The drive only does harm once a curious finder plugs it into a work computer.
www.imperva.com
26. How to avoid Baiting
▸ Alertness and awareness will serve you well and protect you against baiting and other social engineering attacks. Never plug in a USB drive or other media that you found or were given unsolicited; hand it to your security team instead.
▸ Keep your antivirus and antimalware software and its security settings up to date so it flags potentially harmful and malicious files.
▸ Before entering anything into a website, check the address, not just the lock icon. The padlock in Google Chrome and other browsers only tells you that the connection is encrypted and that the certificate matches the name in the address bar; fraudsters obtain valid certificates for their look-alike domains too, so a padlock on “uk-covid-19-relieve.com” proves nothing about who runs it.
▸ Scan your computer regularly to further protect yourself against these cyber threats and help improve your cybersecurity hygiene.
Tip 4
www.keepnetlabs.com
27. Phishing!
A social engineering attack using a fake e-mail, often with a theme, to elicit interaction (clicking a link or opening an attachment) in order to deposit malware on the target system or to harvest credentials.
www.hhs.gov
28. Example of Phishing
Phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. They then prod the victim into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.
▸ An email sent to users of an online service alerts them of a policy violation requiring immediate action on their part, such as a required password change.
▸ It includes a link to an illegitimate website, nearly identical in appearance to the legitimate one, prompting the unsuspecting user to enter their current credentials and a new password. When the form is submitted the information is sent to the attacker. The link text usually shows the genuine address while the link itself points elsewhere, which is why hovering over a link (or viewing the message as plain text) reveals the real destination.
www.imperva.com
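The mismatch between what a link says and where it goes can be checked automatically. The following is an added example in Python, not code from the training deck or from Imperva: it pulls every link out of an HTML message and flags those whose visible text names one host while the href points at another, plus links to bare IP addresses and script/data URLs. The sample message is constructed; “secure-login.example” (the brand being imitated), “accounts-portal.example” (the harvesting site) and the address 203.0.113.7 are all made up for illustration.

```python
"""Flag links in an HTML e-mail whose visible text says one destination while
the href points at another, the trick the credential-harvesting phish relies on.

Added example, not from the training deck or from any product it cites. The
sample message is constructed; 'secure-login.example', 'accounts-portal.example'
and 203.0.113.7 (a documentation address) are made-up destinations.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A hostname-looking token in visible text, e.g. "secure-login.example" inside a URL.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def audit_links(html: str):
    """Return [(href, visible text, reason)] for every link that deserves suspicion."""
    p = LinkCollector()
    p.feed(html)
    p.close()
    findings = []
    for href, text in p.links:
        parts = urlsplit(href.strip())
        host = (parts.hostname or "").lower()
        if parts.scheme in ("javascript", "data"):
            findings.append((href, text, "script or data URL inside a mail"))
            continue
        if not host:                        # relative or mailto: link, nothing to compare
            continue
        if IPV4_RE.match(host):
            findings.append((href, text, "link target is a bare IP address"))
        shown = HOST_RE.search(text)
        if shown:
            shown_host = shown.group(1).lower()
            # Text "example.com" pointing at "www.example.com" is fine; anything else is not.
            if shown_host != host and not host.endswith("." + shown_host):
                findings.append((href, text, f"text shows {shown_host} but target is {host}"))
    return findings


# Constructed sample of the password-reset lure described above.
SAMPLE_MAIL = """\
<p>Dear customer,</p>
<p>A policy violation was detected on your account. Reset your password within
24 hours at <a href="https://accounts-portal.example/reset?u=4711">https://secure-login.example/reset</a>
or your account will be suspended.</p>
<p>Questions? See <a href="https://secure-login.example/help">https://secure-login.example/help</a>.</p>
<p><a href="http://203.0.113.7/login">Log in now</a></p>
"""

if __name__ == "__main__":
    for href, text, why in audit_links(SAMPLE_MAIL):
        print(f"{why}: '{text}' -> {href}")
```

Run against the sample, the reset link is reported because its text shows secure-login.example while the target is accounts-portal.example, the help link passes because text and target agree, and the final link is reported for pointing at a raw IP address. The same logic is what a mail gateway applies before rewriting or stripping links.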
29. How to avoid being Phished
▸ Know what a phishing scam looks like
▸ Don't click on that link; type the address or use a bookmark instead
▸ Use your browser's built-in anti-phishing protection and reputable anti-phishing add-ons
▸ Don't give your information to a site you have not verified; a padlock alone does not make it safe
▸ Use a different password for every account (a password manager helps) and turn on multi-factor authentication; change a password immediately if you think it has been phished
▸ Don't ignore those updates
▸ Install firewalls
▸ Don't be tempted by those pop-ups
▸ Don't give out important information unless you must
▸ Have a Data Security Platform to spot signs of an attack
Tip 5
www.lepide.com
30. Water Holing
Water holing is a targeted social engineering strategy that capitalizes on the trust users have in websites they regularly visit. ... This strategy has been successfully used to gain access to some (supposedly) very secure systems. The attacker may set out by identifying a group or individuals to target.
www.wikipedia.org
31. Water Holing
This is a social engineering attack that takes advantage of the amount of trust that users give to websites they regularly visit, such as interactive chat forums and exchange boards.
▸ Users on these websites are more likely to let their guard down and behave carelessly.
▸ These websites are referred to as watering holes because hackers trap their victims there, just as predators wait to catch their prey at watering holes.
▸ Hackers exploit any vulnerabilities on the website, take control of it, and then inject code that infects visitors with malware or redirects clicks to malicious pages. The visitor does nothing unusual; simply loading a page they trust is enough.
www.imperva.com | www.ncsc.gov.uk
32. Water Holing – OceanLotus Example
A watering hole campaign targeting several websites in Southeast Asia ran in 2018 and 2019. This campaign, believed to have been run by the OceanLotus group, was very large in scale: over 20 compromised websites were found, including those of the Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia, and several Vietnamese news and blog outlets.
The attackers added a small piece of malicious code to the compromised websites which checked visitors' locations; only visitors from Vietnam and Cambodia received the malware, so a casual check from elsewhere would have seen a clean page.
www.securitytrails.com
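The defining step in the campaign above is a small script added to pages the site owner did not change. A site owner can catch that by keeping an inventory of the scripts each page legitimately loads and diffing a fresh copy against it. The following is an added example in Python, not code from the training deck or from the OceanLotus reports it cites: it records the origin of every external script and a SHA-256 digest of every inline script, then reports anything new. The two HTML documents are constructed, and “cdn-metrics.example” is a made-up host standing in for an attacker-controlled one.

```python
"""Spot scripts injected into a web page you publish, by comparing the script
inventory of a freshly fetched copy with a known-good baseline.

Added example, not from the training deck or from the OceanLotus reports it
cites. The two HTML documents are constructed; 'cdn-metrics.example' is a
made-up host standing in for an attacker-controlled one.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptInventory(HTMLParser):
    """Collect external script origins and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()   # "scheme://host" for each <script src=...>
        self.inline = set()     # sha256 hex digest of each inline script body
        self._inline_buf = None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self._inline_buf = []              # start capturing an inline body
            return
        u = urlsplit(src)
        if u.hostname is None:                 # relative path: served from our own origin
            self.external.add("(same-origin)")
        else:
            self.external.add(f"{u.scheme or 'https'}://{u.hostname.lower()}")

    def handle_data(self, data):
        if self._inline_buf is not None:
            self._inline_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline_buf is not None:
            body = "".join(self._inline_buf).strip().encode("utf-8")
            self.inline.add(hashlib.sha256(body).hexdigest())
            self._inline_buf = None


def inventory(html: str) -> ScriptInventory:
    p = ScriptInventory()
    p.feed(html)
    p.close()
    return p


def diff_scripts(baseline_html: str, current_html: str):
    """Return (new external origins, new inline-script digests) versus the baseline.

    An empty result means no script was added or modified. Removed scripts are
    not reported, since a removal cannot infect visitors.
    """
    base, cur = inventory(baseline_html), inventory(current_html)
    return sorted(cur.external - base.external), sorted(cur.inline - base.inline)


# Constructed baseline snapshot of the page, as recorded at publication time.
BASELINE = """<html><head>
<script src="/static/app.js"></script>
<script>window.siteConfig = {lang: "km"};</script>
</head><body><h1>Press releases</h1></body></html>"""

# Constructed "after compromise" copy: one added external loader and one added
# inline script that looks at the visitor's language before doing anything else.
COMPROMISED = BASELINE.replace(
    "</head>",
    '<script src="https://cdn-metrics.example/v.js"></script>\n'
    '<script>if (navigator.language.indexOf("vi") === 0) { /* language-specific branch */ }</script>\n'
    "</head>")

if __name__ == "__main__":
    new_ext, new_inline = diff_scripts(BASELINE, COMPROMISED)
    print("new external script origins:", new_ext)
    print("new inline scripts (sha256):", new_inline)
```

Because the injected code in the real campaign only misbehaved for visitors from two countries, a check that merely browses the site from an analyst's desk can miss it; comparing the delivered HTML against a baseline does not depend on where the fetch comes from, though a careful attacker can also serve different HTML by region, so the fetch should be made from the same vantage points as the intended audience.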
33. How to avoid Water Holing
▸ Keep all your systems, software and operating systems updated to the latest version with all vendor patches applied. Browsers and their plugins matter most, since a watering hole infects visitors through the browser that loads the page.
▸ Invest in advanced network security tools, such as solutions that use network traffic analysis and inspect suspicious websites, in order to spot attackers attempting to move laterally across the network and exfiltrate data.
▸ Practice makes perfect, so make sure that security awareness training covers all current threats to your organization, which should definitely include watering hole attacks.
▸ If you publish a website, monitor its pages for scripts you did not put there; an injected script is how a compromised site becomes a watering hole.
Tip 6
www.securitytrails.com
34. Tailgating Attack
A social engineering attempt by cyber threat actors in which they trick employees into helping them gain unauthorized access to the company premises.
35. Tailgating Attack
The attacker seeks entry into a restricted area where access is controlled by electronic (software-based) access control devices.
www.kratikal.medium.com
▸ A social engineer can pretend to be a delivery agent from an e-commerce company or someone from a food delivery service, holding boxes as an excuse to ask employees to open the door.
▸ The social engineer makes it look awkward to open the door themselves and asks any authorized person to help as a courtesy, gaining entry to the restricted premises.
36. How to avoid Tailgating Attacks
▸ Make sure to lock your system and other devices when leaving your work station.
▸ Do not let unknown people enter restricted premises of the office unless they have the appropriate credentials or authority of access; every person should badge in individually, even when walking in as a group.
▸ Never help strangers to access a secured location when they ask you to hold the door or say they are from a delivery service, unless you have confirmed they are permitted. Direct them to reception instead.
▸ Always keep your access identity card with you while you are on the premises and make sure it cannot be misused by others.
▸ Never insert stray or idle external devices like USB drives or memory cards into your system before getting them verified by the security administrator.
▸ Implement cybersecurity practices in your organization to prevent potential cyber risks.
▸ Provide cybersecurity awareness training to employees so they understand cyberattacks and how to recognize them.
Tip 7
www.kratikal.medium.com
37. Spear Phishing
Spear phishing is a phishing method that targets specific individuals or groups within an organization.
www.trendmicro.com
38. Spear Phishing
It is a potent variant of phishing, a malicious tactic which uses emails, social media, instant messaging, and other platforms to get users to divulge personal information or perform actions that cause network compromise, data loss, or financial loss.
▸ Spear phishing attackers perform reconnaissance before launching their attacks. One way to do this is to gather multiple out-of-office notifications from a company to determine how it formats its email addresses and to find opportunities for targeted attack campaigns.
▸ Other attackers use social media and other publicly available sources to gather information.
www.trendmicro.com
39. How to avoid Spear Phishing
▸ Educate your employees and conduct training sessions with mock phishing scenarios.
▸ Deploy a spam filter that detects viruses, blank senders, etc.
▸ Keep all systems current with the latest security patches and updates.
▸ Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
▸ Develop a security policy that includes, but isn't limited to, password rules (complexity and when passwords must be changed).
▸ Deploy a web filter to block malicious websites.
▸ Encrypt all sensitive company information.
▸ Convert HTML email into text-only email messages or disable HTML email, so that the real destination of every link is visible.
▸ Require encryption for employees who are telecommuting.
Tip 8
www.kratikal.medium.com
41. ______ million phishing websites have been registered since the start of 2020
a) 1.12 million
b) 2.02 million ✓
c) 5.9 million
d) 10 million
e) None of the above
42. More than 700 fake websites mimicked the following companies
a) Fox News
b) Disney ✓
c) Amazon
d) Netflix ✓
e) None of the above
43. Pretexting is…
a) a form of social engineering used to manipulate victims into divulging sensitive information. ✓
b) a new way to text.
c) a pre-filled form.
d) all of the above.
44. Quid Pro Quo is…
a) a promise of a benefit in exchange for information. ✓
b) a new way to text.
c) a French dessert.
d) Latin for hello.
e) None of the above
45. A Honeytrap is…
a) a way to collect honey from bees
b) a trap that involves making contact with an individual who has information or resources required by a group or individual. ✓
c) a new web app.
d) None of the above