Letter from the CISO, Vol 2 Issue 10
Washington University Community:
I often encourage everyone to “be vigilant, skeptical, and a little paranoid,” and I usually provide a few pointers on things to watch out for and what to do when (if) you see them.
Which Half Are You In?
A recent report concluded that half of all users never receive phishing emails, while the other half receive an average of 32 per year!
I’m not particularly surprised by this, as I’ve seen that my mother gets scam phone calls in spurts. Typically she engages with a scammer on the phone for a while before remembering to call me, at which point I remind her that we don’t use that bank or insurance company. Then we worry about what information she may have given away.
She seems to get even more calls for the next month, with various con lines. These bad actors, known as social engineers, are looking for a way to get what seems to be a trusting (future) victim on the hook. In other words, if there’s any indication that you might bite the hook, the malicious actors will redouble their phishing efforts to reel you in.
Please understand that it isn’t your fault if you are one of the unlucky people receiving many phishing messages! These calculating social engineers trying to do bad things are to blame.
Ten Social Engineering Techniques Used by Hackers
I usually try to provide just one big thing for everyone to be aware of or do. But this month, I’m painting a more complicated picture because there are as many ways to socially engineer or con people as there are people.
The unifying theme is that social engineering attackers use human nature to their advantage in any way they can. They prey on our trust, fear, curiosity, and desire to help others.
Fortunately, the main lines of attack fall into groups or themes, explored in a recent article by Carlos Salas.
- Baiting involves using a false promise to lure you into taking the bait and doing something you wouldn’t normally do. It could be as simple as leaving an infected USB memory stick somewhere, tempting people to see what’s on it or to use it, or trying to find some indication of who to return it to. Never try to check what’s on USB devices you find; instead, deliver them to the security team so we can use special equipment to check and clean them as needed. (We’ll give them back if we can’t find the owner and can ensure they are safe.)
- Pretexting is when a fictional scenario (a pretext) is used to convince you to disclose sensitive information. For example, it could be personal information about yourself or other employees. With tax season in full swing, tax information is a common target.
- Watering hole attacks compromise a website the targets already visit, or set up a convincing fake that mimics one. Because users already trust the site, they don’t hesitate to use it, which lets attackers infect targeted computers, gain access to everything on those computers, and possibly reach the target’s work network.
- Quid pro quo takes advantage of people’s desire to play fair and reciprocate the kind behaviors of others. Attackers offer to help but to do so, they need a little information. For example, a supposed IT expert might need your login credentials to make your computer run faster.
- Scareware incorporates a sense of urgency. Many of us have seen pop-up warnings that your computer has a virus or has out-of-date software. All you need to do is click the link to buy some worthless or malicious “antivirus” software. Use an ad-blocker and reputable antivirus program, and avoid clicking on pop-ups.
- Tailgating and piggybacking are ways attackers gain access to secure or restricted areas. For instance, someone might try to tailgate you into your office or apartment building. One trick is to have both hands full with packages or coffee cups to encourage you to help with the door. In this case, you could offer to hold their packages while they get out their ID card.
- Vishing, or ‘voice phishing,’ is the phone call version of an email phishing attack. The malicious actor tries to elicit information or influence someone by telephone. Avoid responding to emails or social media messages that ask for your phone number. Remember that your friends and colleagues will never call you at home asking you to transfer funds or hand over sensitive information.
- Shoulder surfing happens when someone looks over your shoulder to see confidential information or watch you enter your password. A related trick is the Automatic Teller Machine (ATM) card skimmer: a false reader placed over the card slot captures the card’s data as it is inserted, while a hidden camera records the entry of your PIN. This allows the bad actor to clone your card and withdraw your cash using your PIN. The defense is to shield the keypad with your hand while entering your PIN and to watch for loose or unusual add-ons on ATMs.
- Dumpster diving can happen when you don’t shred your confidential documents before disposing of them. The social engineer can go through your trash and acquire confidential information that allows them to impersonate you with your bank and other vendors or even steal your identity.
- Deep fakes have been in the press recently. Generative AI tools (the same family of technology behind ChatGPT) make it relatively easy to fake a person’s voice or video. This means that extra steps need to be taken to avoid falling prey to them. The easiest is to hang up and call the person back on a phone number you already know to be the right one for them, just to verify the call’s authenticity. Another is to ask questions about family and personal life that require deeper knowledge to answer. If there are unusual delays in responding, that’s a good reason to be suspicious.
What Can You Do?
Now that you know more about these common avenues of attack, I will return to my usual message of encouraging you to be vigilant, skeptical, and a little paranoid. But now you are equipped with more information about the different ways malicious actors will try to take advantage of you.
Please also help your friends and family be wiser about these cons. If you’re reading these articles, you are more expert than most people you know!
Thank you for reading and being members of the university’s information security team.
Good luck and be careful out there!
-Chris Shull, CISO
1) Salas, Carlos, “Ten Social Engineering Techniques Used by Hackers,” 2/24/2023, https://businessplus.ie/tech/social-engineering-techniques-used-by-hackers/.