By: Nicholas Wilkening
A common misconception people have about cyber attackers is that they only use advanced hacking tools and technology to break into people’s computers, accounts and mobile devices. In reality, cyber attackers have learned that one of the easiest ways to steal your information or hack your computer is simply to talk to you and mislead you. In this edition of CaTT Tales, we will explain how these human-focused attacks (called social engineering attacks) work and what you can do to protect yourself.
According to the 2016 Cybersecurity Snapshot report from the Information Systems Audit and Control Association (ISACA), a prominent non-profit association focused on cyber security, the top cyber threat to an organization is social engineering.
Social engineering is a type of psychological attack in which an attacker misleads you into doing something they want you to do. The principle behind social engineering, and scams in general, is that people are the weak link in security – it can be easier to trick a person than to break into a computing system by force. Social engineering has existed for thousands of years; the idea of scamming or conning someone is not new. However, cyber attackers have learned that using this technique on the Internet, in person, or over the phone is extremely effective, and that it can be used to target millions of people and trick them into giving up critical information or access to information systems. Social engineers exploit people’s natural tendency to trust others and to be helpful. They also take advantage of our propensity to act quickly when faced with a crisis.
Some common examples of social engineering are phishing, tailgating, and pretexting. For a detailed description of each of these and a few more, please go to Tripwire’s review of 5 Social Engineering Attacks to Watch Out For.
Detecting / Stopping Social Engineering Attacks
The simplest way to defend against social engineering attacks is to use common sense. If something seems suspicious or does not feel right, it may be an attack. Some common indicators of a social engineering attack include:
- Someone creating a tremendous sense of urgency. If you feel pressured to make a very quick decision, be suspicious.
- You are being asked for personal or private information, such as your password, financial account information, or Social Security Number, or for money.
- An unexpected or unsolicited email containing a link or an attachment.
- Someone asking for information they should not have access to, or that they should already know.
- Something that is too good to be true. A common example is being notified that you won a lottery you never entered.
If you suspect someone is trying to make you the victim of a social engineering attack, stop communicating with that person. If it is someone calling you on the phone, hang up. If it is someone chatting with you online, end the conversation. If it is an email you do not trust, delete it. If the attack is work-related, be sure to report it to your help desk or information security team right away.
Here are three simple methods to help prevent social engineering attacks:
Never Share Passwords – this is not only good advice, it is also outlined in AP 3720. Do not share your passwords; if someone asks for your password, they are social engineering you, whether they mean to or not. A Jimmy Kimmel comedy routine in which people on the street were asked for their passwords is a classic social engineering attack, and it underscores how easy it is to get someone’s password or other information.
Don’t Share Too Much Information – Each of you holds pieces of the information puzzle that attackers are after. Whenever information is requested from you, be cognizant of the who, what, where, when, why, and how of the request, and of whom you are talking to. The more willing you are to give up sensitive or potentially sensitive information, the easier it is for an attacker to build a complete picture of you, your department, the College, or the District as a whole.
Verify Contacts – If you are ever in doubt about who you are talking to or what their intentions are, ask for their name and a phone number where you can call them back. Research the legitimacy of the request: go to the official website of the company or entity the individual claims to represent and check whether the phone number they gave matches anything on the site. Then call the company or entity at the main line listed on that site (not at a number the caller supplied) and ask about the individual requesting information. Doing a bit of investigative work before giving up any information can help reduce the chance of a data breach.
If you are ever unsure whether you are being targeted by a social engineering attack, call or email your Campus ACT or District IS team so we can investigate.