Social Engineering Attacks

Posted: August 8, 2024

The Office of Information Resources and Technology (OIRT) wants to urgently address a critical concern affecting your online safety and ours: social engineering attacks. Cybercriminals use these sophisticated tactics to manipulate individuals into divulging confidential information or making unauthorized transactions.

Detailed Concerns

  1. Conversation Hijacking
    • What Happens: Cybercriminals gain unauthorized access to digital conversations (emails, messaging apps) to gather personal or business information.
    • Risk: Using the information gained, these attackers craft highly personalized and convincing messages, often requesting money transfers under the guise of legitimate requests.
    • Example: An attacker could intercept an ongoing project discussion and later impersonate a trusted colleague, requesting urgent fund transfers for supposed project expenses.
  2. Business Email Compromise (BEC)
    • What Happens: Attackers impersonate high-ranking officials or trusted sources to deceive faculty, staff, or students into executing financial transactions.
    • Risk: Typically involves requests for transferring funds via gift cards or wire transfers to fraudulent accounts.
    • Example: An email seemingly from a department head asks an employee to purchase gift cards and send back the scratch codes, supposedly for client gifts.
  3. Extortion
    • What Happens: Threats to expose sensitive, confidential, or embarrassing information unless a ransom is paid.
    • Risk: Compromises personal and institutional integrity and may lead to significant financial losses if not addressed.
    • Example: An attacker threatens to release compromised personal photos or emails unless they receive a specified amount in cryptocurrency.
  4. Password Reuse
    • What Happens: Using the same password across multiple platforms and sites.
    • Risk: If one account is breached, attackers can potentially access other accounts, leveraging the same credentials.
    • Example: A password from a breached social media account is used to attempt access to a university email system.

Recommended Remediations

  1. Double-Check Requests
    • Action: Always verify the authenticity of requests for sensitive information or financial transactions by contacting the requester directly using a known and trusted method.
    • Tip: Use phone verification or a previously established email thread rather than replying to the suspicious email.
  2. Exercise Caution
    • Action: Be skeptical of unsolicited requests or any communications pressuring immediate action.
    • Tip: Look for generic language, spelling errors, and unfamiliar sender addresses, which often signal phishing attempts.
  3. Strengthen Password Practices
    • Action: Avoid using the same password for multiple sites. Use a reputable password manager.
    • Tip: Enable multi-factor authentication on all accounts that offer it, providing an additional layer of security.

Immediate Steps If Targeted

If you suspect you have been targeted by a social engineering attack or notice any unusual activity, please contact OIRT immediately. Quick reporting can significantly mitigate potential damage and help in taking swift corrective actions.

Conclusion

Awareness and vigilance are our best defenses against these sophisticated attacks. By understanding the tactics used by attackers and consistently applying best security practices, we can protect not only our personal information but also the integrity of our entire university community.

Thank you for taking action to keep our community safe.

Last Modified: August 8, 2024