April News from Information SecurityThe topic for April is about other types of scams used to try and manipulate people in addition to typical phishing emails.
Cybercriminals use social engineering—manipulating people into doing what they want—as the most common way to steal information and money. Social engineering is at the heart of all types of phishing attacks—those conducted via email, SMS, and phone calls. Technology makes these sorts of attacks easy and very low risk for the attacker. Make sure you’re on the lookout for these variants on the traditional, mass emailed phishing attack we’ve come to know so well over the past few weeks:
- Spear phishing: This kind of attack involves often very well-crafted messages that come from what looks like a trusted VIP source, often in a hurry, targeting those who can conduct financial transactions on behalf of your organization (sometimes called “whaling”). These attacks are planned in advance by examining the website of the organization and gathering as much information about the organization structure as possible, to find people likely able to authorize financial transactions.
- SMiShing: Literally, phishing attacks via SMS, these scams attempt to trick users into supplying content or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.
- Vishing: Voice phishing, these are calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with SMiShing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.
- One particularly prominent version of a vishing attack involves a call, from a number that looks local, where a recorded voice will claim to be in “their employment office” on “a recorded line”. The “on a recorded line” part is is a major red flag. The next question is usually some variation of “Can you here me?”. This is the second major red flag. There is much discussion as to what happens if you simply answer “yes” to this question. Some say that the scammers will use that recorded “yes” to claim you authorized charges against your credit card or cellular phone bill or other account. Others say it doesn’t matter and the next thing that will happen is you will be bombarded with offers for all kinds of products and services, the “yes” being an acknowledgement that it is OK for you to receive these offers. Either way, its best to simply hang up and for good measure, block the number or, if your carrier and phone allow, report the call.
No matter the medium, follow these techniques to help prevent getting tricked by these social engineering attacks:
- Don’t react to scare tactics: All of these attacks depend on scaring the recipient, such as with a lawsuit, that their computer is full of viruses, or that they might miss out on a chance at a great interest rate. Don’t fall for it!
- Verify contacts independently: Financial transactions should always follow a defined set of procedures, which includes a way to verify legitimacy outside email or an inbound phone call. Legitimate companies and service providers will give you a real business address and a way for you to contact them back, which you can independently verify on a company website, support line, etc. Don’t trust people who contact you out of the blue claiming to represent your company. If you have any doubt about the email, go to the company website directly, don’t click on links in the email! If there is an issue with your bank or other service, there will be a way to verify that, either via internal messaging on the website, or a phone number, again, NOT the number in the message! Find the number on the company website, reached by going directly to in in your browser.
- Know the signs: Does the message/phone call start with a vague information, a generic company name like “card services,” an urgent request, and/or an offer that seems impossibly good? Hang up or click that delete button!
The content above is provided by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council.
Be on the lookout for new security awareness posters in the residence halls and other locations on campus in April. There will be a table in Krannert toward the end of the month. There will be another chance to win a prize at the table in Krannert.
