Phishing is just one type of social engineering, which uses deception tactics in an attempt to manipulate you into providing sensitive information. Today, we received a fax from a company requesting account information, from a client. After following up with the client to confirm legitimacy, or in this case, illegitimacy, we can simply disregard the fax. But I requested permission to share it, as this is another example of social engineering.
Similar to email, this fax had a number of red flags, but also had a number of legitimate qualities (click the image for the full fax). The first red flag, was it was coming from a foreign company. While many organizations do business with companies out of the United States, it’s still a red flag. The document did look like a standard business credit reference, and didn’t request any overly sensitive information (eg. account number), which you’d typically see in a phishing attempt. It also had some hand written items, again, similar to what you may find in a legitimate credit check request.
However, part of social engineering is using legitimate information to build your attack. To think of it criminally, if we had provided them with balance information, they may attempt to contact our client in an attempt to have them make payments to their account. Or they could have used this information in an attempt to fraudulently place an order, within their credit terms.
In summary, you must always be mindful when being asked for sensitive information, whether that be via email, fax, phone, etc. It typically only takes a few moments to validate a request, so please, take that few moments.