A monthly Information Security publication for the WPI community.

This month focuses on SOCIAL ENGINEERING, the use of deception to get people to provide sensitive data or access to restricted areas.

Put simply, hackers recognize that it is easier to hack a human than it is to hack a machine.

In this issue: 

  • Psychology of Social Engineering
  • Social Engineering Attack Strategies & Prevention
  • Learning with Laughter
  • Lunch & Learn
  • Meet Jeff!
  • Featured Videos
  • Book Recommendation
  • Statistics and Higher Ed
  • Diversity in Cybersecurity
  • WPI Hub Resources
  • Coming Next Month...

Psychology of Social Engineering 

Cartoon of 2 people standing atop ladders, smiling and shaking hands over a wall. Under the foreground ladder is a shadow of a person about to stab someone with a knife.

Attackers do not need cutting edge technology or action movie stunts to access confidential information or restricted areas. They count on the human factor! Psychological principles that they exploit:

  • Reciprocity - People doing favors for each other.
  • Commitment and Consistency - Sticking with what's already been chosen.
  • Social Proof - Doing things that others are doing.
  • Authority - Obeying people who are perceived to have power or seniority over you.
  • Liking - People are more easily persuaded by someone who is friendly.
  • Scarcity - People are drawn to things that are perceived to be exclusive or only for a limited time.

More detailed explanations of social engineering are at:

Social Engineering Principles in Better Call Saul (WPI Hub)
Social Engineering by the Colorado Department of Education
The Impact of the Six Principles of Influence on Cybersecurity (Intuition)

Social Engineering Attack Strategies & Prevention

How Do They Attack?

  • Pretexting - pretending to be someone else
  • Baiting & Quid Pro Quo - promising to give something valuable, often in exchange for requested info or action from the victim
  • Blackmail - threatening to reveal something if the demands are not met

False Assumptions About Cyber Criminals

The attackers rely on these common misbeliefs:

  • Criminals won’t hold conversations with you.
  • Major platforms, such as Microsoft and Google, are always secure.
  • Replying to existing emails is safe.

Read more about The Future of Social Engineering: Emerging Trends and Threats (Sennovate)

Examples of Social Engineering:  

A PHISHING email tries to trick someone into revealing sensitive information or making a payment. Smishing uses similar tactics in short message service (SMS) texting. Vishing is a vocal attempt to extract information via the phone. Spear phishing targets specific individuals using any of these methods.

PHYSICAL TACTICS are also employed, such as Credential Harvesting which gathers valid credentials to gain unauthorized access. Hoaxes trick the user into performing undesired actions, such as deleting important files to remove a virus. Invoice Scams spoof the invoice details of a genuine supplier, but change the bank account number. Tailgating attackers follow someone, who is unaware of their presence, into a restricted area.

WEBSITES lure victims through Pharming, which redirects a familiar website link to a similar, but fake, website to obtain sensitive information such as login credentials. Watering Hole Attacks use malware installed on website(s) regularly visited by an organization's members to infect their computers.

Can you spot the spoofed website in this WPI Hub article?

Protect Yourself From Spoofed Websites (WPI Hub)

Infographic from Safety Detectives titled "According to the FBI's 2020 Cybercrime Complaint Report." Text near cell phone clipart: "Number of Phishing/Vishing/Smishing/Pharming victims: 241,342." Text near gold coin clipart: "Total cost of Phishing/Vishing/Smishing/Pharming: $54,241,075."

11 Facts + Stats on Smishing in 2023 (SafetyDetectives)

How to Combat Social Engineering: Take 5 & MFA

Modern scammers prey upon your anxiety and depend upon your instant reaction. You can outsmart them by taking five minutes to defuse your reaction, take yourself out of "fight or flight" mode, and look at the message logically.

Do this method and this individual match the usual way you would receive this type of request, for example job duties, course assignments, schedule changes, or account updates?

Have you asked anyone else about this? Contact a co-worker or the supposed sender via a different channel - so if you received email, try chat, phone, or speaking in person.

Does an email appear to be from WPI, but [EXT] starts the Subject line? That indicates it originated outside of WPI.

Have you checked with WPI IT? 

Are you using MFA (Multi-Factor Authentication) through the Microsoft Authenticator App with number matching? It's the most secure method at this time, and prevents social engineering tricks through email codes and text messages. Taking the time to enter a number prevents "MFA Fatigue" where hackers rely on wearing you down with numerous requests until you finally just click "Allow" to clear the screen.
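As an added illustration (not from the newsletter), here is a small Python model of why number matching defeats MFA fatigue: an approve-only prompt is satisfied by any tap on Allow, while a number-matching prompt can only be completed by whoever is looking at the login screen where the number is displayed. The function names, the two-digit number, and the assumption that a worn-down user gives in after five prompts are all constructed for this model.

```python
import secrets

APPROVE = "approve"            # old-style prompt: tap Allow to finish the login
NUMBER_MATCH = "number_match"  # prompt shows a number that must be typed from the login screen


def mfa_prompt(mode, user_at_login_screen, user_taps_allow):
    """Model one MFA challenge. Returns True if the login is granted.

    The number is generated by the login page and shown only there, so a
    user who did not start the login has nothing to type into the app.
    """
    screen_number = secrets.randbelow(100)  # constructed: two-digit number shown on the login page
    if not user_taps_allow:
        return False                        # user ignored or denied the prompt
    if mode == APPROVE:
        return True                         # any tap on Allow satisfies the prompt
    if mode == NUMBER_MATCH:
        typed = screen_number if user_at_login_screen else None
        return typed == screen_number       # nothing to type unless you started the login
    raise ValueError(f"unknown MFA mode: {mode}")


def push_bombing(mode, prompts=20, give_up_after=5):
    """Someone who already has the password fires repeated prompts at the
    account owner's phone. The modelled owner ignores the first
    `give_up_after` prompts, then taps Allow just to clear the screen
    (the 'MFA fatigue' behaviour). Returns the prompt count at which the
    login was granted, or None if it never was."""
    for i in range(1, prompts + 1):
        fatigued = i > give_up_after
        if mfa_prompt(mode, user_at_login_screen=False, user_taps_allow=fatigued):
            return i
    return None


def legitimate_login(mode):
    """The account owner is at the login screen and approves their own prompt."""
    return mfa_prompt(mode, user_at_login_screen=True, user_taps_allow=True)


if __name__ == "__main__":
    print("approve-only prompt, granted on prompt:", push_bombing(APPROVE))       # 6
    print("number matching, granted on prompt:", push_bombing(NUMBER_MATCH))      # None
    print("owner logs in with number matching:", legitimate_login(NUMBER_MATCH))  # True
```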

Learning with Laughter 

Adorable cat with big eyes and text: Could I have the root password? Meme from 9GAG.COM. 
A large, white and gray dog is laying on the floor with dark red curtain covering half of its face and torso. The curtain is labeled "Spoofed Website" and the dog is labeled, "Attacker waiting for your login credentials."  

Lunch & Learn

Join us online Thursday, September 21 from 12:10-12:50 PM to discuss Social Engineering with LeeAnn LeClerc, CISO. 

Click the link below to view the webinar recording.

Social Engineering Webinar Recording (42 minutes)

Meet Jeff!

Jeff is wearing a black shirt and glasses. He is smiling at the camera.

I'm Jeffrey Eaton, but you can call me jeaton. I joined WPI in March 2023 as the Identity Access Management Security Engineer within the Information Security department. I work remotely from Pittsburgh, PA so you won't get to see me in person much, but I'm available via Teams or Zoom to answer any account and identity related questions you may have.

Prior to WPI, I worked at Carnegie Mellon University for 25 years in a variety of roles in systems administration, software engineering, management, and then falling into the Identity and Access Management space 11 years ago. I also earned my BS in Computer Science from Carnegie Mellon. Outside of work, I'm happily married with two kids and an adorable miniature whoodle (wheaten terrier/poodle mix).

Featured Videos 

These brief videos explain social engineering.

What is Social Engineering? (<2 min)
3 Traits of Social Engineering Attack (4 min)
2-Factor Fake Out (<1 min)

Book Recommendation

LeeAnn LeClerc, WPI CISO, recommends The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick.

WPI account holders can access the book via Gordon Library (link requires VPN if connected remotely).

The Art of Deception

The Statistics Show Social Engineering Works

Recently at WPI, just a few dozen people responded to a socially engineered phishing email. This resulted in disruption of access for over 150 accounts and numerous hours of IT labor to rectify.

Additional Social Engineering Stats:

- 98% of cyberattacks rely on social engineering.

- 90% of data breaches target the human element.

- Over 700 social engineering attacks per year are seen by the average organization.

- $130,000 is the average amount a company loses after a social engineering attack. The most common reasons are theft or data destruction.

Social Engineering Attacks by Splunk
21 Social Engineering Statistics by Firewall Times

Cyberattacks Hit Higher Ed

On August 27, 2023, the University of Michigan needed to disconnect everything from the internet for all of their campuses the day before classes started due to a cyberattack. The attack affected all 3 campuses. Approximately 120,000 people were unable to use university resources for about 4 days.

University of Michigan Shuts Down Network After Cyberattack from BleepingComputer.com
University of Michigan Reconnects to Internet from Detroit Free Press

In 2022, attackers compromised 1 person's account at Deakin University and sent a smishing campaign to 10,000 students. They also downloaded the records of 47,000 current and former students.

Smishing Attack Against Deakin University - 2022

Diversity in Cybersecurity 

Dr. Kellep Charles

Dr. Kellep Charles displays a serious expression. His hair, mustache, and goatee are all closely cropped. He is wearing a black suit, white shirt, and black tie. There is a bank of servers in the background.

WPI Hub Resources:

Thwarting Technical And Social Engineering Attacks
Email Fraud: VIP Impersonation Warning
External Email Subject Marker And Security Features
Report Phishing
Phishing Explained
Smishing And Vishing Explained

Coming Next Month...

Multi-Factor Authentication


Is there a cybersecurity topic that you would like to know more about? Please contact WPI Information Security using Get Support below.
