A common misconception most people have about cyber attackers is that they use only highly advanced tools and techniques to hack into people’s computers or accounts. This is simply not true.
Cyber attackers have learned that often the easiest way to steal your information, hack your accounts, or infect your system is to simply trick you into making a mistake, using a method called social engineering. Social engineering is when a cyber attacker pretends to be someone or something you know or trust, such as a coworker, your tech support team, or your bank, and then uses that trust to get what they want, usually by just asking for it. You can increase your security instantly by learning to recognize a social engineering attack.
Cyber attackers can launch a social engineering attack using a variety of different methods, including email, messaging, phone calls, or in person. They use numerous tricks to get your attention, such as offering free downloads, announcing you won a contest, or pretending that your computer is infected. In addition, these attacks are often made to appear legitimate, for example by including an official logo or a formal signature. Their goal? To get you to share information (like your password) or take a specific action (like opening an infected email attachment).
You can help to protect yourself and the University by recognizing social engineering attacks before they happen. Let’s look at two common types of social engineering attacks.
You get a call from someone claiming to be from the tech department. He informs you that your computer needs to be updated and that he needs your username and password to install the required updates.
However, this is not really someone from the University. Instead, it is a cyber attacker trying to trick you into giving him access to our systems. He does this by creating a tremendous sense of urgency and pretending to be someone you trust.
Here is another common social engineering attack. You receive an email from your boss explaining that she is traveling. She urgently needs someone to call in human resources; however, she does not have their number. In addition, she explains that her laptop just died, and she does not have access to her work email. She needs you to reply to her personal Gmail account and email her your department’s employee phone book.
In reality, this is not your boss. It’s a cyber attacker who is pretending to be your boss and targeting you via email. Most likely, the attacker got your information and identified your boss’s name by researching the University online. The attacker is trying to trick you into sending them our entire phone list, so they can launch attacks on other people in our department too.
The simplest way to defend against social engineering attacks is to think critically about requests. If something seems suspicious or does not feel right, it may be an attack. Some common indicators of a social engineering attack include:
Someone creating a tremendous sense of urgency. If you feel like you are under pressure to make a very quick decision, be suspicious.
Someone asking for information they should not have access to or should already know.
Someone pressuring you to ignore or bypass our security policies and procedures.
Something that seems too good to be true. A common example is being notified that you won a raffle you never entered.
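The email scenario above and the indicator list above map directly onto checks that a mail filter or a help desk triage script can apply before a person ever reads the message: a familiar display name on an unfamiliar address, a personal freemail account used for work business, urgency, a request for data the sender should already have, and a pretext for avoiding normal channels. The following is an added example written for this page, not code from the original page or from SANS; the institutional domain `example.edu`, the `KNOWN_STAFF` directory entry, the keyword lists and both sample messages are constructed assumptions.

```python
# Added example: heuristic triage of an inbound message for the social engineering
# indicators discussed on this page. The organization domain, staff directory,
# keyword lists and sample messages are all constructed for illustration.
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.edu"                          # assumed institutional domain
KNOWN_STAFF = {"dana lee": "dana.lee@example.edu"}  # assumed directory entry
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

URGENCY_RE = re.compile(r"\b(urgent(ly)?|asap|right away|immediately|as soon as possible)\b", re.I)
SENSITIVE_RE = re.compile(
    r"\b(password|phone (book|list)|employee (list|directory)|gift cards?|wire transfer)\b", re.I)
PRETEXT_RE = re.compile(
    r"(laptop|phone) (just )?(died|broke|crashed)"
    r"|can.?t (get to|access|reach) (my )?(work )?email"
    r"|don.?t have (access|their number)", re.I)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Parse an RFC 5322 message and list the social engineering indicators it shows."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    indicators = []

    # 1. Impersonation: the display name matches a colleague, the address does not.
    expected = KNOWN_STAFF.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        indicators.append("display name matches internal staff but sender address is not theirs")
    # 2. Work business routed through a personal freemail account or a diverted reply path.
    if from_dom in FREEMAIL_DOMAINS or reply_dom in FREEMAIL_DOMAINS:
        indicators.append("freemail address used for internal business")
    if reply_dom and reply_dom != from_dom:
        indicators.append("Reply-To domain differs from sender domain")
    # 3. Pressure, a sensitive ask, and an excuse for bypassing normal verification.
    if URGENCY_RE.search(text):
        indicators.append("creates a sense of urgency")
    if SENSITIVE_RE.search(text):
        indicators.append("requests information the sender should already have or not need")
    if PRETEXT_RE.search(text):
        indicators.append("pretext for avoiding normal verification channels")

    return {"indicators": indicators, "score": len(indicators),
            "verdict": "suspicious" if len(indicators) >= 2 else "ok"}


# Constructed sample: the "traveling boss" message from the page, sent from a freemail account.
SUSPICIOUS_MSG = (
    'From: "Dana Lee" <dana.lee.travel@gmail.com>\n'
    "To: you@example.edu\n"
    "Subject: quick favor\n"
    "\n"
    "Hi, I'm traveling and my laptop just died so I can't get to my work email.\n"
    "I urgently need to reach someone in HR but don't have their number.\n"
    "Can you email me the department's employee phone book? Thanks, Dana\n"
)

# Constructed sample: an ordinary internal message from the same colleague.
BENIGN_MSG = (
    'From: "Dana Lee" <dana.lee@example.edu>\n'
    "To: you@example.edu\n"
    "Subject: Thursday agenda\n"
    "\n"
    "Attached is the agenda for Thursday's staff meeting. See you there.\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("benign", BENIGN_MSG)):
        result = score_message(raw)
        print(label, result["verdict"], result["indicators"])
```

The threshold of two indicators is deliberate: a genuinely urgent message from a real colleague trips one check, while the attack described on this page trips five. A script like this is a triage aid for the help desk or a mail gateway, not a replacement for the page's advice to stop responding and verify through a known channel.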
If you suspect someone is trying to make you the victim of a social engineering attack, do not communicate with the person anymore. Simply hang up the phone or ignore the message and contact the help desk or our information security team right away.
Adapted from SANS Institute, Social Engineering
August 2024, ec