Social Engineered Phishing Attacks – What You Should Know

What You Should Know

Social engineering via email or phone is an attack vector relying heavily on human interaction and often involves tricking people into breaking normal security procedures.  Hackers using this method will contact a victim under false pretenses to psychologically fool them into handing over valuable agency information or their own personal data.  This data will then be used to rob, extort, or destroy, depending on what was acquired and what the thieves believe they can get for it. If all they got was access to raw agency data, and destroyed it, that by itself would be bad enough.  But if they also got the victim’s personal bank information and/or credit card numbers, well then… goodbye $$.  Seems laughable, doesn’t it?  That anyone would be ‘dumb’ enough to hand over information like this, and to complete strangers, no less.  But people do it.  And it happens more often than you think.

Most commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading them to promptly reveal sensitive information, click a malicious link, or open a malicious file.  Because social engineering involves a human element, preventing these attacks can be tricky for enterprises. 

Criminals use social engineering tactics because it is usually easier to exploit a person’s natural inclination to trust than it is to discover ways to hack your systems via software.  For example, it is much easier to fool someone into handing over their password than it is to try cracking the password.

Security is all about knowing who and what to trust. You must learn to know when to take a person at their word, and when not to.  You also need to determine that the person you are communicating with, sometimes facelessly on the internet or over the phone, is actually who they represent themselves to be.  Are they truly legitimate? If you have any doubts about this, should you really be providing your information to them?  Especially your private, financial information?

Ask security professionals what the weakest link in the security chain is and they’ll say it’s the human who accepts a person or scenario at face value. It doesn’t matter how secure your house is: if you take the lost guy standing on your porch, asking to use your phone because his cell is out of juice, at face value, without first checking to see if he is legitimate, you are totally exposed to whatever risk he represents once you invite him into your home.

Tactics used

There are many methods available to a criminal-hacker, when attempting to gain access to someone’s private information.  Far and away the top three approaches are Phishing Scams with Pretexting, Baiting, and Quid Pro Quo.

Phishing Scams and Pretexting:

Phishing Scams are used mostly via email, though sometimes contact can occur by text or phone.  Phishing creates a fabricated emergency scenario (the pretext) requesting private information so the crisis may be solved/alleviated.  You might be asked to click on a link and submit secure information, or reply with a PDF of agency data (student numbers?  SSN’s?), all for the purpose of solving some problem they say the agency has.  It will be a problem you were unaware of until you were contacted.  They attempt to instill in you the need for an urgent response, seeking to manipulate you into acting quickly, without considering the consequences.

Sometimes the email will appear to come from someone ‘high-up’ in the organization.  This means the return address to the email has been spoofed (made to look like it is from a washtenawisd.org address, but actually is not).  Remember, email address and web addresses are easy to spoof, so don’t trust them.

Examples:

Look at the following real Phishing Scam, based on the Pretext “your email is infected with a virus”:

[Image: phishing email using the “your email is infected with a virus” pretext]

What’s wrong with this picture?  First, the email states it was sent by the ITS Helpdesk, but the From address is all wrong.  And the To address is not specific enough: cs.stanford.edu is a group, not a single employee.  The message offers no proof that “your email is infected by a virus”, it only states it.  And rather than providing instructions on how to clean the virus from your computer, it states your only option is to update your cs-stanford-edu email account (though how that clears a virus is a mystery!).  The link is all wrong (though a throwaway link, shortened by a link-shortener, could have hidden that).  Finally, the English is off the mark, and the entire content is just poorly written.  All clues that you are being phished!

The above was an actual scam sent to Stanford University. One of many, many scams they received, just in 2015. 

Baiting:

Baiting is phishing, but with a promised or free reward.  Here it is, in a nutshell: 

[Image: phishing email with a “click here” to claim a new car]

Yep!  A new car!! All you need to do to get it is to hand over your bank information so the ‘company’ can pay the state taxes for you.  It’s that easy… right?  Riiiight!!  Why do they need your bank account information to pay the State taxes?

Top Tip:  Ask them to meet you at the Secretary of State’s office where you can pay the taxes directly.  You’ll never hear from the scammers again!

Here’s an interesting one, from 2006: 

[Image: USB sticks scattered in a parking lot]

Free USB drives!  Sprinkled on the ground in the parking lot.  What could go wrong?

Remember what we said about too good to be true?  Yeah, you’re getting it! (But not a free USB stick (or a car!))

Quid Pro Quo:

Quid Pro Quo promises a benefit in exchange for information.  You might get a call from someone claiming to be WISD IT, informing you there is something wrong with your agency computer/account/files, and if you just give them your username and password they’ll log in and ‘fix it’ for you.  Or maybe they’ll ask you to disable your anti-virus, then go to a certain website, download a ‘fix’ (actually malware), and install it.  The result is you’ve given them control of the computer and they can then do whatever they want.

There are many types of attacks out there, with many variations and combinations of the above scenarios. Knowing what they are, and how subtle they can be, is the first big step in preventing manipulation and exploitation.

Response

Hackers and criminals engaging in socially engineered attacks prey upon the human psyche and its innate curiosity to deceive a victim and compromise information.  When countering these types of human-centric attacks it is good to remember that all of us are partners on the same team and that knowledge is power.

Here are some tips on avoiding socially engineered schemes:

  • Do not open any emails from untrusted sources. Be sure to contact the friend or family member in person or via phone if you ever receive an email message from them that seems odd or out of character in any way.
  • Lock your computer whenever you are away from your desk.  Ctrl-Alt-Delete is your friend!
  • Don’t turn off your anti-virus software.  No AV solution can defend against every threat that seeks to jeopardize user information, but they help protect against the great majority of them.  Always leave your A-V running.
  • Read the agency privacy policy to understand under what circumstances we are allowed to let a stranger into a WISD building, or have access to a WISD computer (hint:  Never!).  Please contact HR for further information.

Phishing emails, identity hacks, and socially engineered information attacks are becoming more difficult to identify these days, but armed with the above knowledge you can begin to avoid becoming a victim.  

Conclusion

If you can answer yes to any of the following questions there’s a good chance that you’re looking at a phishing attempt, email or otherwise (one that needs to be deleted, with your trash emptied shortly thereafter).

  • Does the message ask for personal information?  Remember, reputable businesses do not ask for personal information—such as social security and credit card numbers—via email.
  • Does the offer seem too good to be true?  If it seems too good to be true, it probably is. Beware of emails offering big rewards—vacations, cash prizes, etc. for little effort.
  • Does the salutation look odd?  Reputable companies will use your name in the salutation—as opposed to “valued customer,” “…to whom it may concern,” or the ever popular “Friend!”  Also, is your name, if included, misspelled? 
  • Does the email have mismatched URLs?  If you receive an email from an organization that includes an HTML link in it, hover your mouse over the link without clicking and you should see the full URL appear, usually in the bottom left corner of your browser. If the URL does not include the organization’s exact name, or if it looks suspicious in any other way, it’s probably a phishing attack. Delete the email.  Also, you should only visit websites that begin with “https” because the “s” at the end indicates advanced security measures are in place. Websites that begin only with “http” are not secure.
  • Does it give you a suspicious feeling?  You’re smart, so trust your instincts when it comes to email.  If you catch yourself wondering whether an email is legitimate, and your instinct is to ignore and delete it—then pay attention to that gut check.  Trust yourself.  You’ll be better for it.
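The checklist above, together with the From-address and link checks from the Stanford example, can be applied mechanically to a message before anyone clicks.  The checker below is an added example, not code from this page or from WISD; the agency domain, the keyword lists, and the sample email are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the "your email is infected" pretext from the page.
SAMPLE_EMAIL = """\
From: "ITS Helpdesk" <helpdesk@example-mailer.test>
Subject: Urgent: your email is infected with a virus
Content-Type: text/html

<p>Dear valued customer,</p>
<p>Your email is infected. Please verify your password here:
<a href="http://washtenawisd.org.account-verify.test/login">https://washtenawisd.org/login</a></p>
"""

ORG_DOMAIN = "washtenawisd.org"  # assumed: the domain agency mail should come from
GENERIC_SALUTATIONS = ("valued customer", "to whom it may concern", "friend")
URGENCY_WORDS = ("urgent", "immediately", "verify your")
INFO_WORDS = ("password", "social security", "credit card", "bank account")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def registered_domain(host):
    """Last two labels of a host name ('x.y.example.org' -> 'example.org')."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw):
    """Return the checklist items from the page that fire on one raw email."""
    msg = message_from_string(raw)
    body, hits = msg.get_payload(), []
    text = (msg.get("Subject", "") + " " + body).lower()
    # Sender claims to be IT, but the actual From address is not the agency's domain.
    _, addr = parseaddr(msg.get("From", ""))
    if registered_domain(addr.rpartition("@")[2]) != ORG_DOMAIN:
        hits.append("from-address-not-org")
    if any(s in text for s in GENERIC_SALUTATIONS):
        hits.append("generic-salutation")
    if any(w in text for w in INFO_WORDS):
        hits.append("asks-for-personal-info")
    if any(w in text for w in URGENCY_WORDS):
        hits.append("urgency")
    for href, shown in ANCHOR.findall(body):
        # The "hover" check: where the link really goes; https alone proves nothing.
        real = registered_domain(urlparse(href).hostname or "")
        if real != ORG_DOMAIN:
            hits.append("link-not-org")
        shown_host = urlparse(shown.strip()).hostname
        if shown_host and registered_domain(shown_host) != real:
            hits.append("mismatched-url")
    return hits
```

Keyword matching like this is a coarse filter, so treat an empty result as "no obvious signs," not as proof the message is genuine.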

Following these rules does not guarantee you will forever be safe from email scams.  But knowledge is power, and knowing which are the more popular scams and how they work can go far in deflecting their intrusion into your life and disturbing your peace of mind.

Contacting Technology for Support

If you are having a problem, we want to hear from you!

Entering a Customer Service Request

If you are experiencing a technical problem with your technology please navigate to the CSR Ticket Login Page and enter your WISD network username and password in the appropriate fields. After you login, create a ticket describing the problem.  The tickets generated by the system send alerts to everyone in Technology, so we will see your ticket and respond.

Calling the Help Desk

If your problem is an emergency, call us at x1286 (734-994-8100 x 1286). The phones are manned M-F; 7:30 a.m. to 5 p.m.

Customers requesting support, who are not employees of WISD, should still call the Help Desk number.  If we can help you, we will.