Social engineering is a tactic our adversaries can use to gain access to our networks by targeting the users of those networks. “Hacking the human element,” as it is known in the cyber world, is a full-blown threat to the security of Department of Defense computer networks. Two common methods of social engineering attacks are phishing and spear phishing. Phishing is when an attacker pretends to be a legitimate, trustworthy entity and attempts to acquire your personal information, or trick you into opening a malicious link or file.
One example of this is when someone receives an email from a financial institution titled “Electronic Funds Transfer Notification” with an attachment called “Pay Receipt.pdf.” Do not open this attachment. Did the email actually come from your bank? Did you ever give the bank your government email address? This is likely a clever attempt to get you to open a malicious file.
Spear phishing is when communications are more personalized to the victim. The attacker may use the victim’s name, or appear to be someone known to the victim.
An example of this is when you receive a digitally unsigned email from a trusted friend or supervisor notifying you of an important policy change that requires your immediate attention. The email includes attachments. Be wary…this could be a Spear Phishing attempt! AFMAN 17-1201 directs that emails containing an embedded hyperlink and/or attachment must be digitally signed with a CAC digital signature.
If you suspect you are the target of Phishing or Spear Phishing, you should report it by clicking the “Help Desk” icon on your computer desktop which will open the virtual Enterprise Service Desk application. After reporting the threat, delete the suspicious email. If you are unsure if the communication may or may not be legitimate, contact the sender to verify.
Many of us routinely send and receive sensitive information and it is important to remain vigilant when dealing with such information. While our computers may be protected with the best security measures the Department of Defense has to offer, it’s easy to take security for granted. Keep your guard up! Always know who is asking, why they’re asking, and what they’re asking for. As always, if you’re unsure about an email or message you receive, talk to your security manager for guidance. Maintain a strong information security posture and do your part to keep Ramstein “Cyber Ready 365!”