UCSB is participating in UC Cybersecurity Awareness Month (CSAM) during the month of October. The goal of CSAM is to increase system wide awareness about cybersecurity and to educate our campus community on ways to better protect yourselves and your devices from cyber-attacks. This week we will focus on social engineering

Social engineering in the context of IT security is “any act that influences a person to take actions that may or may not be in their best interest.” It is often a confidence trick performed to obtain access to systems and confidential data that can be part of a bigger scheme. It is still on the rise and is now the number one cause of security breaches. Scammers can trick people into acting before they think by putting them in an emotional state. 

Examples of social engineering tactics include: 

  • Desire to please: Pretending to be your boss or other authority figure and telling you to do something critical right away. 
  • Trust: Pretending to be a close friend or relative. 
  • Fear of scarcity: Saying offers are limited and/or will end soon. 
  • Threats to well-being: Pretending that you will lose access to critical resources, such as your bank account or paycheck. 
  • Euphoria/greed/entitlement: Saying you won something or you are getting a free gift. 

Types of social engineering attacks include: 

  • Phishing: The most common form of social engineering, phishing uses emails that appear to come from legitimate sources to trick people into providing their information or clicking on malicious links. 
  • Vishing: Uses social engineering over the telephone, sometimes with a rogue interactive voice response (IVR) system, to mimic a legitimate institution and persuade you to supply your credentials or other data. 
  • Smishing: Uses SMS text messaging to get you to divulge information or click on a malicious link. 
  • Spear Phishing: Similar to phishing, but the attacker customizes the email specifically for an individual to make the phish seem more real. They often target key employees with access to critical and/or confidential data.
  • Quid Pro Quo: Pretends to be a service provider and calls people until they find someone who actually requested or needs the service.
  • Baiting: Baiting relies on the curiosity of the victim. For example, a common baiting tactic is leaving malware-infected USB flash drives strategically lying around public areas. Once the infected flash drive is inserted into a user’s computer, malware is installed. Surrendering login credentials for free online music or movies is another offer that users often cannot resist. 

Students, staff, and faculty have all suffered losses from the disclosure of personal data and research to unauthorized parties. Knowing what you're up against can help you be more secure. 

Here are a few things you can do to guard against social engineering attacks: 

  • Limit what you share online. The less you share about yourself, the smaller the target you are for a social engineering attack. Cybercriminals use information you post online to learn how to gain your trust. 
  • Answer security questions with information that is not easily discerned. For example, if a possible security question is “What’s your brother’s name” and you’ve listed him on your Facebook page as your brother (or even got tagged in a picture by him saying “Me and my little sis”), you’ve just given away that answer to anyone who does a little research. Since websites still insist on using security questions like these, one alternative is to make up answers. You could base them on your best friend’s family, your second-favorite TV show, or another theme that’s easy to remember. You’ll still be able to answer the questions, and it’ll be harder for someone to social engineer or even guess the answers. 
  • Protect your credentials. No legitimate company or organization will ask for your username, password, or other personal information via email, phone, or text, including the University.
  • Beware of attachments. Email attachments are the most common vector for malicious software. When you get a message with an attachment, delete it unless you are expecting it and are absolutely certain it is legitimate. If you’re not sure, call the sender at a number you know is legitimate to check. 
  • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including email addresses, logos, and URLs that are similar to the links they're trying to imitate. There's nothing to stop them from impersonating the university, financial institutions, retailers, other service providers, or even someone you know. 
  • Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via the website, email, or telephone number that you looked up – not what was provided in the message.
  • Check the sender. Check the sender's email address. Any correspondence from an organization should come from an organizational email address.
  • Take your time. If a message states that you must act immediately or risk losing access, do not comply. 
  • Don't click links in suspicious messages. If you don't trust the email, text message, or post, don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password.

For more information, visit it.ucsb.edu/security and don’t forget to follow @UCSBInfoSec on Facebook, Twitter, LinkedIn, and/or Instagram, where you can find the most up-to-date information about events we’re hosting this year. And don’t forget to check out UCSB’s lineup of CSAM events this month! Students, staff, faculty, family, and friends are all encouraged to join and learn.