March 2020: Making Phishing Attacks History!


Campus privacy and security professionals can adapt these materials to promote a better understanding of the most common social engineering attack vectors that are affecting higher education.

[Image: green at symbol representing a lock with gold latch and key. Credit: Maximus256 / Shutterstock.com © 2020]

Campus Security Awareness Campaign 2020

This post is part of a larger campaign designed to support privacy, security, and IT professionals as they develop or enhance their security awareness plans. The campaign is brought to you by the Awareness and Training Community Group sponsored by the EDUCAUSE Higher Education Information Security Council (HEISC). View the other monthly blog posts with ready-made content on the awareness campaigns resource page.

"More than half of US organizations faced a successful phishing and/or ransomware attack in 2019," [1] and many of those attacks began with social engineering—ranging from simple to sophisticated. Social engineering involves the use of deceptive communication aimed at convincing the victim to do something the attacker wants them to do. Social engineering attacks commonly focus on generating a sense of urgency in a message that appears to come from a trusted contact. Ransomware has become a standard payload for attackers in the United States. According to Gin Consulting, 9.5 million ransomware attacks were detected in 2019. [2] Customize the content below to help raise awareness about avoiding these frequent social-engineering attacks, to promote common-sense information security protections and data-protection best practices, or to encourage more in-depth security discussions at your institution.

Get the Word Out

Newsletter or Website Content

  • Social engineering begins with research, whereby an attacker reaches out to a target to gain information and resources. When someone you don't know contacts you and asks you open-ended questions, this may be the first step of a social-engineering attack. After the attacker reaches out to you, they will then attempt to establish trust with you and get you to provide them with the information or access that they need. Often, the attacker does this by creating a sense of urgency. One common social-engineering scam is the gift-card scam. The attacker poses as an executive. The "executive" will email the victim, ask if the victim is in the office, and begin a brief email exchange with the victim. The executive will tell the victim that they need to purchase one or more gift cards for other employees but that they are unavailable to do so. The executive will ask the victim to buy several gift cards and keep one for themselves. Because the victim is worried about pleasing the executive, the victim goes through with the purchase, spending hundreds or thousands of dollars. How do you avoid becoming a victim of these types of attacks? Ask yourself if the request makes sense. Check the email address of the sender. Does the sender's email address end in the domain you would expect (your institution's .edu domain, for example), or does it merely resemble it? Whenever you receive an "urgent" email communication, the first thing you should do is contact the sender using another mode, such as phone or text message, and confirm that the email is legitimate. If something seems off to you, it probably is.
  • Ransomware is scary. Such an attack could make it impossible for you to retrieve documents on your computer. So, how do you protect yourself from ransomware? One of the best ways to protect yourself is to create a good backup of your critical data. These backups should be available offline, for example, on a removable hard drive or tape. Having multiple backups that are stored in more than one location is best! For your work files, be sure to follow guidelines from your IT department. Ransomware is often delivered via a fraudulent email with an attachment or link that, when clicked, installs a program that locks your files. Never open an attachment that you are not expecting without verifying with the source in another way (for example, via phone or text message) that the attachment is valid. When you are unsure, follow guidance from your IT department regarding how to handle questionable emails. Using these common-sense practices can help you avoid the pain of a successful ransomware attack.
  • Phishing attacks are delivered via email. Most commonly, a phishing email uses a sense of urgency to direct the victim to visit a website designed to steal the victim's account credentials. Some phishing attacks are straightforward, for example, "Update your password now!!!!" and can easily be detected because they typically are not written well (poor grammar and word choice). However, some attacks are sophisticated, look like they come from a trusted contact, are well written, and lead to a site that closely resembles the spoofed website. If you receive a communication that asks you to give your account credentials or personal information (for example, your social security number, birth date, or credit card number), DO NOT click the email link. Instead, go directly to the expected website and verify that the communication came from that organization. Always check with your IT department before following links that require you to enter your username and password. By following these simple precautions and working with your IT department, we can make phishing attacks a thing of the past.

Social Posts

  • Don't be a victim. Call the sender before opening that attachment! #Ransomware #BeCyberSmart
  • Is that email really from you, boss? Check the email address before responding! #SocialEngineering #YourBossDoesNotNeedGiftCards #BeCyberSmart
  • Does your bank really need you to change your password? Go directly to yourbank.com to check. #DontTakeTheBait #Phishing #BeCyberSmart
  • Why do you need my password? You should have your own! Think before you click. #SocialEngineering #BeCyberSmart

Email Signature

Ask staff to add a tip to their email signature block and link to your institution's privacy page.

Example:

Jane or John Doe
Chief Privacy Officer
XYZ College or University

Disappoint an attacker. Leave that urgent email alone. Learn more. [Link "Learn more" to your institution's information security page or link to the Cybersecurity and Infrastructure Security Agency (CISA) Security Tip (ST04-014) Avoiding Social Engineering and Phishing Attacks.]

Embed or Share Videos

  • How to Avoid Social Engineering (Wombat Blog)
  • Top 5 Tips to Avoid Ransomware (ESET)

Resources

For more information and resources, you can also reference previous EDUCAUSE Review Security Matters Campus Security Awareness Campaign blog posts about social engineering, phishing, and ransomware.

For more information about information security governance, compliance, data protection, and privacy programs, please visit the EDUCAUSE Review Security Matters blog as well as the Cybersecurity Program page. Access additional security and privacy awareness resources through the Awareness Campaigns page.

Notes

  1. Jessica Davis, "Ransomware, Phishing Attacks Compromised Half US Orgs in 2019," HealthITSecurity, January 28, 2020.
  2. Gin Consulting, "Social Engineering Attacks: A Path to Ransomware," NetStandard (website), January 27, 2020.

Patricia M. Clay is the Chief Information Officer at Hudson County Community College in New Jersey.

© 2020 Patricia M. Clay. The text of this work is licensed under a Creative Commons BY 4.0 International License.