Detecting Socially-Engineered Messages
Download ACSC Protect: Detecting Socially-Engineered Messages (PDF), January 2018
First published 2012; updated January 2018
- Socially-engineered messages present a significant threat to individuals and organisations due to their ability to assist an adversary with compromising accounts, devices, systems or sensitive information. This document offers guidance on identifying socially engineered messages delivered by services such as email, SMS, instant messaging, or other direct messaging services offered by social media applications.
What are socially-engineered messages?
- Socially-engineered messages are messages sent by an adversary as part of spear-phishing campaigns. Socially-engineered messages attempt to direct users into performing specific actions such as opening an attachment, visiting a website, revealing account credentials, providing sensitive information or transferring money.
- To increase the likelihood of users performing the adversary’s desired actions, an adversary will often go to lengths to make their messages appear as if they are legitimate and from a relevant and trustworthy source. As a result, socially-engineered messages are likely to be work-related, infer a sense of urgency or target a specific interest of users. They may also appear to come from someone known to users such as a colleague, senior manager or authoritative part of their organisation (e.g. the information technology, human resources or finance areas).
Who do socially-engineered messages target?
- While socially-engineered messages can be received by anyone, an adversary often prioritises the targeting of certain users due to either their profile, access to sensitive information, ability to make changes to systems, authority to undertake risky business activities (such as transferring large sums of money) or their job’s requirement to routinely interact with unfamiliar people. Broadly, this can include:
- high-profile individuals (McAfee: Twitter Accounts of US Media Under Attack by Large Campaign)
- senior managers and their staff
- system administrators
- staff members from human resources, sales, marketing, finance and legal areas (CSO: Office 365 Phishing Attacks Create a Sustained Insider Nightmare for IT).
- It should be emphasised that other users should not consider themselves immune from being the recipient of socially-engineered messages. An adversary may message as many users as possible in the hope that at least one message will be successful.
How can socially-engineered messages be identified?
- While socially-engineered messages can be very convincing, there are things to look for to assist in differentiating them from legitimate messages. Users should consider the following questions:
- Do you recognise the sender?
- Are you expecting a message from them?
- Is the tone consistent with what you would expect from them?
- Is the sender asking you to open an attachment or access a website?
- Is the attachment or website relevant to the content of the message?
- Is the website asking you to login to either your email or social media accounts?
- Has a URL shortener been used to obfuscate the true website address?
- Is the sender asking you to perform a specific activity for them?
- Is the sender asking for information they wouldn’t necessarily have a need to know?
- Is the message suspiciously written?
- Do you recognise the sender?
Is the sender asking you to open an attachment or access a website?
- When messages contain links to websites, users should browse to the website themselves rather than clicking on the link in the message or directly copying or typing the link into a web browser. An adversary can use a number of techniques (such as single letter substitutions) to either obfuscate or trick users into accessing a malicious website that they think is legitimate. Never enter credentials into websites if directed there by a link in a message (Express: Gmail Scam).
- When opening attachments from messages, users should be cautious and exercise judgment. If unsure, use a known out-of-band contact method for the sender (for example, a phone number) to confirm their intent to attach files to their message.
Is the sender asking you to perform a specific activity for them?
- Often an adversary will be unable to achieve their goals without interacting with users. This may be due to existing security controls or the complex nature in which an adversary is attempting to compromise a system. For example, if Microsoft Office macros are disabled an adversary may provide users with step-by-step instructions on how to enable them in order for their malicious code to execute when the user opens a Microsoft Word document. Users should treat any requests to change the configuration of systems or perform specific actions as highly suspicious.
- Alternatively, a form of social engineering known as CEO fraud involves an adversary masquerading as an organisation’s CEO and requesting large transfers of money, often when they know the actual CEO will be uncontactable and unable to refute the request (CSO: CEO Fired After 'Fake CEO' Email Scam Cost Firm $47 Million).
Is the sending asking for information they wouldn’t necessarily have a need to know?
- One of the easiest ways of performing social engineering is for an adversary to simply ask users for the information they want by exploiting user’s natural desire to be helpful. Often an adversary will masquerade as someone users might expect to have a legitimate requirement to access the information being asked for. For example, a colleague asking for copies of documents that they accidentally deleted. Alternatively, an adversary may choose to masquerade as someone that users may not necessarily know but could be reasonably expected to have a requirement to access the information they are requesting, such as a new starter with the information technology help desk or a staff member working on the same project but from a different office.
- Users should never disclose credentials such as passwords to other people. Furthermore, users should be suspicious of any requests for sensitive information from people that they do not interact with on a regular basis. Even if users know the person requesting sensitive information, they should still consider whether that person has a legitimate need to know that information, as malicious insiders often leverage their contacts in order to gather information or privileges they shouldn’t have access to (Reuters: Snowden Persuaded Other NSA Workers to Give Up Passwords).
Is the message suspiciously written?
- While an adversary may go to lengths to make their messages appear as if they were legitimate and from a relevant and trustworthy source, another adversary may lack the skills or motivation to do so. Incorrect spelling and capitalisation, abnormal tone and language, or the absence of a specific addressee can indicate that a message is likely to be a socially-engineered message.
How should socially-engineered messages be handled?
- If you suspect that you’ve received a socially-engineered message, do not delete or forward it. Contact your organisation’s information technology help desk or security team and seek advice on how to proceed.
- The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.
- The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.
- Organisations or individuals with questions regarding this advice can contact the ACSC by emailing firstname.lastname@example.org or calling 1300 CYBER1 (1300 292 371).