What is Social Engineering?
Social Engineering is the practice of deceiving someone with the express intent of breaching some level of security, either personal or professional, via the following means:
- In person
- Over the phone
- Using fake websites
- Using phishing attacks or spam (email)
- Using text message-based attacks
Two classic examples of in-person social engineering are piggybacking (following an authorized person through a secured door, which relies on the human tendency to be courteous and to trust a familiar-looking face) and shoulder-surfing (watching someone type a password or PIN, which relies on people not noticing an observer).
- An example of phone call phishing, close to home.
- FTC information about phishing via phone calls.
- An eye-opening article about spoofed/fake websites. Note: check out the side-by-side images of the real and fake websites.
- More information about phishing.
- An example/explanation of a phishing email.
- More information about smishing (SMS text phishing).
- An example/explanation of smishing.
Social engineering techniques are con games performed by con artists, and the targets may never realize they have been victimized. Phishing is one of the most common forms of social engineering: it is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication, usually email. The technical part of a phish (a spoofed sender, a look-alike website) only works because the social engineering part convinces the recipient to hand the information over.
Why Does Phishing Matter to Everyone?
- UW-System IT infrastructure is designed to protect campus computing assets with many technical controls; this pushes attackers to seek access by other means, and the most common alternative is to exploit the human factor.
- If an attacker can persuade you to give them your password, they can bypass all the controls put in place to protect sensitive systems, because they are now logging in as you. Consider the value of UW-System's intellectual property and understand that your username and password are the barrier between that sensitive information and an attacker wishing to exploit it.
- Most large organizations have a phishing participation rate (the share of recipients who click the link or respond) of around 10%. This rises when the population becomes the subject of spear phishing, which is phishing email designed specifically for the recipient.
Tricks Used By Expert Phishers
- Socially aware phishing attacks mine information about the target from publicly available resources, such as Facebook, property records, or even CCAP, and then use that specific information as content for a phishing email. Because the content deals with social situations unique to the recipient, the email is very believable and causes the recipient to drop their guard.
- Context aware phishing attacks refer to an activity you are likely to engage in, such as an Amazon.com order or a UPS package delivery. This method also convinces recipients to drop their guard and click the link, out of concern or curiosity about the validity of the claim in the email.
- Baiting is a technique in which items such as CDs or flash drives containing malicious software are left in public locations. The attackers hope that people will become curious, pick up the infected media, and plug it into their computer. Another example of baiting is a QR code on a printout posted to a community bulletin board that encodes a link to a malicious website or download; the attacker hopes members of the public will scan it with their smartphone and follow the link, potentially infecting the device. (The QR code itself is only a link; the harm comes from what the link leads to.)
Tips to Spot Social Engineering within a Phishing Attempt
- You may be asked to verify a sensitive piece of information.
- A sense of urgency is implied in the message.
- An overt or implied threat may be present.
- Flattery is used to get you to drop your guard.
- Use, and sometimes overuse of organizational knowledge is employed.
- A bribe or reward for your "help" may be offered.
How to Spot a Phish after you have Clicked on the Link
- The website address looks odd or does not match the organization it claims to be; for example, the expected name appears only as a subdomain or prefix of an unrelated domain (wisconsin.edu.something-else.example), or text before an "@" sign disguises the real destination.
- An IP address appears in the address bar instead of a domain name.
- Multiple pop-ups appear on top of a legitimate website window.
- The website contains spelling or grammar errors.
- No SSL/TLS lock is present on what SHOULD be a secure site. Note the converse does not hold: a lock only means the connection to the site is encrypted, not that the site is legitimate, and phishing sites routinely obtain valid certificates. Check the domain name next to the lock, not just the lock itself.
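The two checklists above (social engineering cues in the message, and suspicious properties of the link) can be applied mechanically as a first-pass triage. The following is an added example written for this page, not code from UW-System or from the original article. The trusted-domain list, the urgency and verification phrase lists, the two sample messages, and the "last two labels" rule for the registered domain are all assumptions chosen for illustration.

```python
"""Heuristic phishing triage: mechanical versions of the checks listed above.

Added example, not part of the original page.  TRUSTED_DOMAINS, the phrase
lists, the sample messages and the two-label registered-domain rule are all
assumptions made for illustration.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: domains whose login/tracking pages this organisation trusts.
TRUSTED_DOMAINS = {"wisconsin.edu", "amazon.com", "ups.com"}
# Assumption: wording cues for urgency/threat and for "verify your details" requests.
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "will be suspended")
VERIFY_PHRASES = ("verify your password", "confirm your username", "validate your account")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname.  Simplification: ignores multi-label
    public suffixes such as co.uk; use a public-suffix list in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def url_findings(url: str) -> list:
    """Return the suspicious properties of one URL (empty list means none found)."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").rstrip(".")
    if parsed.scheme != "https":
        findings.append("not https")
    # https://good.example@evil.example/ -- the text before '@' is userinfo, not the host.
    if parsed.username is not None:
        findings.append("credentials before '@' hide the real host: " + host)
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
        return findings  # no domain name left to inspect
    except ValueError:
        pass
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode label (possible homoglyph domain)")
    reg = registered_domain(host)
    if reg not in TRUSTED_DOMAINS:
        # Brand name used as a subdomain or prefix of an unrelated domain,
        # e.g. wisconsin.edu.account-check.example.  Coarse substring match;
        # short brand names can produce false positives.
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[0]
            if any(brand in label for label in labels):
                findings.append(f"'{brand}' appears in {host} but the registered domain is {reg}")
    if len(labels) >= 5:
        findings.append("unusually deep subdomain chain")
    return findings


def text_findings(body: str) -> list:
    """Social engineering cues in the message text (urgency, threat, verification request)."""
    lowered = body.lower()
    findings = []
    if any(p in lowered for p in URGENCY_PHRASES):
        findings.append("urgency language")
    if any(p in lowered for p in VERIFY_PHRASES):
        findings.append("asks to verify sensitive information")
    return findings


def triage(message: dict) -> dict:
    """Combine URL and text checks for one message given as {"from": ..., "body": ...}."""
    per_url = {url: url_findings(url) for url in URL_RE.findall(message["body"])}
    text = text_findings(message["body"])
    return {"urls": per_url, "text": text,
            "suspicious": bool(text) or any(per_url.values())}


# Constructed sample messages (assumptions, not real mail).
SAMPLE_PHISH = {
    "from": "UW-System Help Desk <helpdesk@wisconsin-edu-support.example>",
    "body": "Your mailbox is over quota. Verify your password within 24 hours at "
            "http://wisconsin.edu.account-check.example/login or your account will be suspended.",
}
SAMPLE_LEGIT = {
    "from": "UPS <noreply@ups.com>",
    "body": "Your package is scheduled for delivery Tuesday. Track it at "
            "https://www.ups.com/track?id=1Z999 any time.",
}

if __name__ == "__main__":
    for msg in (SAMPLE_PHISH, SAMPLE_LEGIT):
        result = triage(msg)
        print(msg["from"], "->", "SUSPICIOUS" if result["suspicious"] else "no findings")
        for url, found in result["urls"].items():
            print("   ", url, found)
        print("   ", result["text"])
```

The checks are deliberately simple and err toward flagging; the point is that every item on the lists above corresponds to something observable in the message, so a reader (or a mail gateway) can test for it rather than rely on a general feeling that something is off. The registered-domain rule and the brand substring match are the weakest parts and are where a production tool would use a public-suffix list and an exact allow list.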
How can you Combat Dangerous Phishing Attempts?
- Never give away personal information, especially username and password. UW-System will NEVER ask for such information in a legitimate communication.
- Don't let curiosity get the best of you by convincing you to click on a link just to see what happens.
- Look for the tell-tale signs discussed above.
- Always remember, no situation justifies an exception to these rules, no matter who appears to be asking or how urgent the request seems; a demand for an exception is itself a warning sign.
- If something sounds too good to be true, then it most likely is. This should serve as a sign that you may be the target of a phishing attempt.
Who to Contact for Questions/Concerns/Advice
In the past year, phishing has become more refined and more focused on the individual, making much more use of socially aware and context aware attack methods. Look for this trend to continue in the coming year, along with an uptick in phone-based phishing attempts, which use spoofed caller ID to make the recipient believe they are receiving a call from a legitimate source.