Don’t Fall for the Social Engineering Bait!

Expect social engineering attacks in all shapes, sizes and disguises! These attacks do not occur only through e-mail. The following are a few ways to identify social engineering attacks and their telltale signs:

  • Phishing isn’t limited to e-mail
    Cybercriminals also launch phishing attacks through phone calls, text messages, and online messaging applications. Don’t know the sender or caller? Does it seem too good to be true? It’s probably a phishing scam.
  • Know the signs
    Does an e-mail contain spelling and grammatical errors, a call to immediate action, or a request for sensitive or confidential information? It’s probably a phishing scam. If in doubt, call the sender at a trusted phone number to confirm the legitimacy of the message received.
  • Verify the sender
    Confirm the legitimacy of the sender’s e-mail address, and be suspicious of any e-mail that does not come from the sender’s usual contact point. Hovering over the sender’s address reveals the actual address behind the displayed one, so you can confirm that it has not been spoofed. For example, if you hover over a sender’s address which displays as chase.com, and the address that appears is chase@yahoo.com, the message is forged/spoofed.
  • Don’t be duped by aesthetics
    Phishing e-mails often contain convincing/familiar logos, links, legitimate phone numbers, and e-mail signatures of actual employees. However, exercise caution when any e-mail calls for urgent action or the disclosure of sensitive information. Look for the telltale signs of phishing before you click on any embedded elements or open any attachments. If in doubt, call the sender at a trusted phone number to confirm the legitimacy of the message received.
  • Never, ever share your passwords. Did we say never? Yup, never!
    Your passwords are identifying data, and the key to your data and the data of others to which you may have access. Remember, NYU IT will never ask for your login credentials.
  • Don’t talk to strangers!
    Receiving calls from people you don’t know? Are they asking you to provide information or making odd requests? Hang up or verify the legitimacy of the call by using a trusted phone number to contact the caller.
  • Don’t be tempted by abandoned flash drives
    Cybercriminals may leave flash drives lying around for people to pick up and use. When inserted into a device, the flash drives will install malware such as a keystroke logger, designed to steal credentials. You may be tempted to insert a found flash drive to find its rightful owner. Be wary; it could be a trap.
  • See someone suspicious? Say something
    If you notice someone suspicious walking around or “tailgating” someone to gain access to a locked area, call NYU Public Safety at 212-998-2222.

Suspected phishing messages may be reported to phishing@nyu.edu