Overview
Phishing and social engineering attacks are among the most common and effective tactics cybercriminals use to gain unauthorized access, steal sensitive information, or compromise EY systems. These deceptive techniques exploit human trust and curiosity, making employee awareness and vigilance essential to safeguarding our firm.
This article will help you understand what phishing and social engineering attacks look like, how to recognize them, and what steps to take if you encounter a suspicious email or communication.
What is Phishing?
Phishing is a form of cyberattack where attackers impersonate trusted individuals or organizations to trick you into revealing sensitive information, clicking on malicious links, or opening harmful attachments.
Phishing emails may appear to come from EY executives, well-known companies, or familiar contacts and often contain urgent requests or alarming messages designed to provoke quick action.
What is Social Engineering?
Social engineering is a broader category of attack techniques that manipulate people into divulging confidential information or performing actions that compromise security. Phishing is one form of it; others include phone calls (voice phishing or “vishing”), text messages (SMS phishing or “smishing”), and in-person requests that appear legitimate.
Common Signs of Phishing & Social Engineering Attacks
Be cautious when you encounter:
- Unexpected or unsolicited emails, especially those asking for sensitive information or urgent action.
- Poor spelling, grammar, or formatting errors in emails (a well-crafted phishing email may have none, so clean copy is no guarantee).
- Email addresses or links that look suspicious or slightly misspelled: lookalike domains with a swapped letter, an added word or hyphen, or a different top-level domain, and display names that do not match the actual address behind them.
- Requests for login credentials, financial information, or personal data.
- Unexpected attachments or links urging you to download software or open files.
- Messages creating a sense of urgency, fear, or curiosity ("Your account will be suspended," "Click now to avoid penalties").
How to Protect Yourself
- Always verify the sender’s actual email address, not just the display name (mail clients, especially on mobile, often show only the name). Check for subtle variations or spoofed domains.
- Hover over links (without clicking; on mobile, long-press) to preview the real destination URL and confirm it leads to a legitimate EY or trusted site. The visible link text can itself look like a trusted address while the underlying link points elsewhere.
- Never provide your EY credentials, personal data, or financial information via email or phone unless you are certain of the recipient’s identity and authorization.
- Use EY’s official communication channels to confirm unusual or suspicious requests (e.g., call the person or team directly using a number you already have or look up yourself, not one given in the message).
- Keep your software, antivirus, and security applications updated.
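The checks above (actual address versus display name, lookalike domains, and the real target behind a link) can be applied mechanically to a saved message. The script below is an added example and is not EY tooling or part of the Security Team’s process; it parses a constructed .eml with only the Python standard library and reports the signs this article describes. The trusted domain (ey.com), the brand token derived from it, every header value and every URL in the sample are assumptions made up for the illustration, and the two-label approximation of a registrable domain would need a public suffix list in real use.

```python
"""Triage of a suspected phishing email: an added example, not EY tooling.
Flags a display name claiming EY on another domain, a lookalike of ey.com,
a Return-Path that does not match From:, and links whose visible text
differs from the real href (what hovering over a link reveals).
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: ey.com is the only trusted domain. A brand
# token as short as "ey" would be noisy against real mail.
TRUSTED_DOMAINS = {"ey.com"}
BRAND_TOKENS = {d.split(".")[0] for d in TRUSTED_DOMAINS}

# Constructed sample message; every header value and URL is invented.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-ey-secure.example>
From: "EY IT Helpdesk" <helpdesk@ey-com.example>
To: employee@ey.com
Subject: Action required: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is over quota. Sign in at
<a href="http://ey-com.example/login">https://login.ey.com</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.ey.com/en_gl">the EY site</a>.</p>
</body></html>
"""


class _LinkParser(HTMLParser):
    """Collects (href, visible text) for each <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host; real tooling should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _squash(s: str) -> str:
    """Lower-case letters and digits only, so ey-com.example reads as eycomexample."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def is_lookalike(domain: str) -> bool:
    """Untrusted domain that still reads as a trusted one once punctuation is dropped."""
    if registrable(domain) in TRUSTED_DOMAINS:
        return False
    return any(_squash(t) in _squash(domain) for t in TRUSTED_DOMAINS)


def addr_domain(header_value) -> str:
    """Domain of the first address in a header such as '"Name" <user@host>'."""
    return email.utils.parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> list[tuple[str, str]]:
    """Return (finding code, detail) pairs; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    display_name = email.utils.parseaddr(from_hdr)[0]
    from_dom = addr_domain(from_hdr)
    if from_dom and registrable(from_dom) not in TRUSTED_DOMAINS:
        # Display name borrows the brand, but the address is on another domain.
        if set(re.findall(r"[a-z0-9]+", display_name.lower())) & BRAND_TOKENS:
            findings.append(("DISPLAY_NAME_MISMATCH", f"'{display_name}' sent from {from_dom}"))
        if is_lookalike(from_dom):
            findings.append(("LOOKALIKE_SENDER", from_dom))
    rp_dom = addr_domain(msg.get("Return-Path", ""))
    if rp_dom and registrable(rp_dom) != registrable(from_dom):
        findings.append(("RETURN_PATH_MISMATCH", f"{rp_dom} != {from_dom}"))
    body = msg.get_body(preferencelist=("html",))  # None for text-only mail
    if body is not None:
        parser = _LinkParser()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = urlparse(href).hostname or ""
            # Only compare when the visible text is itself a URL.
            text_host = (urlparse(text).hostname or "") if "://" in text else ""
            if text_host and registrable(text_host) != registrable(href_host):
                findings.append(("LINK_TEXT_MISMATCH", f"shows {text_host}, goes to {href_host}"))
            if href_host and is_lookalike(href_host):
                findings.append(("LOOKALIKE_LINK", href_host))
    return findings
```

Calling `triage(SAMPLE_EML)` returns five findings: the display name claims EY while the address is on ey-com.example, that domain is a lookalike of ey.com, the Return-Path is on yet another domain, the first link shows login.ey.com but goes to ey-com.example, and that link target is a lookalike as well. The second link, whose text is plain words and whose target is www.ey.com, produces nothing. Against a text-only message from an ey.com address the list is empty.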
What to Do If You Receive a Suspected Phishing Email
Do NOT:
- Click any links or download attachments from the suspicious email.
- Reply to or forward the email to colleagues.
- Attempt to investigate the email’s origin on your own.
Do:
- Report it immediately using EY’s established process:
- Use the “Report Phishing” button available in your Outlook toolbar (if enabled). This automatically forwards the email to the EY Security Team for analysis.
- If you do not have the button, forward the email as an attachment (do not just forward inline, which strips the original headers the Security Team uses to trace the sender) to securityawarenessteam@ey.com (or your internal security reporting email address).
- Delete the suspicious email from your inbox after reporting.
- Notify your manager or the IT helpdesk without delay if you clicked a link, opened an attachment, entered your credentials, or otherwise believe your credentials may be compromised; the sooner it is reported, the sooner the Security Team can act before any access is used.
What Happens After You Report a Phishing Attempt?
The EY Security Team will investigate the incident, block any malicious domains or senders, and take appropriate action to protect employees and our systems. Reporting helps us quickly respond to threats and prevents others from falling victim.
Additional Resources
- Complete the regular Security Awareness Training, which includes updated phishing simulations and tips.
- Review EY’s Phishing Prevention Policy on the intranet.
- Visit the EY Security Awareness Help Center for ongoing tips and alerts.
Remember: Phishing and social engineering attacks rely on trust and haste. Always be cautious, verify requests, and report suspicious activity promptly. Your vigilance is crucial to protecting EY’s information and reputation.