Social Engineering - Baseline & Technical IT Staff
What is Social Engineering?
Social Engineering is the practice of deceiving someone with the express intent of breaching some level of security, either personal or professional.
Social engineering techniques are essentially con games performed by scam artists. The targets of social engineering may never realize they have been victimized. Phishing is one of the most common forms of social engineering, since it relies heavily on deception to trick people into handing over information. Social engineering can take the following forms:
In-Person Social Engineering
Scammers take advantage of our trust in others to carry out their in-person social engineering exploits. Piggybacking is carried out by a social engineer who attempts to ‘play the part’ or ‘look as though they belong’ in order to gain physical access to a facility. They will often spend a substantial amount of time in advance of the attack studying what type of physical controls the facility uses (such as badge access, cipher locks, or keys) to control entry doors. They may also conduct further recon activities to find empty rooms or offices, research floor plans, or even walk through a public entrance and ask to use the restroom. All of these activities are used in furtherance of one goal: to gain full access to the facility and steal information. Once the social engineer has achieved the goal of full access, the facility can now be used as a base to conduct other operations such as setting up a wireless router or connecting a laptop to an open network port.
Shoulder Surfing is a bit less involved, since it is essentially the practice of spying on the user of an electronic device in order to obtain restricted and/or sensitive information. It is relatively easy to stand next to someone and watch as they fill out a bank form or enter a PIN at an ATM.
Phone-Based Social Engineering (“Vishing”)
Social engineers will often use vishing attacks to obtain sensitive or restricted information. This technique typically involves a scammer calling someone on the phone and pretending to be a representative from a legitimate business. The end goal here is usually to trick the user into surrendering private information that may subsequently be used for identity theft. Oftentimes the social engineer will promise a monetary reward in order to incentivize the user to divulge this information.
For more information about vishing, view the following:
Text Message-Based Attacks (“SMSmishing”)
Text message attacks are now a common social engineering technique used by scammers to obtain private user information. Often the SMS (text message) will appear to come from a legitimate company informing the user that they have won a prize. It will then prompt the user to click on a link embedded in the text to claim their prize. This is similar to a standard phishing attack because once the user clicks the link, it will direct them to a landing page where they may then proceed to enter their personal information.
Phishing is the act of attempting to acquire sensitive or restricted information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication, usually email. Phishing relies upon social engineering to complete its goal.
Why Does Phishing Matter to Everyone?
- UW-Madison IT infrastructure is designed to protect the campus computing assets with many technical controls; however, this pushes hackers to pursue access via alternate means, often choosing to exploit the human factor.
- If an attacker can persuade you to give them your password, they can evade all the controls put in place to protect sensitive systems. Consider the value of UW-Madison's intellectual property and understand that your username and password are the barrier between that sensitive or restricted information and a hacker wishing to exploit it.
- Most large organizations have a phishing participation rate of around 10%. This rises when the population becomes the subject of Spear Phishing, which is phishing email designed specifically for the recipient.
Tricks Used By Expert Phishers
- Socially Aware Phishing Attacks involve mining information about the target from publicly available resources, such as Facebook, property records, or even CCAP, and then using that specific information as content for a phishing email. Since the information deals with unique social situations which are specific to the recipient, the email content is very believable and causes the recipient to drop their guard.
- Context Aware Phishing Attacks make reference to an activity you are likely to engage in, such as an Amazon.com order or a UPS package delivery. This method of phishing also convinces recipients to drop their guard and click on the link, out of concern or curiosity about the validity of the claim within the phishing email.
- Baiting is a technique in which items such as CDs or flash drives containing malicious software code are placed in public locations. The phishers hope that people will become curious, pick up the infected media, and place it in their computer. Another example of baiting could be embedding malicious code within a QR code on a printout posted to a community bulletin board, with the hope that members of the public will scan the code with their smartphone, causing a potential malware infection of the device.
Tips to Spot Social Engineering within a Phishing Attempt
- You may be asked to verify a sensitive piece of information.
- A sense of urgency is implied in the message.
- An overt or implied threat may be present.
- There are numerous and/or obvious spelling or grammatical errors contained in the message.
- Unfamiliar or suspicious images are contained in the message and could contain executable code.
- URLs are hyperlinked in phrases such as “click here” or when hovering over the URL the address is suspicious or unfamiliar.
- Flattery is used to get you to drop your guard.
- Organizational knowledge is used, and sometimes overused, to appear legitimate.
- A bribe or reward for your "help" may be offered.
How to Spot a Phish after you have Clicked on the Link
- The website address looks odd or incorrect.
- An IP address shows in the address bar instead of a domain name.
- Multiple pop-ups appear on top of a legitimate website window.
- The website contains spelling or grammar errors.
- No SSL lock is present on what SHOULD be a secure site such as financial sites or sites dealing with your personal or medical data (below are good examples in each browser).
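The link-based tells above (a hyperlink whose visible text hides or contradicts its real destination, and an IP address where a domain name belongs) can be checked mechanically before anyone hovers or clicks. The following is an added example written for this page, not code from UW-Madison or DoIT; it uses only the Python standard library, the sample message is constructed, and the indicator names, `wisc-netid.example` and the `192.0.2.10` address are made-up illustrations.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real phish); it carries the link tells listed above.
SAMPLE_HTML = ('<p>To keep access, <a href="http://192.0.2.10/login">click here</a> or visit '
               '<a href="http://wisc-netid.example/verify">https://www.wisc.edu/verify</a>.</p>')

GENERIC_LINK_TEXT = {"click here", "here", "login", "verify now"}

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._in_link = [], False   # links: [href, visible text] pairs

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._in_link = True

    def handle_endtag(self, tag):
        self._in_link = self._in_link and tag != "a"

    def handle_data(self, data):
        if self._in_link:
            self.links[-1][1] += data

def _host(url):  # bare "www.example.com/x" link text is treated as http
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def _is_ip_literal(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def phish_link_indicators(html):
    """Return (indicator, href) tuples for each link tell found in the message."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        text = " ".join(text.split()).lower()
        if _is_ip_literal(_host(href)):  # IP address where a domain name belongs
            findings.append(("ip_address_host", href))
        if text in GENERIC_LINK_TEXT:  # "click here" hides the real destination
            findings.append(("generic_link_text", href))
        if text.startswith(("http", "www.")) and _host(text) != _host(href):
            findings.append(("link_text_host_mismatch", href))  # shown vs. real host
    return findings
```

Running `phish_link_indicators(SAMPLE_HTML)` flags both links in the sample; a message whose link text and href point at the same host returns an empty list.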
How can you Combat Dangerous Phishing Attempts?
- Never give away personal information, especially username and password. UW-Madison will rarely ask for such information in a legitimate communication.
- Hover your cursor over hyperlinks to check the URL. DO NOT click on a hyperlink until you verify whether the URL is legitimate.
- Look for the tell-tale signs discussed above.
- Always remember, there are no situations which justify exceptions.
- If something sounds too good to be true, then it most likely is. This should serve as a sign that you may be the target of a phishing attempt.
- Verify that details such as addresses, phone numbers, etc., are correct by running an internet search.
Who to Contact for Questions/Concerns/Advice
- If you have any questions regarding sensitive or restricted data, please contact your local IT staff or the DoIT Help Desk for guidance.
- If you are ever unsure whether an email message is legitimate, DO NOT RESPOND to it or forward it to anyone! Instead, contact your local IT staff or the DoIT Help Desk and ask for advice.
- To report phishing emails that appear to be from within the UW-Madison campus, go to Report an Incident.
- To report emails that appear to be spam, forward the email to email@example.com. You can also submit offending email using the report spam feature within the web or desktop email client. Learn more about submitting misclassified messages.
Additional Phishing Resources:
- Fake Websites
- An eye-opening article about spoof/fake websites. Note: Check out the side-by-side images of the real and fake websites.
Social Media Best Practices
- Customize your privacy settings and think about what you share. Be careful talking about your location, and anything that you wouldn't want your work colleagues to see.
- Don't link your social media accounts together (e.g., Facebook asking for access to Flickr, Instagram, etc.). One hacked account could potentially give a hacker access to all of them.
- Be aware of online scams. Phishing also happens via social media. Clickbait, games and apps can be malicious.
In the past year, phishing has become more refined and focused on the individual, making much more use of socially aware and context aware attack methods. Look for this trend to continue in the coming year, along with an uptick in phone-based phishing attempts, which use fake caller ID to make the recipient believe they are receiving a call from a legitimate source. The FBI keeps a list of press releases regarding current internet scams.
Phishing Campaign Stats
The Office of Cybersecurity runs monthly phishing campaigns within DoIT. Below are the click-through rates by campaign. Note that the industry average is 11%, so DoIT is doing well. If you would be interested in running a phishing campaign in your department, please contact the Office of Cybersecurity @ firstname.lastname@example.org.
| Month | Campaign | Description | Click-through rate |
|---|---|---|---|
| June 2015 | Facebook Password Reset Notification | | 3% |
| July 2015 | MyAds | Ad Campaign Compensation | 1.5% |
| August 2015 | Flipora | Fake friend request from Stefan Wahe | 4.75% |
| September 2015 | Nice to Meet You | Dating website message | 9.08% |
| October 2015 | Amazone | Order status message from online retailer called "Amazone" | 6.14% |
| November 2015 | Salary Survey | Email from fictional government organization advising users about State salary changes | 12.34% |
| December 2015 | Wisconsin Veterans Alliance | Request for donations from fictional veterans organization | 0.11% |