Understanding social engineering to protect yourself from bad actors
Social engineering is a method of influencing a subject to perform an action that benefits the influencer. Cyber threat actors utilize social engineering techniques to trick victims into providing sensitive information, granting access to unauthorized areas, devices, or systems, and sending money or other resources for fraudulent purposes. Bad actors can perform social engineering attacks via email, over the phone and in person.
Social engineering accounts for 98% of cyber-related attacks and is the initiating method of over 70% of data breaches. To increase awareness of social engineering, this article explores several common instances of this attack method that have also been experienced at Ohio University.
What are examples of social engineering at Ohio University?
Most commonly, social engineering is experienced by Ohio University students, faculty and staff via email. The University community receives hundreds of thousands of phishing, spam and malware-laden email messages in an average week. These messages come in different variations, but they all utilize social engineering methodologies to appear legitimate or to further incentivize the recipient of the phishing message to act.
Bad actors often use features inherent to email technologies to impersonate OHIO employees, such as making an email appear to come from your own domain. When you receive an email from someone you know, you are more likely to engage with it. Additionally, phishing messages attempt to manipulate recipients with tactics such as a sense of urgency or offers that are too good to be true. If you recognize cues such as these in an email, verify that the sender is legitimate before proceeding.
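As an added illustration (not part of the original article or Ohio University's tooling), the following Python script applies the two checks this paragraph recommends to a constructed sample message: whether a From address that looks like your domain is backed by the envelope sender and the receiving server's authentication results, and whether the text carries urgency cues. The expected domain ohio.edu and the cue word list are assumptions.

```python
"""Triage heuristics for the two cues the article describes: a From header that
merely looks like your own domain, and urgency language. Standard library only;
the message below is constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "ohio.edu"  # assumption: the domain the recipient expects mail from
URGENCY_CUES = ("immediately", "urgent", "within 24 hours", "act now", "suspended")

# Constructed sample: the visible From claims ohio.edu, but the envelope sender
# is elsewhere and the receiving server recorded SPF/DKIM failures.
SAMPLE = """\
From: "OHIO Payroll" <payroll@ohio.edu>
Return-Path: <bounce@mail-notice.example>
Authentication-Results: mx.ohio.edu; spf=fail smtp.mailfrom=mail-notice.example; dkim=none
Subject: URGENT: confirm your direct deposit within 24 hours
To: student@ohio.edu

Your payroll account will be suspended. Act now: http://mail-notice.example/login
"""


def sender_findings(raw: str) -> dict:
    """Return the cues found; an empty 'flags' list means nothing suspicious."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, ret_addr = parseaddr(msg.get("Return-Path", ""))
    ret_domain = ret_addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    flags = []
    # 1. Visible From claims our domain but the bounce address points elsewhere.
    if from_domain == OUR_DOMAIN and ret_domain and ret_domain != OUR_DOMAIN:
        flags.append(f"From claims {OUR_DOMAIN} but Return-Path is {ret_domain}")
    # 2. The receiving server recorded SPF/DKIM failures for the message.
    if re.search(r"\bspf=(fail|softfail)\b", auth) or "dkim=none" in auth:
        flags.append("SPF/DKIM did not pass at the receiving mail server")
    # 3. Urgency language of the kind the article warns about.
    hits = sorted(c for c in URGENCY_CUES if c in text)
    if hits:
        flags.append("urgency cues: " + ", ".join(hits))
    return {"from_domain": from_domain, "flags": flags}


if __name__ == "__main__":
    for line in sender_findings(SAMPLE)["flags"]:
        print("-", line)
```

Authentication-Results headers are only trustworthy when written by your own receiving mail server, so in practice check that the header names your server rather than one the sender could have inserted.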
Another form of social engineering is vishing, or voice phishing. Much like receiving a deceptive email, social engineering can take place over the phone. A bad actor may call a victim seeking sensitive information. This may be a username and password, a multifactor authentication code, or even requests for banking information. It is important to verify the identity of an individual whom you are speaking with over the phone prior to providing any sensitive information. If you are concerned that you may be speaking with a scammer, you can end the current call and use known contact information to call the individual or company back.
Baiting is a social engineering attack in which a bad actor “baits” a victim to perform an action such as installing malware on a device or sharing personal information.
Using methods discussed earlier in this article, such as making promises that are too good to be true, bad actors lure victims to visit a website or call a phone number to further a scam.
Sometimes websites host malicious web advertisements intended to trick the visitor into thinking their device is infected with malware. In these cases, the malicious advertisement launches a web page that makes a loud noise, flashes a phone number, and claims there is an urgent issue with the device that requires calling the number immediately. When the victim calls, they are instead met with a scam: either the bad actor eventually asks for payment for their “service”, or they attempt to gain access to the victim’s device by having the victim install screen sharing software, and then steal the victim’s information or install malware.
Key takeaways
- Social engineering is a method used by bad actors to trick victims into performing an action or providing sensitive information that they otherwise would not. It is a common attack vector that is the initial foothold for many cybersecurity-related breaches.
- Understanding social engineering methodologies and how they are used in your work and personal environments can help you avoid the negative consequences caused by bad actors.
If you have reason to believe that an email is suspicious or if you accidentally fall victim to a social engineering email or text, report it to security@ohio.edu and visit Ohio University’s Information Security webpage to learn more.