PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name "Perspectives From the Campus Series”, we invite experts -- immersed in the pursuit of educating their students -- to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, shares his knowledge and expertise on how social engineering has evolved and the steps you can take to avoid it.   

By David Dungan

Social Engineering manipulates people into doing one’s own bidding, likely by performing a specific task or giving up sensitive information. The attacker’s plan tends to follow a guideline of gathering information about the victim, establishing a relationship with the victim, exploiting the victim to do the attacker’s bidding, and then the attacker moves on to accomplishing their goal.

Before the Technology

Many reference the story of how the Greeks infiltrated Troy using the Trojan Horse or the biblical story of the snake tricking Eve as proof of social engineering.

However, the introduction of technology such as phones and computers has made this process easier by eliminating human interaction and allowing individuals to trick automated authentication processes.

Forms of Technology Exploitation

Phones were one of the first techniques to make the practice of social engineering easier through the removal of face-to-face interactions.Vishing is the process of social engineering using phones. Attackers will pose as individuals, such as a bank official, and will call or leave a voicemail message to lure the victim into sending sensitive information through social engineering. Smishing is another way attackers can socially engineer mass quantities of individuals through sending texts, posing as authentic entities with malicious links.

What's more, it's become a (very) big issue, as the Federal Trade Commission says nearly 200,000 people have been targeted this year alone. And, last year, people lost a total of $2.6 billion to imposter scams.

Phishing can target numerous individuals at once through a mass email. Phishing is where an attacker attempts to convince a victim into divulging information, such as tricking someone into thinking they won the lottery and need to provide sensitive information to claim their prize; or attackers may urge an individual to download malware onto their computer, masking the download as an important file or update.

Social Media

Social Media has made it easier to social engineer individuals through the collection of information on victims, different mechanisms to attack, and attackers being able to exploit a broader audience.

Many individuals often leave a digital footprint on social media, disclosing information such as their full name, city, country, birthday, etc. Attackers can use this information while researching a victim.

Additionally, attackers can harvest data by creating fake log-in pages for social media, collecting the victim’s username and password.

The Future of Social Engineering

Mitnick Security predicts deepfakes will be the newest technology to trick victims into giving up information by faking audio and video of real individuals. Additionally, they predict attackers will leverage social media credentials since numerous web applications will allow individuals to verify themselves through social media authentication measures.

We can protect ourselves against social engineering by not giving out personal information to unsolicited requests, not sharing information with individuals we do not know and trust, or on untrustworthy platforms. If you are skeptical of the legitimacy of a message, such as if the message were from the company it claims to be from, contact the company yourself and do not reply to the message. Similarly, do not open emails or text messages that do not seem legitimate or click on links or attachments in those emails/text messages.

Experts recommend if someone clicks on a malicious link or divulges personal information, they should notify the IT team (if applicable), disconnect the device from their network, change their passwords, scan the networks for malware, notify credit agencies of potential fraud, check for identity theft on bank statements and other financial statements, and contact the agency the attacker imitated to inform them of the incident.

Overall, social engineering is based on the same principles, just carried out through different means. It is meant to take advantage of the vulnerabilities of humans. Therefore, we need to consider the humans behind the computers when protecting against attacks through comprehensive user training and using spam filters whenever possible to prevent human contact with social engineering tactics. To learn more, the Cybersecurity and Infrastructure Security Agency (CISA) is a great resource that’ll help you make sense of it all, and better protect yourself against these types of attacks.