Social Engineering
What is social engineering?
Social engineering is an attempt to get you to do something you shouldn't do. Phishing is a common type of social engineering, but these attacks can take other forms as well. Almost any communication method (email, phone, text message, social media, letter mail) can be used for a social engineering attack. Today we will expand on the topics covered in the phishing awareness messages to cover other aspects of social engineering.
How can I identify a social engineering attack?
An attacker will often use these common tactics to try to manipulate you into taking action. They will usually appear to be someone you should trust (or be intimidated by) in relation to the requested action.
When you are contacted over any medium, watch out for these warning signs:
- Deadlines - They do not want you to think too much about what they have asked you to do, so they typically put a tight timeline on the request, typically with a consequence for not meeting the deadline.
- Negative Consequences - Often the attacker will describe some consequence for not following the directions. This could range from relatively minor things like the loss of access to your account, too much more intimidating things like the threat of the police coming to arrest you.
- Positive Consequences - They may also offer a positive motivation, some sort of prize perhaps.
- Emotional Response - The consequences above are typically designed to get you to take action based on emotion, rather than reason.
- Unexpected or Unusual Requests - If the request is out of the ordinary in any way it warrants a closer look.
- Rule Breaking - Any request for you to bypass policies or procedures, including sending data insecurely, or to someone who should not be accessing that specific data.
Can you provide some examples of social engineering?
Here are some common social engineering attacks you may have heard about in the news, or experienced yourself:
- A caller from Microsoft indicates your computer has been infected with malware, and says they need to connect to your computer to fix it.
- A caller from the Canada Revenue Agency (CRA) explains that you owe money, and unless you arrange payment immediately the local police will be sent to arrest you.
- A parent calls pretending to be their adult child, looking for information from their child's student record.
- Someone calls and tells you that you have won a prize, but you need to provide your credit card to pay for shipping.
How should I respond to a social engineering attack?
If you do suspect a social engineering attack, here is what you should do:
- Disengage- Terminate the communication. Don't give the potential attacker any further opportunity to try to manipulate or intimidate you. If you are on the phone, ask if you can call them back, or just hang up if required. Don't communicate any further until you verify the request.
- Verify - Contact the person (or organization) by phone, ideally via a number you already know, or from the organization's website. Never use a number (or URL) provided in the potential social engineering attempt. Keep in mind that the phone number that appears on your caller ID, or the sender's name and address in an email message, can be easily forged.
- Report - If this is a social engineering attack, or you need help verifying the request, report it to the appropriate help desk or security team. For AU sites the IT Help Desk is a good place to start.
Online Course
A short online course is available for faculty and staff. Please visit the Online Training Courses page for more information.
Other Resources
Join the Discussion
A Yammer group has been created for AU Team Members to discuss cybersecurity related topics. Please join the discussion.
Yammer Cybersecurity Awareness Group
Updated November 09, 2020 by Digital & Web Operations, University Relations (web_services@athabascau.ca)