Social Engineering and Phishing

It is widely believed by hackers that it is easier and less time consuming to get someone to divulge their secrets than it is to brute force ‘crack’ them via technology.  As such, scammers, hackers, and identity thieves often rely on tricking people into giving them access, a technique known as "Social Engineering".  Social Engineering comes in many forms, the most common described here.


Email Phishing

The scam: You receive an email, seemingly from your mail administrator, or systems administrator, or maybe even your bank, or the IRS.  It says that your password is expiring, or your mail quota has been, or is near being exceeded, or if it is your bank it may say something about a resent bill payment, or scheduled transfer failing.  The email instructs you to respond with your username and password so that the administrator can resolve the issue.  There may be a link to a website instead, which then solicits the same or similar information.

Reality: No College official will ever email you, requesting your username, password, social security number, credit card number, or bank account number, and even if they do, DO NOT GIVE IT TO THEM.  In addition, it is unlikely that your bank or the IRS would request information via email either.  Scammers are trying to get that information from you in order to break into your account, access your data or personal finances, and attempt to access other College resources with your credentials.  These emails vary in sophistication, and the victims are often people who are in a circumstance that might make them vulnerable to the attacker.  For instance, a user whose password has, in fact, expired, or a user who is, in fact, near their email quota.

What to do:  Ignore the email and delete it.  If you did happen to fall victim to it, notify the ITS Help Desk immediately.  Remember, it is against policy to disclose your College password to anyone.  It is also against College policy for an administrator to ask you for it.  Lastly, it is against College policy to email any Protected Data (link to data classification policy).  If you sent your bank credentials, you should contact your bank as soon as possible to notify them about what happened.  You may also want to check your credit, or place a freeze on your credit.

Why it matters: Phishing can be used to access all resources you have on campus.  It can be used to access your email account, for instance, which may contain information that is legally protected, or information that is otherwise sensitive in nature.  One moment of weakness and a quick response to a phishing scam can cause your identity, and that of others to be stolen, and can trigger an extensive legal process and investigation.

Phishing as a social engineering hacking vector is on the rise.  Occurrences on campus have increased dramatically recently, and while ITS has, and continues to implement new and increasingly sophisticated methods of thwarting it, it is impossible to catch all phishing email attempts before they arrive in your inbox.  The College already filters out and destroys over 90% of all incoming email.

"Nigerian/419" Scam

The Scam: You receive an email from the heir of an African prince, requiring your assistance in a money transfer.  Or perhaps it was a Kenyan diplomat, stuck outside his country and having difficulty sending money to an embassy in some other country.  In either case, they want your help, and for your help, they'll compensate you with a percentage of the total transfer.

Reality: If you were to exchange further emails with these supposed diplomats / heirs, you'd soon discover that in order to help them, they need cash from you to initiate their so-called business transactions.  They'll promise you you'll receive that much, and more in return, if you only front them an initial amount of money.  The fact is, they are not at all who they claim to be, and if you send them money, they'll simply keep it, and maybe even try to convince you to send more.  You'll never get anything from them in return.

What to do: Ignore the initial emails.  If you fall for it, check with your bank to see if it qualifies as theft and is reimbursable.  You may also wish to check your credit, or subscribe to some form of credit monitoring.

"Nigerian" Scam, the Remix

The Scam: A co-worker, or a study-abroad student emails saying they are stuck in London, or Paris, or Toledo Ohio.  They've lost their passport, and their wallet/purse, and are in desperate need of money so that they may somehow get home.

Reality: Your co-worker, or study-abroad student is likely at home, or if they are abroad, they are likely just fine.  Instead, someone has compromised their email account, and are trying to get you to wire them (the hacker), money.  This is an evolved "Nigerian/419 Scam", and can sometimes be sophisticated.  The person in question could actually be abroad, and so this can seem very real.  Attackers can know this via public postings on social networks like Facebook or Twitter.

What to do: Insist on speaking to them over the phone.  Offer to call collect.  Chances are very good that the person they are claiming to be is fine, and the scammer won't want to speak over the phone.  Any money you send will be lost.

Telephone Phishing

The Scam:  You receive a phone call from someone claiming to be from “Tech support”, or even the Helpdesk.  They are suggesting that you had a computer problem, and that they would like to help.  Maybe they requested your username and password over the phone.

Reality: They likely don’t work for the College at all, and have attempted to steal your credentials.  The Helpdesk is unlikely to ever simply anticipate you having a technical issue, though it can on occasion happen.  More importantly, the Helpdesk will never ask you for your credentials, nor will any College administrator; it is against College policy to tell anyone your password, and also against College policy to request it from someone else.

What to do:  Call the real Help Desk if you fall victim to this, and they will assist you in changing your password immediately.

Social Network Social Engineering

Social networks like Facebook offer unprecedented communication opportunities. They also offer unprecedented opportunities for fraud and identity theft. Watch out for these and other scams:

The "Uncle Jack"

The Scam: All of a sudden uncle Jack is requesting your help, he's stuck in Germany, broke, and without his passport, yet somehow he thinks to get on Facebook and solicit you to send him some money to "save" him.

Reality: Uncle Jack is sleeping in his home, comfortably and quietly as usual. But someone overseas or down the street has hijacked his Facebook account.

What to do: Unfriend Uncle Jack immediately, and encourage other family members to do the same. Why? As your friend, the hijacker has access to your pictures, your videos, all your updates, often times the updates of your friends, as well as your phone number, potentially your address, the names and whereabouts of your family members, all information that could turn an unpleasant Facebook hijacking into a serious crime. Get in contact with the real person, offline and via known good communications channels, and let them know what’s going on.

The "Uncle Jackk"

The Scam: You suddenly get a friend request from "Uncle Jackk", misspelled slightly...perhaps slightly enough that you don't notice, or perhaps perfectly spelled. Oddly though, you recall accepting a friend invitation from your uncle already.

Reality: Someone has created a new Facebook account posing as the real Uncle Jack. Instead, its someone else, and they are stalking the real uncle Jack's friend-list for prey.

What to do: Don't accept, or if you already have, unfriend, and get in touch with the REAL person to let them know what’s happened.

The "Uncle Jack$$$$"

The Scam: Uncle Jack starts chatting you on Facebook, trying to sell you on some great idea he has, could be an investment opportunity, could be some other transaction.

Reality: It isn't uncle Jack. This is a classic "Nigerian" email scam, or "419" scam that has evolved with the Internet, and is now creeping into social networks. Your money will be taken, and you'll never get whatever it is you are being promised.

What to do: Unfriend(!) and again, get in touch with the REAL person.

General Social Networking Security Tips

Limit the number of friends you keep.  Befriending everyone you've ever met may not be wise.  Consider how much personal information is accessible to the people you befriend, and consider that it can also expose the information of 'friends of friends'.  It may be unsafe, and unwise to let your entire neighborhood know when you are on vacation, and as a result, when your house is vulnerable to theft, for instance.  Learn the privacy settings of the social networks you participate in, and tune them to your desired level of comfort.  Something as innocent as a photograph posted on a website can lead a predator to your location, and jeopardize your safety.

Other Social Engineering Techniques

"The Drop"/Baiting

The Scam: You're walking from your car and you happen upon a USB memory stick.  You pick it up, and when you get into the office you plug it in.  You rejoice in the free memory stick, in true "finders-keepers" form.

Reality: That USB memory stick was planted, and contains a virus.  While you rejoice, and pat yourself on the back for being so observant, a program is running on your computer, sending all your data to an off-site hacker-run computer, where it will be sifted through for valuable personal information.

What to do:  If you find a memory stick lying around, don't trust it.  Bring it to the ITS Helpdesk.  Hopefully, someone simply dropped it, but ITS can check on it safely without risking virus infection, and can hopefully find the proper owner (if it was not, in fact, a "drop").

Why it matters:  Virus infections not only take time to clean, but they can compromise important data, and the personal information of students, faculty, and staff.  A simple virus can lead to a data loss incident, with wide ranging implications, including legal implications.