Hacking the Human | Information Technology | University of Pittsburgh
!

You are here

Hacking the Human

Social Engineering

It’s Cybersecurity Awareness Month—Pitt IT’s favorite time of year. Techies often focus on the high-tech methods hackers use to crack passwords, bypass firewalls, infect a device, and steal people’s data or money. But the truth is that most cybercriminals don’t hack your system. Instead, they hack you. In other words, they trick you into giving them the keys to the castle using social engineering.

What is Social Engineering?

Social engineering is when a hacker manipulates you into divulging confidential information through real-time, personal interactions, such as a phone call, by chat or DM, or via email. The bad guys can be good actors, posing as a trustworthy individual or even pretending to be someone you actually know.

They don’t need to be expert hackers in order to snatch sensitive info, like passwords or bank account details. Instead, they exploit human psychology and social norms to get you to “willingly” share what they need to gain access to your accounts or system.

What Socially Engineered Attacks Look Like

Social engineering comprises many different kinds of attacks, the most common of which is some form of phishing. Phishing is an email disguised as legitimate communication and designed to trick you into sharing sensitive information or compromising your system, often through links to a fake website that collects your information or an infected attachment that downloads malware onto your system when you open it. Phishing has some evil siblings you should beware of:

  • Spear Phishing: This is a personalized attack, rather than a generic mass email. The philosophy is that quality is better than quantity. Criminals use personal information to gain your trust and dupe you. They may find your information from a website listing staff in the department, your LinkedIn profile, your social media posts, or even your physical trash. Then, they can target a message just for you. When a con artist knows things about you, the companies you do business with, or the names of your friends, family, and coworkers, they hope it will lower your guard.
  • Vishing: Voice Phishing is the phone call version of phishing. The attacker pretends to be a person of authority (such as an IRS agent, police officer, or the IT or HR department) or from a company or financial institution you do business with. They may even pretend to be someone you know, but have never actually talked to. Vishing usually exploits fear and urgency by saying things like, “Your account has been compromised” or “Your policy is about to expire.” They generally talk quickly and insist that they need to resolve the issue now.
  • Smishing: Short for SMS phishing, these scams are done via text or DM. In smishing, hackers typically use spoofed numbers and pretend to be a service like AT&T or Google – basically any company where you could have opted into text notifications. These messages will ask you to follow a link to verify a device, view/pay your bill, or check out the latest event or sale. Smishing attacks can also pose as a friend contacting you for help or sharing content they think you’ll like.
  • Baiting: Baiting is luring a victim with a reward or attractive offer, such as a free gift card. This is often done via an email or text message announcing their win. It may also pose as a job or internship offer or a huge sale. These types of offers fall squarely into the “if it seems too good to be true, it probably is” camp.
  • Pretexting: Pretexting is when attackers create sophisticated and detailed scenarios that make a victim feel compelled to cooperate, either through fear or a false sense of security. These scenarios often have factual elements to them, which makes them easy to fall prey to. For example, a person may call you under the pretext that your account has been compromised and they can guide you through changing your password and security questions.

Getting to Know You

Social engineering is more sophisticated that a generic phishing email, because it’s personal—often relying on details specific to you. It doesn’t take Mission: Impossible-level sleuthing to learn these details. Hackers often do a quick social media search to craft the perfect scam for you. Once they follow you, they can see anything you’ve shared and easily slide into your DMs.

An Instagram picture of your college reunion or just-received vaccine card, or a Twitter post sharing a new job seems innocent enough, but the bad guys eat up this information. LinkedIn can be a particular goldmine, since your profile has your current and previous workplaces, where you went to school, your field of expertise, your current career level, and your professional connections.

How to Protect Yourself

Social engineering attacks are frightening to think about, but don’t fret! When you’re the tool, you’re also the solution.

  • Be suspicious of out-of-the-blue offers or emergency notifications. Don’t be afraid to question any email, text, phone call, or direct message you receive. Don’t let being polite interfere with protecting your system and information.
  • Preview links before clicking on them to ensure they go to an official website, and not one housing malware or other viruses. Make sure these URLs are spelled correctly and use the proper domain (.com vs. .net).
  • Independently verify claims made by an unsolicited communication. If you get a text saying your bill is overdue, do not click the link in the message—log into your account or call the company to verify.
  • Be cautious on social media. Think before you post. Remember that you may be oversharing about others when you tag them or reveal shared experiences. Keep your settings as private as possible, or consider a separate profile to share with a small circle of people you trust, while having a public account that avoids revealing identifiable info. Be cautious who you connect with—remember, if you haven’t met in real life, you haven’t actually met at all.

Stay Calm and Don’t Click

If you think you’ve fallen for a social engineering scam, don’t beat yourself up! Social engineering attacks are meant to be convincing. If you get taken, immediately change compromised passwords, contact the companies whose account are impacted, and then contact the 24/7 IT Help Desk to help you get everything sorted.

Stay safe and cybersecure, Panthers!