A social engineering attack is when an individual attempts to take advantage of an unsuspecting person in order to obtain confidential information or the means to access that information.
In a January virtual workshop, Omer Usmani, senior security analyst with the California Community Colleges Information Security Center, covered the most common social engineering methods and what to do if you suspect you have been targeted.
Phishing is a tactic used in 85 percent of social engineering attacks. Though phishing takes many forms, it is most commonly associated with deceptive emails designed to trick the receiver into providing confidential information or inadvertently downloading malicious software.
To avoid getting phished, be wary of clicking links in unsolicited emails, especially those that imply a sense of urgency in regard to passwords or account information. Notice whether the messaging contains grammatical errors or if URLs have misspellings or an incorrect extension, such as .com where a .edu would be expected.
Smishing attacks use phishing techniques to obtain confidential information — such as account number or passwords — through text messaging. For example, persuading the target to contact customer support by phone, download a malicious application or click a link and fill out an online form.
Smishing attacks can be avoided by doing a bit of legwork. Before trusting that the phone number or URL provided are legitimate, go directly to the organization’s website and verify the contact information matches. Similarly, if you were not expecting a delivery from a specific provider, don’t click the tracking link in the text message. Check the status of a shipment by entering the tracking number directly into your browser’s search field.
Direct phone solicitation
In this form of social engineering, an attacker may use ID spoofing to make it look like an incoming call is from a valid phone number. Impersonating is another tactic used to fool the target into thinking they are speaking to someone from a legitimate organization.
Prevention here is simple: Avoid taking calls from unknown phone numbers and never give out personal or confidential information over the phone.
If you suspect you have been targeted or become a victim of a social engineering attack, alert your network administrator immediately.
For more information about tools and services to help colleges reduce the risk of an information breach, visit the CCC Information Security Center.