Week 5: Social Engineering

Social Engineering is the most influential type of cyber attack. Unlike more technical and involved attacks, social engineering attacks are easier to perform and more often successful. Humans are the weakest link: we react in ways that are imperfect or rushed, usually acting on emotion rather than pausing to examine the request. We can trust, but we must learn to scrutinize requests and offers. If you are unsure of the authenticity of an email, phone call, or notification, learn more about the contact, or verify its authenticity through a secondary channel, for example by phone call or by sending an email to security@uic.edu.

Just like playing cards at a table where fellow players try to socially engineer you into losing the game so they win all of the money, bad actors try to persuade you to give up access to your account. Intimidation with an urgent request, posing as an expert Microsoft Windows consultant, or asking for charity are just some examples of how bad actors use social engineering to trick their targets. Sometimes we may believe we’ve been dealt the better hand, such as a lucrative job offer, yet it’s just an elaborate Ponzi scheme designed to steal your funds. Remember, if it sounds too good to be true, it is unlikely to be sustainable and is probably fake.

Lastly, beware of responding to unsolicited emails, as they may be masked social engineering attacks. Replying to malicious mass emails confirms that your account is active and marks you as a potential victim. On an unsolicited call, don’t say anything if the caller opens with, “Can you hear me?” This is a common tactic bad actors use to record you saying, “Yes,” which they then present as proof that you agreed to a phony purchase or credit card charge. Instead, respond with something that is neither “Yes” nor “No,” such as, “Hello, how can I help you?” or another question that would prompt a human response.

To successfully protect ourselves and each other from social engineering, we should practice secure habits daily until they become second nature.

  Some of the ways in which you can protect yourself from social engineering cyber attacks:

  • Don’t give in to pressure to take immediate action by providing sensitive information or access to your accounts or devices.
  • Change all weak passwords, as these can be guessed from publicly available information about you.
  • Scrutinize all forms of contact — add trusted contacts and screen unknown contacts.
  • Verify suspicious emails through a secondary channel such as face-to-face, instant message, or phone call.
  • Research and report questionable voicemails — social defense defeats social engineering.
  • Reduce the success of social engineering attacks by reporting them and warning others about them.
  • Don’t provide your credit card number, bank account information, or other personal information to a caller or through email.
  • Never send money if the caller asks you to wire money.
  • Never cash a check you’ve received to purchase supplies or gift cards for the fraudster — your bank will hold you accountable for the cash value once it fails to receive funds from the fraudster’s account.
  • When in doubt email security@uic.edu or contact your IT department.

Now that you have a better understanding of the risks of Social Engineering Cyber Attacks, you are better prepared to combat them. You won’t easily be tricked by false job offers, fraudulent payment requests, or fake lawsuits over overdue bills that don’t exist. Reduce the success of social engineering attacks. Never trust your fellow players!