The term 'social engineering' is used to describe any attempt to manipulate someone into unknowingly divulging university confidential information or information about individuals. While many social engineering attempts are fairly obvious in their efforts to gather sensitive data or defraud the university, others can be very sophisticated. Social engineering techniques: attackers use a variety of different techniques in their attempts to steal sensitive information. For example:
- Phishing: Phishing is when an attacker masquerades as a legitimate business with the aim of fraudulently obtaining private information. Typically emails are sent to lure recipients to bogus websites where they are asked to verify or update personal information such as passwords and account numbers. While some phishing attacks may be poorly constructed, others are very sophisticated so as to mimic genuine business correspondence.
- Phone phishing: Phone phishing involves cold calling potential victims with the aim of obtaining bank or credit card details. Typically an automated message is played informing the victim that there has been fraudulent activity on a bank account (e.g. the University's bank account). The message may request a call back or transfer you to a human operator posing as customer service staff in order to acquire personal or university-specific information.
- Spear phishing: Spear phishing is a targeted form of phishing attack that involves sending an email to obtain private information or gain access to the university's systems. Unlike in a standard phishing attack, the cyber criminal already possesses information about the victim and is able to construct a credible email to lure the recipient into action. Because of this, spear phishing is much harder to detect and has a much higher success rate than normal phishing attacks.
- Quid pro quo: A quid pro quo attack is when a fraudster attempts to gain access to an organisation's system passwords or confidential information by directly calling employees and posing as a member of that organisation's technical support team returning a call to the helpdesk. Eventually the attacker may get through to someone with genuine IT-related problems. They then give the user bogus instructions to 'fix' their computer, which may involve installing malware such as a RAT (Remote Access Tool) that gives the attacker access to the network.
- Baiting: Baiting is a method attackers use to gain access to an organisation's internal network. The technique involves leaving an infected device, such as a CD-ROM or USB stick, on, near or within the organisation's premises. If an employee finds the device and inserts it into a computer on the network, malware is installed that gives the attacker access to that computer and potentially to the organisation's entire network.
Question: Yesterday I received a call from what I thought was the university's information services helpdesk explaining that my computer had been infected with malware. They seemed to know a lot about my computer and directed me to download a patch to fix the issue. Today my computer is running slowly and there are strange icons on my desktop. Now I'm worried I have been a victim of an attack. What should I do? And how can I avoid future attacks?
Answer: First of all, report the incident immediately to Information Services and the CIST, giving them as much information as possible. In the future, never trust any unsolicited call where the caller asks for your details or gives you instructions to 'fix' your computer. If you are ever in doubt as to the legitimacy of a call, hang up and contact Information Services directly.
Combating Social Engineering
The following are best practice guidelines to protect yourself and the University from social engineering attacks:
- Always be suspicious of unsolicited emails. Some malicious emails can be very sophisticated and mimic those of legitimate businesses.
- Never click on any link or attachment in an unsolicited email.
- Never click 'Remove me' or 'Unsubscribe' in an email, as this could take you to a malicious site. Instead, flag the email as junk or report it to IS and CIST.
- Be wary of emails from personal email addresses – particularly if they ask for personal or corporate information. Attackers can easily pose as colleagues by using personal accounts to carry out spear phishing attacks.
- Never give a cold caller university confidential information, pay them for services, or allow them to remotely access your computer.
- If you receive a suspicious or unexpected call, ask for a telephone number and request to call them back. Legitimate companies will be happy for you to contact them. This will give you the opportunity to verify the legitimacy of the caller.
- Remember, a legitimate Information Services support team member will NEVER ask for your personal information or password over the phone.
- Always alert IS and CIST if you discover a removable device lying around on campus.
- Never insert an unknown device into your computer.