I’ve written a couple blog posts already introducing different aspects of cybersecurity, including a general introduction to the topic and a description of common password issues. Today I want to talk to you about a certain kind of cybersecurity threat called ‘social engineering.’ Although the word ‘hacking’ often evokes an image of complicated technological systems, the truth is that many hacks originate with the manipulation of humans, not their devices.

Social Engineering

Social engineering is broadly described as a way of using psychological tools to manipulate users into doing things that they would not choose to do on their own, such as making them give away their credentials or download something that they do not actually want (and which often turns out to be malware). One of the most common examples of social engineering is phishing, which most people have heard of, or have experienced for themselves by now. Other examples of social engineering include things like scareware, access tailgating, and baiting. I’ll cover some examples more below.

Even before I started my master’s degree studying this topic, I’ve always felt the cyber-insecurity of protecting myself against all threats, given the immensely complicated technological systems out there. And since starting the program, I still often feel like there is far too much pressure upon the individual to protect themself against external threats. And although I love the internet – didn’t Netflix make the early days of the pandemic less agonizingly dull?! – I also have some degree of envy for generations past that did not have to deal with the never-ending battle of trying to protect themselves online. These threats are real, and whether or not we understand technology and the tools we use every day, the truth is many security threats come down to human issues rather than technological ones.

In the following paragraphs, I will describe some commons social engineering threats. I also want to convey some of the ways that users can manage these threats to defend themselves and their workplaces.

Online, In-Person, Over the Phone

There are many types of social engineering attacks. Many of these take place on the computer, such as email phishing attacks, but social engineering can also take place elsewhere, such as over the phone or even in person. Here are some common examples:

Photo of a person using a keycard to gain entry into a secure building.
  • Email phishing – when a fake email is designed to look like it comes from a legitimate organization and asks you to engage in some way. Phishing attempts are often sent to many people with generic presets. There is minimal effort on behalf of the “social engineer,” whose goal is to find occasional success because they have contacted a high number of people.
  • Spear phishing – similar to regular email phishing but is instead sent to a small group of people or single person, and the message is tailored specifically to them. More effort required on the part of the social engineer, but with greater potential for payout.
  • Smishing – phishing over SMS text messages.
  • Tech support scams – infected websites popup information telling you that your computer is infected with malware and that you can get help by contacting a certain number or clicking a link where they will help you, but ultimately, they ask for money for the ‘fix.’
  • Trojan – items that are pretending to be something that they are not. For example, an innocent-seeming email attachment that actually downloads malware to a user’s computer, which will allow easy entry for hackers to access the device.
  • Scareware – pop-ups or email that are designed to scare you into taking fast action against a threat. If you are anxious about potential threats, you may be less likely to verify whether the message you see is true. Scareware might come in the form of a message telling you that you have a virus and you must act now (“Click this link”) to protect yourself.
  • Pretexting – a type of social engineering which might be used in conjunction with other methods, such as phishing. Pretexting uses legitimate information about the victim to form a legitimate-seeming call to action. If the hacker knows the bank you use or knows that you have student loans or knows which health insurance you use, they can use that information to try to contact you with a more believable story to try to get you to engage.
  • Access tailgating – a live and in-person version of social engineering where a person trying to gain entry to a building that requires keycard access may try to slip in behind someone else entering the building. The threat actor may say they have forgotten their keycard and ask to be let in, or alternatively they may have their hands full and ask someone nearby to get the door for them.

Social engineering attacks are based on an understanding of human psychology, and social engineers prey on human weaknesses. By identifying and exploiting human vulnerabilities, hackers can find an easily accessible opening into anything from your bank account to your workplace file server.

An All Too Common Scenario

Let’s imagine you receive an automated email that appears to come from your campus IT department. The “From” line in the email says it is from the IT department, but the sender’s email address appears slightly off from what you’ve seen before. The email says that you must click a link to reset some credentials immediately, or risk getting locked out of your account. It’s late on a Friday afternoon and you know you have more work to finish over the weekend, so while you’re not sure if any humans are still available to help you if you get locked out, you know that you need to maintain access to your accounts, so you go ahead and click the link to make sure that you can retain access.

graphic of a paper with "username" and "password" fields held up by a metal fishing hook.

You may not immediately realize that you’ve given away your credentials to a suspicious site that was designed to look like your actual campus IT webpage. Nonetheless, the hacker was able to gather your username and password when you typed them into the fake system. And now they will be able to use those credentials in the future until you’ve changed them (once you do notice, you should notify your IT department immediately and follow their recommendations, which will likely include changing your credentials to that account, and maybe to others).

This might seem like an obvious example. If you noticed that the email was sent from an address that looked incorrect, you are probably not likely to click on it. However, we all receive hundreds of emails per day, so if you’re not looking closely at the sender email on each message, that would be understandable. Additionally, while some phishing emails have some very obvious signs that they are fake, such as spelling errors including errors in the name of the person they are impersonating, some phishing emails are very clean and believable. What’s more, the fact that many of us do receive legitimate emails telling us to reset our passwords or to update our contact information muddies the waters because we must personally separate the real from the fake.

What to Do, What to Do?

So, when (not if!) you receive a message such as the one in our story above, that instructs you to take action in some way, try to investigate the request with available information before acting. It’s a good rule of thumb to avoid clicking on links or opening attachments from suspicious looking messages even if you are not positive that they are in fact suspicious. Get in the habit of doing a bit of investigation before reacting to strange emails. For example, if someone has emailed to tell you to reset your bank, work, or student (etc.) account, try going directly to the login page yourself rather than clicking on their link. In that case, you might change your credentials without needing to and waste a few minutes doing so, but you won’t have given your account access to a hacker. It is also a best practice to directly email the person you think has written to you – not just replying to the email you have now, but instead writing a new email to the address from which you have communicated with them in the past.  

Be Suspicious – But Not Too Suspicious

Unfortunately, much of playing it safe online involves being suspicious of possible attacks. We tell children that they should not talk to strangers because of concerns around “stranger danger.” We should interact with people over the internet with a similar skepticism around the other persons’ intentions, not just related to issues like stalking or catfishing, but related to the risks of malware or fraud – in the workplace and in our personal lives.

However, figuring out ways to defend yourself against social engineering can be a double-edged sword. While it is important to be skeptical of those around you – both physically around you (like in the case of access tailgating) or over the internet – it’s also important to understand how this skepticism can be unnecessarily damaging to others. Security and policing threaten different groups unequally, and cybersecurity is no different. People of color are overpoliced everywhere, including on college campuses. Students and faculty who have the right to occupy a space they are in are routinely questioned unreasonably and often asked to leave buildings that they should have access to. It is important to understand the context of your situation – just because you haven’t seen someone in your building before does not mean they aren’t supposed to be there. The risks of over policing our colleagues of color could be just as, if not even more, damaging than the risks of a stranger accessing your office. To avoid interrogating your colleagues about whether they should have access to certain spaces, perhaps consider adding extra protection to materials that you want to keep secure. If your office contains a lot of sensitive information or expensive equipment, you may consider adding additional locks to store the files or tools.

Limit the Data You Share Online

To close our post today, I have one final piece of advice: be careful about how much personal data you reveal online. Although it is easy to think “well, all my personal data is already out there somewhere so why should I protect myself now?,” that’s a pretty dangerous way of thinking. It’s true that Google and other massive tech companies likely have a lot of my information. However, that does not mean that that all my data is easily accessible to hackers. Posting too many details about yourself and your accounts on social media could make your information into low hanging fruit for hackers to access. Or could help them piece together a greater scheme.

A graphic showing different descriptions of desserts and dessert flavors based on the birth date, middle initial, and birth month of the reader. For example, birth date of 27, middle initial of R, and birth month of April, would mean that you should make a Buttery Caramel Pudding for Valentines Day.

Just for fun, and in honor of the holiday, I’ve made a quirky graphic to tell you what kind of delicious (or weird) dessert you should make for Valentine’s Day. All you need to do is note down your birth date, birth month, and middle initial. Make sure to post in the comments, so we can all share in the fun! Harmless, right?

Probably. But there is some risk.

These types of graphics make the rounds on social media periodically and everyone answers in the comments with their own amusing results. But it’s important to understand that this type of activity, innocent as it seems, could be used to collect basic information about you to be used later in a hack. Consider your passwords or answers to security questions, some of which may resemble the formula for your new favorite treat. It’s probably harmless, but I think it’s best to minimize the risk. Don’t make the jobs of hackers any easier! At the very least, they should have to put in the work to hack your accounts.

Now go forth into the world. Be careful what you reveal online, be suspicious of strange communications, pause before you react to make sure you understand the truth of the situation, and please, don’t make Cold Tangy Pancakes or Flaky Pumpkin Spice Milkshakes for yourself or anyone else next week.


Rosa Calabrese

Senior Manager, Digital Design, WCET


303-541-0219

rcalabrese@wiche.edu

Subscribe

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 2,358 other subscribers

Archive By Month

Blog Tags

Distance Education (314)Student Success (292)Online Learning (228)Managing Digital Learning (218)State Authorization (212)WCET (211)U.S. Department of Education (202)Regulation (195)Technology (166)Digital Learning (149)Innovation (125)Teaching (120)Collaboration/Community (114)WCET Annual Meeting (105)Course Design (103)Access (97)Professional Development (97)Faculty (88)Cost of Instruction (88)SAN (86)Financial Aid (84)Legislation (83)Completion (74)Assessment (69)Instructional Design (68)Open Educational Resources (66)Accreditation (64)COVID-19 (64)SARA (64)Accessibility (62)Credentials (62)Professional Licensure (62)Quality (62)Competency-based Education (61)Data and Analytics (60)Research (58)Diversity/Equity/Inclusion (56)Reciprocity (55)WOW Award (51)Outcomes (47)Workforce/Employment (45)Regular and Substantive Interaction (43)Policy (42)Higher Education Act (41)Negotiated Rulemaking (39)Virtual/Augmented Reality (37)Title IV (36)Practice (35)Academic Integrity (34)Disaster Planning/Recovery (34)Leadership (34)WCET Awards (30)Every Learner Everywhere (29)IPEDS (28)Adaptive/Personalized Learning (28)Reauthorization (28)Military and Veterans (27)State Authorization Network (27)Survey (27)Credits (26)Disabilities (25)MOOC (23)WCET Summit (23)Evaluation (22)Retention (21)Enrollment (21)Complaint Process (20)Artificial Intelligence (19)Correspondence Course (18)Physical Presence (17)WICHE (17)Cybersecurity (16)Member-Only (16)Products and Services (16)Forprofit Universities (15)WCET Webcast (15)Blended/Hybrid Learning (14)System/Consortia (14)Digital Divide (14)NCOER (14)Textbooks (14)Mobile Learning (13)Consortia (13)Personalized Learning (12)Futures (11)Marketing (11)Privacy (11)STEM (11)Prior Learning Assessment (10)Courseware (10)Teacher Prep (10)Social Media (9)LMS (9)Rankings (9)Standards (8)Student Authentication (8)Partnership (8)Tuition and Fees (7)Readiness and Developmental Courses (7)What's Next (7)International Students (6)K-12 (6)Lab Courses (6)Nursing (6)Remote Learning (6)Testing (6)Graduation (6)Proctoring (5)Closer Conversation (5)ROI (5)DETA (5)Game-based/Gamification (5)Dual Enrollment (4)Outsourcing (4)Coding (4)Security (4)Higher Education Trends (4)Mental Health (4)Fall and Beyond Series (3)In a Time of Crisis (3)Net Neutrality (3)Universal Design for Learning (3)Cheating Syndicates Series (3)ChatGPT (3)Enrollment Shift (3)Nontraditional Learners (2)Student Identity Verification (2)Cross Skilling/Reskilling (2)Higher Education (2)Title IX (1)Virtual Summit (1)Business of Higher Education (1)OPMs (1)Department of Education (1)Third-Party Servicers (1)microcredentials (1)Minority Serving Institution (1)