Don’t Let the Urgency Fool You! – Cybersecurity Introduction Part III
Published by: WCET | 2/9/2023
I’ve written a couple blog posts already introducing different aspects of cybersecurity, including a general introduction to the topic and a description of common password issues. Today I want to talk to you about a certain kind of cybersecurity threat called ‘social engineering.’ Although the word ‘hacking’ often evokes an image of complicated technological systems, the truth is that many hacks originate with the manipulation of humans, not their devices.
Social engineering is broadly described as a way of using psychological tools to manipulate users into doing things that they would not choose to do on their own, such as making them give away their credentials or download something that they do not actually want (and which often turns out to be malware). One of the most common examples of social engineering is phishing, which most people have heard of, or have experienced for themselves by now. Other examples of social engineering include things like scareware, access tailgating, and baiting. I’ll cover some examples more below.
Even before I started my master’s degree studying this topic, I’ve always felt the cyber-insecurity of protecting myself against all threats, given the immensely complicated technological systems out there. And since starting the program, I still often feel like there is far too much pressure upon the individual to protect themself against external threats. And although I love the internet – didn’t Netflix make the early days of the pandemic less agonizingly dull?! – I also have some degree of envy for generations past that did not have to deal with the never-ending battle of trying to protect themselves online. These threats are real, and whether or not we understand technology and the tools we use every day, the truth is many security threats come down to human issues rather than technological ones.
In the following paragraphs, I will describe some common social engineering threats. I also want to convey some of the ways that users can manage these threats to defend themselves and their workplaces.
There are many types of social engineering attacks. Many of these take place on the computer, such as email phishing attacks, but social engineering can also take place elsewhere, such as over the phone or even in person. Here are some common examples:
Social engineering attacks are based on an understanding of human psychology, and social engineers prey on human weaknesses. By identifying and exploiting human vulnerabilities, hackers can find an easily accessible opening into anything from your bank account to your workplace file server.
Let’s imagine you receive an automated email that appears to come from your campus IT department. The “From” line in the email says it is from the IT department, but the sender’s email address appears slightly off from what you’ve seen before. The email says that you must click a link to reset some credentials immediately, or risk getting locked out of your account. It’s late on a Friday afternoon and you know you have more work to finish over the weekend. You’re not sure whether any humans are still available to help you if you do get locked out, but you know that you need to maintain access to your accounts, so you go ahead and click the link to make sure that you can retain access.
You may not immediately realize that you’ve given away your credentials to a suspicious site that was designed to look like your actual campus IT webpage. Nonetheless, the hacker was able to gather your username and password when you typed them into the fake system. And now they will be able to use those credentials in the future until you’ve changed them (once you do notice, you should notify your IT department immediately and follow their recommendations, which will likely include changing your credentials to that account, and maybe to others).
This might seem like an obvious example. If you noticed that the email was sent from an address that looked incorrect, you are probably unlikely to click on it. However, we all receive hundreds of emails per day, so if you’re not looking closely at the sender email on each message, that would be understandable. Additionally, while some phishing emails have very obvious signs that they are fake, such as spelling errors, including errors in the name of the person they are impersonating, some phishing emails are very clean and believable. What’s more, the fact that many of us do receive legitimate emails telling us to reset our passwords or to update our contact information muddies the waters, because we must personally separate the real from the fake.
So, when (not if!) you receive a message such as the one in our story above, that instructs you to take action in some way, try to investigate the request with available information before acting. It’s a good rule of thumb to avoid clicking on links or opening attachments from suspicious-looking messages even if you are not positive that they are in fact suspicious. Get in the habit of doing a bit of investigation before reacting to strange emails. For example, if someone has emailed to tell you to reset your bank, work, or student (etc.) account, try going directly to the login page yourself rather than clicking on their link. In that case, you might change your credentials without needing to and waste a few minutes doing so, but you won’t have given your account access to a hacker. It is also a best practice to directly email the person you think has written to you – not just replying to the email you have now, but instead writing a new email to the address from which you have communicated with them in the past.
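As an added illustration (not from the original post), here is a small Python check that applies the post’s own heuristics to a constructed copy of the email from the story: it compares the sender’s real address with the campus domain, looks for urgency phrasing, and checks whether each link actually points at the campus domain. The domain campus.example and both sample messages are assumptions made up for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the campus IT department really sends mail from this domain.
TRUSTED_DOMAINS = {"campus.example"}
URGENCY_WORDS = ("immediately", "locked out", "within 24 hours", "urgent")

# Constructed sample: the "slightly off" sender and urgent link from the story.
PHISH = """From: Campus IT Department <helpdesk@campus-it-support.example>
To: you@campus.example
Subject: Action required: credential reset

Your account will be locked out unless you reset your credentials immediately:
https://campus-it-support.example/reset
"""

# Constructed sample: a routine notice from the real domain, no urgency, real link.
LEGIT = """From: Campus IT Department <helpdesk@campus.example>
To: you@campus.example
Subject: Scheduled password rotation

Please visit https://accounts.campus.example/ at your convenience to rotate your password.
"""


def is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyze(raw: str) -> list[str]:
    """Return the red flags found in one raw email message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    _display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if not is_trusted(sender_domain):  # display name can say anything; the address matters
        flags.append(f"sender address domain {sender_domain!r} is not the campus domain")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    hits = [w for w in URGENCY_WORDS if w in body.lower()]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if not is_trusted(host):
            flags.append(f"link points to {host!r}, not the campus domain")
    return flags
```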
Unfortunately, much of playing it safe online involves being suspicious of possible attacks. We tell children that they should not talk to strangers because of concerns around “stranger danger.” We should interact with people over the internet with a similar skepticism about the other person’s intentions, not just in relation to issues like stalking or catfishing, but in relation to the risks of malware or fraud – in the workplace and in our personal lives.
However, figuring out ways to defend yourself against social engineering can be a double-edged sword. While it is important to be skeptical of those around you – both physically around you (as in the case of access tailgating) and over the internet – it’s also important to understand how this skepticism can be unnecessarily damaging to others. Security and policing threaten different groups unequally, and cybersecurity is no different. People of color are overpoliced everywhere, including on college campuses. Students and faculty who have the right to occupy the space they are in are routinely questioned unreasonably and often asked to leave buildings that they should have access to. It is important to understand the context of your situation – just because you haven’t seen someone in your building before does not mean they aren’t supposed to be there. The risks of over-policing our colleagues of color could be just as damaging as, if not more damaging than, the risks of a stranger accessing your office. To avoid interrogating your colleagues about whether they should have access to certain spaces, consider adding extra protection to the materials that you want to keep secure. If your office contains a lot of sensitive information or expensive equipment, you may consider adding additional locks to the places where the files or tools are stored.
To close our post today, I have one final piece of advice: be careful about how much personal data you reveal online. Although it is easy to think “well, all my personal data is already out there somewhere, so why should I protect myself now?”, that’s a pretty dangerous way of thinking. It’s true that Google and other massive tech companies likely have a lot of my information. However, that does not mean that all my data is easily accessible to hackers. Posting too many details about yourself and your accounts on social media could turn your information into low-hanging fruit for hackers to access, or could help them piece together a larger scheme.
Just for fun, and in honor of the holiday, I’ve made a quirky graphic to tell you what kind of delicious (or weird) dessert you should make for Valentine’s Day. All you need to do is note down your birth date, birth month, and middle initial. Make sure to post in the comments, so we can all share in the fun! Harmless, right?
Probably. But there is some risk.
These types of graphics make the rounds on social media periodically and everyone answers in the comments with their own amusing results. But it’s important to understand that this type of activity, innocent as it seems, could be used to collect basic information about you to be used later in a hack. Consider your passwords or answers to security questions, some of which may resemble the formula for your new favorite treat. It’s probably harmless, but I think it’s best to minimize the risk. Don’t make the jobs of hackers any easier! At the very least, they should have to put in the work to hack your accounts.
Now go forth into the world. Be careful what you reveal online, be suspicious of strange communications, pause before you react to make sure you understand the truth of the situation, and please, don’t make Cold Tangy Pancakes or Flaky Pumpkin Spice Milkshakes for yourself or anyone else next week.