Social engineering via email or phone is an attack vector relying heavily on human interaction and often involves tricking people into breaking normal security procedures. Hackers using this method will contact a victim under false pretenses to psychologically fool them into handing over valuable agency information or their own personal data. This data will then be used to rob, extort, or destroy, depending on what was acquired and what the thieves believe they can get for it. If all they got was access to raw agency data, and destroyed it, that by itself would be bad enough. But if they also got the victim’s personal bank information and/or credit card numbers, well then… goodbye $$. Seems laughable, doesn’t it? That anyone would be ‘dumb’ enough to hand over information like this, and to complete strangers, no less. But people do it. And it happens more often than you think.
Most commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the them to promptly reveal sensitive information, click a malicious link, or open a malicious file. Because social engineering involves a human element, preventing these attacks can be tricky for enterprises.
Criminals use social engineering tactics because it is usually easier to exploit a person’s natural inclination for trust than it is to discover ways to hack your systems via software. For example, it is much easier to fool someone into giving them their password than it is for them to try hacking the password.
Security is all about knowing who and what to trust. You must learn to know when to take a person at their word, and when not to. You also need to determine that the person you are communicating with, sometimes facelessly on the internet or over the phone, is actually the person they say they represent themselves to be. Are they truly legitimate? If you have any questions about this, should you really be providing your information to them? Especially your private, financial information?
Ask security professionals what the weakest link in the security chain is and they’ll say it’s the human who accepts a person or scenario at face value. It doesn’t matter how secure your house is, if you take the lost guy standing on your porch, asking to use your phone because his cell is our of juice, at face value, without first checking to see if he is legitimate, your are totally exposed to whatever risk he represents once you invite him into your home.
There are many methods available to a criminal-hacker, when attempting to gain access to someone’s private information. Far and away the top three approaches are Phishing Scams with Pretexting, Baiting, and Quid Pro Quo.
Phishing Scams are used mostly via email, though sometimes contact can occur by text or phone. Phishing creates a fabricated emergency scenario (the pretext) requesting private information so the crisis may be solved/alleviated. You might be asked to click on a link and submit secure information, or reply with a PDF of agency data (student numbers? SSN’s?), all for the purpose of solving some problem they say the agency has. It will be a problem you were unaware of until you were contacted. They attempt to instill in you the need for an urgent response, seeking to manipulate you into acting quickly, without considering the consequences.
Sometimes the email will appear to come from someone ‘high-up’ in the organization. This means the return address to the email has been spoofed (made to look like it is from a washtenawisd.org address, but actually is not). Remember, email address and web addresses are easy to spoof, so don’t trust them.
Look at the following real Phishing Scam, based on the Pretext “your email is infected with a virus”:
What’s wrong with this picture? First, the email states it’s was sent by the ITS Helpdesk, but the From address is all wrong. And the To address is not specific enough. cs.stanford.edu is a group, not a single employee. The message offers no proof that “your email is infected by a virus”, only states it. And rather than providing instructions on how to clean the virus from your computer, it states your only option is to update your cs-stanford-edu email account (though how that clears a virus is a mystery!). The link is all wrong (though a throwaway link, shortened by a link-shortener, could have hidden that). Finally, the English is off the mark, and the entire content is just poorly written. All clues that you are being phished!
The above was an actual scam sent to Stanford University. One of many, many scams they received, just in 2015.
Baiting is phishing, but with a promised or free reward. Here it is, in a nutshell:
Yep! A new car!! All you need to do to get it is to hand over your bank information so the ‘company’ can pay the state taxes for you. It’s that easy… right? Riiiight!! Why do they need your bank account information to pay the State taxes?
Top Tip: Ask them to meet you at the Secretary of State’s office where you can pay the taxes directly. You’ll never hear from the scammers again!
Here’s an interesting one, from 2006:
Free USB drives! Sprinkled on the ground in the parking lot. What could go wrong?
Remember what we said about too good to be true? Yeah, you’re getting it! (But not a free USB stick (or a car!))
Quid Pro Quo promises a benefit in exchange for information. You might get a call from someone claiming to be WISD IT, informing you there is something wrong with your agency computer/account/files, and if you just give them your username and password they’ll log in and ‘fix it’ for you. Or maybe they’ll ask you to disable your anti-virus, then go to a certain website, download a ‘fix’ (actually malware), and install it. The result is you’ve given them control of the computer and they can then do whatever they want.
There are many types of attacks out there, with many both variations and combinations of the above scenarios. Knowing what they are, and how subtle they can be is the first big step in preventing manipulation and exploitation.
Hackers and criminals engaging in socially engineered attacks prey upon the human psyche and its innate curiosity to deceive a victim and compromise information. When countering these types of human-centric attacks it is good to remember that all of us are partners on the same team and that knowledge is power.
Here are some tips on avoiding socially engineered schemes:
Phishing emails, identity hacks, and socially engineered information attacks are becoming more difficult to identify these days, but armed with the above knowledge you can begin to avoid becoming a victim.
If you can answer yes to any of the following questions there’s a good chance that you’re looking at a phishing attempt, email or otherwise (one that needs to be deleted, with your trash emptied shortly thereafter).
Following these rules does not guarantee you will forever be safe from email scams. But knowledge is power, and knowing which are the more popular scams and how they work can go far in deflecting their intrusion into your life and disturbing your peace of mind.
If you are having a problem, we want to hear from you!
If you are experiencing a technical problem please navigate to the CSR Ticket Login Page and enter your WISD network username and password in the appropriate fields. After you login, create a ticket describing the problem. The tickets generated by the system send alerts to everyone in Technology, so we will see your ticket and respond.
If your problem is an emergency, call us at x1286 (734-994-8100 x 1286). The phones are manned M-F; 7:30 a.m. to 5 p.m.
Customers requesting support, who are not employees of WISD, should still call the Help Desk number. If we can help you, we will.
© 2018 Washtenaw ISD. All Rights Reserved.