The Office of Information Security continuously works to protect our community from a wide variety of phishing activity and other security threats. Currently, the majority of the phishing threats we see involve some form of social engineering.
What is social engineering?
Social engineering attempts to manipulate people by exploiting psychology and emotions such as fear, uncertainty, and even trust. Whatever the manipulation, the goal is always the same—tricking unsuspecting victims into sending money or offering up personal and confidential information.
These types of attacks are especially common during times of upheaval and uncertainty, such as natural disasters, pandemics, and economic volatility. Attackers see crises as opportunities to prey upon their victims. Recently, our office has seen an increase in the number of attacks exploiting fears surrounding the COVID-19 pandemic.
Although these scams may hop from one crisis to another, the tactics often remain the same—exploiting emotion to manipulate victims.
What are attackers exploiting with social engineering campaigns?
In these types of attacks, the criminal relies on tactics involving psychological and emotional manipulation in hopes of building enough credibility with the victim that they feel comfortable handing over personal details or resources to the attacker.
Commonly, attackers play to their victims’ fears and anxieties, and they may attempt to exploit the trust between their victim and whoever the attacker is pretending to be. For example, a victim may receive an urgent request to purchase a gift card from someone posing as their boss, friend, or relative. The attacker intends to exploit the victim’s trust in this relationship as well as their fears about the consequences of inaction.
What are some common social engineering strategies?
- Phishing: The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information such as passwords and credit card numbers.
- Vishing: Also known as “voice phishing,” these are calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from local or legitimate phone numbers. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.
- SMiShing: SMiShing refers to phishing attacks via SMS. These scams attempt to trick users into supplying information or clicking on links in SMS messages on their mobile devices. As with vishing, flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.
- Spoofing: Disguising the source of a communication by making it appear to come from a known and reliable sender. Email addresses, phone numbers, and websites are commonly “spoofed.”
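Spoofed sender addresses usually leave traces in the message headers that a mail administrator or help desk can check: the envelope sender (Return-Path) or Reply-To domain differs from the visible From domain, and the receiving server's Authentication-Results header records SPF, DKIM or DMARC failures. The script below is an added illustration written for this page, not a tool from the Office of Information Security; both messages are constructed samples and every domain in them is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a spoofed gift-card request (not a real email).
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.edu
From: "Dean's Office" <dean@example.edu>
Reply-To: dean.office.urgent@example.org
To: staff@example.edu
Subject: URGENT - gift cards needed today

Please buy five gift cards and send me the codes.
"""

# Constructed sample of a legitimate internal message (not a real email).
SAMPLE_CLEAN = """\
Return-Path: <dean@example.edu>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dkim=pass header.d=example.edu; dmarc=pass header.from=example.edu
From: "Dean's Office" <dean@example.edu>
To: staff@example.edu
Subject: Agenda for Monday

See attached agenda.
"""


def _domain(addr_header):
    """Lowercase domain of an address header value, or '' if the header is absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw):
    """Return human-readable warnings that suggest the visible sender is spoofed."""
    msg = message_from_string(raw)
    warnings = []
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    reply_dom = _domain(msg.get("Reply-To"))
    # Envelope sender or reply address pointing at a different domain than From.
    if rp_dom and rp_dom != from_dom:
        warnings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # SPF, DKIM and DMARC results as recorded by the receiving mail server.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            warnings.append(f"{mech} result is {result}")
    return warnings


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, spoofing_indicators(sample) or ["no indicators"])
```

Only headers added by the receiving server (Return-Path, Authentication-Results) are trustworthy here; From and Reply-To are set by the sender and are exactly what a spoofer controls, which is why the check compares them against the server-added headers rather than taking them at face value.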
How can I protect myself from social engineering scams?
Because social engineering often plays to fears to induce quick action, one of the best ways to protect yourself is to remain calm when you receive a supposedly urgent or dire request. Slow down and exercise a high degree of skepticism when evaluating the message. The same good habits for avoiding phishing also apply here.
- Don’t click.
Instead of clicking on any link in a suspicious email, type in the URL, or do a search on wustl.edu for the relevant department or page. Even if a website or URL in an email looks real, criminals can mask its true destination.
- Keep your information private.
Never give out your passwords, credit card information, Social Security number, or other private information through email.
- Know what’s happening.
- Pick up the phone.
If you have any reason to think that a department or organization really needs to hear from you, call them to verify any request for personal or sensitive information. Emails that say “urgent!”, use pressure tactics, or prey on fear are especially suspect. Do an online search for a contact phone number or use the contact number published in the WUSTL directory.
- Use secure websites.
Always check if you are on a secure website before giving out private information. You can determine whether a website is secure by looking for the “https:” rather than just “http:” in the Web address bar or for the small lock icon in the Internet browser.
- Pay attention to security prompts.
If your browser cannot validate the authenticity of the website’s security certificate, you will be prompted. This is frequently a telltale sign of fraud, and it would be a good time to pick up the phone or report a suspicious message.
- Keep track of your data.
Regularly log onto your online accounts and make sure that all your transactions are legitimate.
If you are a victim of an email scam, report it to your IT department, the ISO, or HIPAA Privacy Office.
- Review your account statements.
- Reset any account passwords that may have been compromised.
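The “Don’t click” and “Use secure websites” advice above rests on two checks that can also be automated when triaging a reported message: does the visible link text name a different host than the link actually goes to, and is the destination plain http rather than https. The following script is an added example written for this page, not code from the Office of Information Security; the HTML body is a constructed sample, and the hosts other than wustl.edu are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body of a phishing-style email (not a real message).
SAMPLE_BODY = """
<p>Your account will be locked in 24 hours.</p>
<p>Verify now: <a href="http://login-verify.example.net/wustl">https://wustl.edu/verify</a></p>
<p>Questions? <a href="https://wustl.edu/contact">wustl.edu/contact</a></p>
<p><a href="https://example.com/docs">Read the policy</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Host part of a URL-like string; a bare 'wustl.edu/path' is accepted too."""
    if "://" not in text:
        text = "https://" + text
    return urlsplit(text).hostname or ""


def _looks_like_url(text):
    """True when the visible link text itself looks like a URL or a domain name."""
    return "://" in text or (" " not in text and "." in text)


def suspicious_links(html_body):
    """Return warnings for links that hide their real destination or are not HTTPS."""
    parser = _LinkCollector()
    parser.feed(html_body)
    warnings = []
    for href, text in parser.links:
        real_host = _host_of(href)
        # A plain-http destination is never acceptable for a login or data-entry page.
        if urlsplit(href).scheme == "http":
            warnings.append(f"not HTTPS: {href}")
        # Visible text that names one host while the href goes to another.
        if _looks_like_url(text) and _host_of(text) != real_host:
            warnings.append(f"text shows {_host_of(text)} but link goes to {real_host}")
    return warnings


if __name__ == "__main__":
    for warning in suspicious_links(SAMPLE_BODY):
        print(warning)
```

Hovering over a link in a mail client shows the same href this parser reads, so the manual habit and the automated check are the same comparison; the script only makes it repeatable across a batch of reported messages.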
What should I do if I believe I am being targeted by a social engineering scam?
If you think you are being targeted by a social engineering scam or any other suspected phishing attempt, please do not click on any links or download any files. Simply forward the email to firstname.lastname@example.org and delete the email from your inbox.
If you have additional questions or concerns, please reach out to us at the Office of Information Security at email@example.com. We appreciate all that you do to keep our university secure.