The Download: Feature Articles
Social Engineering: What Is It and How Can You Protect Yourself
By Leila Sharma | October 11, 2022
Recognizing When They’re Trying to Trick You
You receive a phone call from your bank. The person on the other end of the line requests some personal information to clear up a problem with your account. You supply the requested information after confirming that the number on your caller ID display is your bank’s number... only it turns out the call wasn’t from your bank at all. You’ve just been tricked.
This method of getting you to share personal information is known as “vishing,” or voice phishing, which is a type of social engineering attack that occurs via phone call. Remember—phishing messages use social engineering to trick you, but social engineering is not limited to email and embedded links and attachments. Although social engineering most commonly occurs in email, these attempts can also occur via phone calls, text messages, social media links or connection requests, web pop-ups, and face-to-face communication.
How Social Engineering or “Hacking the Human” works
Social engineering is a method of psychological manipulation used to trick others into divulging confidential or sensitive information or taking actions that are not in their—or NYU's—best interest. Rather than defeating strong technical defenses head-on, scammers circumvent them by undermining your own defenses, exploiting your sense of:
- familiarity with the brand, person, entity, or type of request being made
- reciprocity, or the natural give and take that occurs in social interactions
- commitment, or the willingness to support a cause, idea, or belief you have already dedicated yourself to
- social proof, or the natural inclination to provide information to a requestor and receive validation for doing so
- authority, or the natural inclination to follow instructions from a higher-up
- scarcity, or the desire for something desirable that’s in short supply
Further, social engineers may use pretexting (masquerading as someone else), a sense of urgency, fear, empathy, curiosity, or excitement to get you to respond and act quickly.
Social engineering differs from a traditional “con” in that it can be one of many steps comprising a more complex fraud scheme—a “long con.” Many security breaches have been initiated with social engineering. For example, the recent Uber breach began with a phishing message sent to an employee by a hacker claiming to be someone from the company’s IT department. Once that employee's account was compromised, the hacker used lateral movement and privilege escalation to gain full access to Uber’s systems.
Deepfakes, considered an emerging trend in social engineering for 2022, rely on AI (artificial intelligence) technology to manipulate people by presenting credible fake images, fake videos, or fake audio recordings of real people, all of which contribute to the phenomenon of “fake news.” Deepfakes have been used to commit fraud, spread disinformation, and influence outcomes.
Deepfakes often appear on social media, where messages can be posted freely and amplified by bots. For information on how to identify deepfakes, and verify facts being presented, see the NYU IT Security News & Alerts blog post, Spotting Disinformation on Social Media. For more information on other emerging social engineering trends, see the following Datamation article, Social Engineering Trends in Cybersecurity.
How social engineers select their targets
Social engineers may target you individually or as part of a group. They gather most of the information they use from social media and public-facing websites. This is why it's always advisable to limit what you share about yourself, others, and your employer online. When setting up passwords, remember that personal information that is public on Facebook, Twitter, LinkedIn, Instagram, TikTok, and other social media can reveal the answers to the common security challenge questions meant to protect your passwords; it can even be used to crack passwords and expose you to further social engineering attacks. Protect your personally identifiable information, such as your mother’s maiden name, address, and date of birth.
How big of a threat do social engineering scams pose?
Colleges and universities are prime targets for cyberattacks because of their research data and the large amount of financial data and PII (Personally Identifiable Information) they hold. According to a 2022 Proofpoint report, 95-98% of attacks on individuals and corporations involve social engineering, at a global cost of 1.6 billion. According to a 2021 survey conducted by Campus Technology, higher education institutions spent an average of $366,000 to recover from each attack experienced.
Safeguarding Yourself and NYU:
- Take the time to view your electronic messages carefully, even when a message appears to be from someone that you know.
- Look out for a sense of urgency, scare tactics, an unfamiliar tone or an unexpected/unusual request or news that sounds too good to be true.
- Don’t click on embedded links or open attachments that you’re not expecting to receive.
- Don’t click on file shares you were not expecting to receive, e.g., Box and Google Drive.
- If you have any doubt about the legitimacy of a message, contact the sender using a trusted means of communication.
- Be suspicious of communications on unexpected platforms or channels asking you for sensitive work or personal information.
- Be suspicious of any unusual requests for sensitive information or money, including gift cards, and verify all such requests directly with the requestor using a trusted means of communication.
- Don’t let unknown people into restricted spaces without showing or swiping the required pass or ID, even when they have their hands full. Social engineers are betting you’ll put courtesy before safety and security.
- Be suspicious of callers claiming to be from government agencies who ask you to confirm or provide your sensitive information. Remember, even if a phone number looks familiar, the caller may not be who you think it is.
- Do not provide your login credentials to anyone claiming to be from NYU IT. NYU IT will never ask you for this information.
- Follow Wi-Fi best practices including the use of VPN (Virtual Private Network) to keep your personal information secure when on the go.
- Use MFA (multi-factor authentication) on all available accounts to strengthen your login.
- Disable Wi-Fi and Bluetooth when not in use.
- Check your social media privacy settings regularly; as options change, make sure your current selections still match your preferences.
- Maintain a clean desk and lock your screen and secure sensitive information before stepping away.
- When traveling, keep your devices within reach and report lost or stolen NYU-owned devices to Campus Safety.
- Return all found USB drives to Campus Safety and do not attempt to connect them to a device to determine ownership.
- Explore training available on Social Engineering and other cybersecurity topics via nyu.edu/it/security/training/login.
- Explore NYU’s Safe Computing website for cybersecurity tips on a variety of topics.
- Report any known or suspected security incidents to firstname.lastname@example.org.
- Report Phishing messages received to email@example.com and do not forward suspected phishing messages to others.