Recognizing when they’re trying to trick you
By Robert Olivarez
You’ve installed anti-virus software on your computer. You don’t open unexpected email attachments from unknown senders. You’re cautious, even with attachments from people you do know. You don’t send passwords (all of which you’ve made sure are strong), credit card numbers, or any other sensitive information through email. You’ve done all that you can do to protect yourself and your online data.
Then you receive a phone call from your bank. The person on the other end of the line requests some personal information to clear a problem with your account. Only it turns out the call wasn’t from your bank at all.
You’ve just been tricked. This non-technical method of getting you to share personal information is known as “social engineering,” and is a significant security threat to individuals and organizations alike.
A Brief Definition of Social Engineering
Within the context of information security, social engineering is a method of psychological manipulation used to trick people into divulging confidential information. It is often used to gather secure information, commit fraud, or obtain system and even physical facility access.
Think of it as voice-to-voice (or even face-to-face) phishing or “human hacking.” Hackers target their victims through phishing emails, phone calls, postal mail, and text messages, or by convincing someone to click a link, open an attachment, or navigate to a malicious website. By revealing secure information, the victim unknowingly provides an entrance into an otherwise protected environment for the attacker to exploit.
Social engineering differs from a traditional “con” in that it is often one of many steps comprising a more complex fraud scheme. Consequently, some high-profile security breaches are initiated through social engineering.
Social Engineering Examples
Hackers frequently use social engineering to procure passwords or gain access to financial information and accounts. For example, a recent social engineering attempt that targeted a large swathe of the American public involved phone callers — routed through Washington, DC — who claimed to be from the IRS (information from the IRS on the scam is available here and here). The callers subjected victims to threats of fines, deportation, or imprisonment if they did not settle fictitious tax discrepancies on the phone by giving credit card or bank account information, or agreeing to immediately mail a check.
The calls were not, of course, from the IRS (for the record, the IRS does not contact people regarding tax matters over the phone; the agency sends consumer communications via registered mail). But the use of official sounding (though fake) titles, a Washington, DC phone number, and abusive threats by “agents” convinced many consumers they were under investigation and had to pay.
Safeguarding Yourself at NYU
Because NYU has such a large, connected population, NYU community members are frequent targets of social engineering attempts. These are most commonly sent via email, usually from senders posing as “IT Services” or “Your IT Department” and requesting passwords and other account information. NYU will never ask you for this type of information via email. To protect yourself from such social engineering attacks, NYU Technology Security Services recommends that you use NYU Email’s built-in features to automatically filter messages from the problem sender(s) into a folder that is separate from your inbox. This will prevent you from having to see the messages every time you check your email, and will also let you archive them and check them periodically for signs that you might need to escalate an issue to the IT Service Desk, or for evidence needed to start a police investigation.
Hackers are always looking for new ways to separate people from their money, and scare tactics are just one method. Some of the hallmarks of a social engineering attempt include:
- Creating a tremendous sense of urgency. If you feel like you are under pressure to make a very quick decision, be suspicious.
- Asking for information they should not have access to (such as a password) or should already know.
- Revealing news that is too good to be true. A common example is notifying you that you won a lottery, even though you never even entered it.
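The three hallmarks above can be turned into a simple triage rule for a mailbox or a help desk queue. The following Python is an added example, not code from the article or from NYU: it scores a message one point for each hallmark family it matches (urgency, a request for information the sender should not need, a too-good-to-be-true claim) and one more when the text claims to be the IT department but the sender is outside the institution's domain. The phrase lists, the alert threshold, the `example.edu` trusted domain and the sample messages are all constructed assumptions for illustration; a real deployment would tune them against its own mail stream and treat a flag as a prompt for review, not a verdict.

```python
"""Heuristic triage for the social-engineering hallmarks described above.

Constructed example, not NYU's or any vendor's code. The regular
expressions, the trusted domain and the threshold are assumptions.
"""
import re
from typing import List, Tuple

# Each hallmark family maps to a list of case-insensitive patterns.
INDICATORS = {
    "urgency": [
        r"\bimmediately\b", r"\bwithin (24|48) hours\b", r"\bright away\b",
        r"\bfinal (notice|warning)\b",
        r"\baccount will be (suspended|closed|deactivated)\b",
        r"\b(arrest|deportation|imprison)", r"\bact now\b",
    ],
    "info_request": [
        # a verb such as "reply" followed within one sentence by "password"
        r"\b(reply|respond|send|provide|confirm)\b[^.]{0,60}\bpassword\b",
        r"\bverify your (password|account|identity|net ?id)\b",
        r"\b(credit card|bank account|social security) (number|details|information)\b",
    ],
    "too_good": [
        r"\b(won|winner|lottery|prize|jackpot|inheritance)\b",
        r"\bclaim your\b", r"\bselected (at random|to receive)\b",
    ],
}

# Claiming to be the IT department from a non-institutional address is the
# impersonation pattern the article describes. The domain is a placeholder.
TRUSTED_DOMAIN = "example.edu"  # assumption: replace with your own domain
IT_CLAIM = re.compile(r"\b(it services|it department|it support|help ?desk)\b", re.I)

ALERT_THRESHOLD = 2  # assumption: two or more indicators => flag for review


def score_message(sender: str, subject: str, body: str) -> Tuple[int, List[str]]:
    """Return (score, reasons): one point per hallmark family matched, plus
    one for an IT-department claim from outside the trusted domain."""
    text = f"{subject}\n{body}"
    reasons = []
    for name, patterns in INDICATORS.items():
        if any(re.search(p, text, re.I) for p in patterns):
            reasons.append(name)
    domain = sender.rsplit("@", 1)[-1].lower()
    inside = domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)
    if IT_CLAIM.search(text) and not inside:
        reasons.append("it_impersonation")
    return len(reasons), reasons


def triage(messages):
    """Label each (sender, subject, body) triple as 'flag' or 'ok'."""
    results = []
    for sender, subject, body in messages:
        score, reasons = score_message(sender, subject, body)
        label = "flag" if score >= ALERT_THRESHOLD else "ok"
        results.append((label, score, reasons))
    return results


# Constructed sample messages (not real mail) covering the three hallmarks
# and one benign message that should pass.
SAMPLES = [
    ("itservices@mail-verify.example.com",
     "Final notice: account will be suspended",
     "This is IT Services. Your mailbox quota is exceeded. Reply immediately "
     "with your NetID and password to verify your account."),
    ("promo@lucky-draw.example.net",
     "You have been selected to receive a prize",
     "Congratulations, you are a lottery winner! Claim your prize within 24 hours."),
    ("professor@example.edu",
     "Problem set due Friday",
     "Reminder that the problem set is due Friday. Office hours are at 3pm."),
]

if __name__ == "__main__":
    for (sender, subject, _), (label, score, reasons) in zip(SAMPLES, triage(SAMPLES)):
        print(f"{label:4} score={score} {sender}: {subject} {reasons}")
```

Run as a script, the first two constructed messages are flagged (the fake IT Services mail matches urgency, an information request and the impersonation rule; the lottery mail matches urgency and too-good-to-be-true) and the course reminder scores zero. Keyword rules like these produce false positives on legitimate urgent mail, so a flag should route a message to a quarantine or review folder, in the spirit of the filtering advice above, rather than delete it.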
One Attack, Multiple Access Points
If a hacker socially engineers their way to your email password, he or she will have access to not just the contents of your email account, but new routes to attack other online accounts. Once the hacker has control of one email password, he or she can start sending email messages to contacts in your address book. The hacker can trick those email recipients into opening email from your hacked account, which then provides a vector for attacking their accounts.
The hacker can also use your email to reset and recover passwords to other accounts, including social media profiles like Facebook and Twitter. And because many people ill-advisedly use only one password, the hacker could have access to your social media accounts as well. For instance, the impersonator can leave comments on your social media pages, potentially extending their reach to your connections, followers, and friends.
Personal information that is public on Facebook, Twitter, LinkedIn, Google+, and other social media can reveal answers to the common security questions meant to protect passwords from third parties, and so open users to social engineering attacks. Profile information such as your mother’s maiden name, home address, and date of birth can be easily harvested by a potential hacker. Additionally, the hacker can use your information to impersonate you or to try to influence you by pretending to know something about you that you assume would only be known by a friend or someone with official access to your information.
“It’s nearly impossible to detect you’ve been socially engineered,” said Daniel Cohen, head of knowledge delivery and business development for RSA’s Fraud Action group, who says malicious social engineering is one of the biggest problems for data security. “As long as there’s a conscious interface between man and machine, social engineering will always exist.”
But the more you learn, the more empowered you’ll be to recognize and thwart these attacks.
Detecting and Stopping Social Engineering Attacks
To battle social engineering techniques, know your data and how to protect it against exfiltration (unauthorized transfer of data). Malicious social engineering attacks are on the rise and branching out beyond the financial sector.
While NYU has developed Security Awareness training and ServiceLink knowledge base FAQs, these training courses can only go so far. Account holders should realize that there are people who troll social media and use other effective tools to snare and impersonate their victims, and extract information.
The simplest way to defend against social engineering attacks is to use common sense. Use secure browser settings when possible and monitor your browsing history to ensure that you recognize all of the sites listed in it. If something seems suspicious or does not feel right, it may be an attack.
If you suspect someone is trying to make you the victim of a social engineering attack, stop communication with the person. If you suspect a phone caller is a hacker, hang up. If you see signs that an online chat message appears to be from an impersonator, terminate the connection. Finally, if you receive an email from a sender you do not know and trust, delete it. Be sure to report any work-related attacks to the NYU IT Service Desk right away.
Additionally, secure your data on social networking sites. Since attackers can build an identity profile on you based on what you post, consider adopting the following best practices:
- Check the site’s support documentation and set privacy controls to restrict access to your personal data and limit the amount of personal data you publish.
- Establish and maintain connections with only people you know and trust, and review your connections often.
- Avoid displaying profile information such as “current city” and “hometown.” This information can be used to guess the answers to your security questions, and later used to reset an email account or bank PIN.
- Be careful when posting photos of yourself. Make sure the privacy settings hide photo(s) from public view.
Ultimately, if you want something kept private, the only sure way not to inadvertently disclose it online is to not post it at all.
Help and Additional Assistance
Although social engineering attempts happen frequently, exercising some precaution and skepticism goes a long way towards protecting you and your data. Remember: NYU will never ask that sensitive information be sent through email. If you receive a call or email from someone claiming to represent NYU, your bank, or another institution with which you are involved, and you are unsure whether it is genuine, call the official phone number posted on the institution’s website or on the back of your ATM or credit card (not the number that dialed you, or one that appears in a suspect email or voice message).
If you think you have been the victim of social engineering that might have put you or your NYU identity at risk, report it by contacting the NYU IT Service Desk.