Understanding and defending against social engineering threats

trudie Academic staff, IT News, StirCyberSec

Welcome to the newest installment of our ongoing cyber security campaign. View the previous posts in the series:

October 2023 – Introduction to Cyber Security

November 2023 – Types of Cyber Security Threats

This month we’re focusing on social engineering: what it is, why it’s a cyber security problem, and how you can protect yourself and the University from this type of threat.

Social engineering

This is a tactic used by cyber criminals to manipulate individuals into performing actions or divulging confidential information. It uses sophisticated principles of human psychology and behaviour rather than exploiting technical vulnerabilities. The University is a prime target for this type of attack because we house large amounts of a great variety of data, so a successful attack could be highly rewarding for cyber criminals.

Social engineering takes various forms, but fundamentally they are all designed to exploit different aspects of your hardwired human behaviour by building trust, taking advantage of human error, luring you with prospective rewards or creating a sense of urgency. Common types of social engineering attacks include:

  • Phishing is the most common social engineering attack, in which cyber criminals send fraudulent emails or messages that appear to be from a legitimate, trusted source, such as your bank or a social media platform you use. These messages will often contain links to spoofed websites, designed to trick you into entering your login details or other sensitive information. They may also contain attachments with malware (malicious software) hidden within.
  • Pretexting involves an attacker creating a false pretext or scenario to trick you into divulging sensitive information. This could involve posing as a colleague, a contact from another organisation, a customer service representative, or even a friend to gain your trust and trick you into providing information or downloading malware.
  • Baiting is a technique that involves criminals offering an enticement to lure you into compromising your security. An unsolicited email, for instance, might offer a free gift card or prize in exchange for your personal details or login credentials.
  • Tailgating is a physical security risk rather than a digital one. Tailgating occurs when an unauthorised person follows someone with legitimate access into a secured area. It can feel natural to hold the door for someone behind you, and it can be awkward to confront people demanding they prove they have authorisation to access a space. Cyber criminals can exploit this feature of human behaviour to gain physical access to sensitive data or systems.

Practical tips to protect yourself and the University

  • Vigilance about suspected phishing attempts is crucial. Phishing attacks are by far the most common type of cyber threat faced by higher education institutions, with a recent survey showing 100% of HE institutions had identified phishing attacks within the previous 12 months.
  • Exercise caution with all links and attachments. Be suspicious of unsolicited emails and Teams messages, and do not download attachments from unknown or unverified senders.
  • Use your mouse to hover over links to see where they lead. If it’s an unexpected URL don’t click it; you can use a search engine instead to find ‘Facebook customer service’ or ‘Microsoft account management’, and your results there are more likely to be benign.
  • Don’t fall prey to a sender’s urgency. Give yourself time to consider your suspicions, and if possible verify the sender’s identity in an alternative way, by sending a new email to a known address, calling a known phone number, or using a search engine to verify a sender’s organisation and contact details.
  • Maintain a healthy suspicion of anything you receive that seems too good to be true. Find an alternative way to verify information about unexpected prizes, unsolicited requests and urgent calls for action.
  • Treat USB drives with caution, as they can contain malware that can be installed anywhere they’re connected.
  • Protect your personal data and financial information just as you protect your physical belongings. You likely lock the door to your home or vehicle, and you likely store your valuables out of sight and reach of criminals. Your data and the University’s data should be similarly secure.
  • If you’re accessing a secure or restricted physical space where a criminal could gain an advantage, don’t be afraid to confront someone to verify their identity or access privileges.

Report suspicious incidents and communications

  • Report any suspicious communications to: askIT@stir.ac.uk
  • Flag all suspected phishing emails through the Report function in Outlook:

Complete your Cyber Security Training

The most important defense against social engineering attacks is awareness. Raise yours by taking part in the free training available to all staff and students through the Metacompliance app, accessible directly here: https://universityofstirling.metacompliance.com/

Or through Teams along the left-hand side navigation bar:

If you want to see a dramatisation of a social engineering attack in action, take a look at this video, Anatomy of an Attack: Inside the Mind of a Hacker Social Engineering Inside the Mind of a Hacker – YouTube

Let’s work together to prevent the loss or theft of valuable data.