Social Engineering
What is Social Engineering?
Bad actors use social engineering tactics to try and convince their victims to provide sensitive or personal information, such as bank account information, or to persuade their victims into sending them money or other resources. Social engineering can be acted out via email, text messages, and even via face-to-face interactions.
Types of Social Engineering Attacks
- Ransomware is a type of attack where bad actors gain access to your information, and prevent you from accessing it, asking for money in exchange for its safe return and/or to prevent it from being shared. These attacks utilize malicious software, and often encrypt your data. Bitcoin is often requested as a method of payment.
- Email impersonation or spoofing is a forgery of a message, so it appears to have originated from a legitimate sender. This is a popular tactic by attackers as the recipient is more likely to open a message from a familiar source. These attacks often turn into gift card scams, where the attacker influences the individual to buy gift cards.
- Vishing is a type of social engineering attempt that takes place over the phone. A random number or spoofed phone number calls and a bad actor attempts to collect valuable personal information by claiming they are a debt collector or other type of customer service representative.
Social Engineering in Person
Tailgating involves following authorized persons into locked or guarded locations.
Shoulder-surfing is when bad actors look over your shoulder at your screen, hoping to see sensitive information on your device.
Dumpster-diving involves digging through discarded paperwork and other garbage to gain insight into a victim's information.
Pre-texting is a tactic involving creating false stories to gain the trust of potential victims. Baiting, a similar tactic, involves promises to entice a victim into a certain behavior.
How to tell
Social Engineering is about persuasion. Bad actors use tactics such as urgency or other emotional manipulation tactics to convince their victims to act.
- Bad actors don鈥檛 only prey on their victims' fear, but also their good nature. For example, in a social engineering attack where an adversary needs to access a physical space, they may prey on someone鈥檚 willingness to help by convincing them that they lost their staff ID or counting on an employee to hold the door to restricted spaces open for them.
- Pay close attention to who sent an email and what they are asking. Would a dean typically reach out to you requesting you complete a task? Would your manager request your cell phone number?
What to do
- Bad actors leverage national events and holidays, posing as reliable news sources. Avoid this by confirming the sender's address of any vital information, and always verifying sources of news.
- Remain suspicious of any unsolicited messages, especially ones which ask you to provide personal information or complete tasks such as purchasing gift cards.
- If you have reason to believe that an email is suspicious or if you accidentally fall victim to a social engineering email or text, report it to security@ohio.edu.