Be social, but don't get social engineered.

In February, love is in the air, and the temptation to go out and be social with your loved ones may cause you to lower your guard to social engineering scams. 

What is Social Engineering?

Social engineering is when a cybercriminal obtains access, information, or resources they should not have by manipulating people rather than technology. You might assume that most breaches begin with an attacker punching through a firewall or running a sophisticated password cracker, but a large share of them begin with nothing more technical than a convincing lie told to the right person.

Instead of targeting technical barriers, attackers "engineer" a way to manipulate people. They fabricate a "social" situation, often a problem they created themselves, and then offer you a way to resolve it; hence the name social engineering.

Simply put, the social engineer makes up a really convincing story to trick you into doing something for them or granting them access to private information.

Examples of Social Engineering


Phishing

Phishing is by far the most common form of social engineering, and email is its most popular channel. Phishing emails bait you into sharing private information, clicking a link, or opening an attachment that infects your device with malware.

Smishing and vishing are versions of phishing carried out by text message and by voice call, respectively. Because caller ID can be spoofed, the attacker can make a call or text appear to come from any name or number they choose, pose as someone you trust, and claim to have a new number or to need something from you right away.

EXAMPLE: You receive an "urgent" voicemail from Janet in another department saying her database is down and she needs account information about a particular customer ASAP. When you call "Janet" back at the number she left, you share personal information with the phisher, who uses that data to gain access to a UVA system. The safeguard is simple: do not return the call on the number in the message; look Janet up in the directory and call her there.

Physical breaches

Social engineers sometimes pose as employees or as friendly faces such as delivery drivers to get into a building. Once inside and left unattended, they compromise computers or rummage through private paperwork.

EXAMPLE: Someone in a mail carrier's uniform comes up behind you juggling a stack of packages. You kindly hold the door open for them as you enter your office, but the mail carrier is a cybercriminal in disguise. What is in the packages? Hacking devices, which they plug into unattended computers to steal information. This is known as tailgating; a badge-controlled door only works if everyone who passes through it badges in, so ask unfamiliar visitors to use their own badge or sign in at reception.

The Psychology of Social Engineering

For those of you interested in the psychology behind the cybercrime, here are some of the psychological concepts social engineers use to convince people to hand over protected information voluntarily, without realizing what they are doing.

Priming

Priming is when a social engineer emotionally charges the conversation early on, breaking the ice so that they appear more legitimate and their victim becomes more willing to answer questions. They might open by sharing how rough their morning has been, or play an audio file of children running around in the background and then pretend to ask them to quiet down because Mom or Dad is on the phone. Kids, right?

Framing

Do you remember infomercials (back when we used to watch a 20-minute ad for OxiClean just because we loved Billy Mays)? They would never just tell you the price of the product outright. Instead, they would say "Six easy payments of $12.99!" This is framing: the information is presented in a way that manipulates how you receive it. $78 might seem ridiculously steep, but six easy payments of $13 seems like a steal.

Cybercriminals do the same thing; they present information or requests in clever ways designed to engineer your reaction. Next time you get an email from a stranger who cannot afford to feed his family unless you send him an iTunes gift card, ask yourself, "If he had just plainly asked me for this, would I have said yes?"

Loss Aversion

If, at the height of the buzz around Tidying Up with Marie Kondo, you set out on a decluttering spree only to find yourself unwilling to part with basically anything, you are not alone. Human beings are extraordinarily averse to parting with things they own. Social engineers use this to their advantage by dangling the threat of a loss, often money or access to an account, in front of their potential victim, clouding their judgment and making them more willing to cooperate or share personal information.

Authority Bias

How long did it take you to realize that your parents are not always right? People tend to reflexively trust the opinions of those with authority over them, and they are also much more likely to act against their own self-interest when asked to do so by an authority figure. Social engineers often pose as an authority figure such as a department chair or dean to discourage potential victims from scrutinizing their requests.

Familiarity Bias

You are at a diner ordering a soda and the waitress asks whether you want a Coke or a Dacey Fizz. Which do you pick? The Coke, right? When faced with a choice, people are significantly more likely to choose (and trust) the most familiar option. Social engineers use this to their advantage by laying out several courses of action and trusting that you will pick the most familiar one, which is the one they wanted you to pick all along.

This information was adapted from Living Security's Social Engineering Guide. 

If you believe you have fallen victim to a social engineering attack, report it immediately. 

Report an Information Security Incident

Please report any level of incident, no matter how small. The Information Security office will evaluate the report and provide a full investigation if appropriate.
