Cyber risks and social engineering
Some safety tips on becoming more vigilant in the age of phishing, vishing and other cyber security risks
October is National Cybersecurity Awareness month and is a good opportunity to talk a little about the current state of social engineering attacks and the University. The term social engineering, as it relates to cyber security, can trace its roots back to at least the days of Kevin Mitnick using psychological techniques to gain access to the nation's telephone systems in the 1970s and '80s. Since then, technology has not only given the world the ability to communicate quickly and effectively with almost anyone at any time; it has also provided bad actors an amazing platform to develop and improve their criminal operations.
Social engineering attacks generally use three mediums: the traditional voice call (vishing), an email or text message (phishing), or an in-person interaction (impersonation). While impersonation is always a risk, it is vishing and phishing that make up most known attacks, and they take many forms. Earlier this year the Justice Department broke up a vast IRS scam that ran four years and had over 15,000 victims. Microsoft states that 11,000 complaints per month are reported to it regarding fraudulent scams. Even the FCC is finally starting to take notice and began issuing fines this year for companies falsifying caller ID numbers. And even though people are getting more skeptical, these attacks are still a major threat.
While we have had members of the community fall victim to the IRS scam, the attack we most see on campus is generally referred to as a "tech support scam." These scams attempt to convince you that Microsoft, or another technology company, has identified a problem with your computer or device and would like you to visit a website to enter a credit card for support or simply turn over control of your computer so they can 'help' you. Needless to say, no one should ever take any action based on unsolicited phone calls. Unfortunately, there are few effective measures to combat vishing scams. The bad actors can falsify their caller ID, use local phone numbers, and sound convincingly like someone who wants to help you. If in doubt, hang up and use a legitimate phone number from an invoice, web site, or directory to reach out to the organization.
Of course, it is phishing that is really causing the most disruption to how we communicate. It is doubly pernicious in that it not only exposes people to the risk of falling victim to a scam, it reduces the effectiveness of people and organizations to communicate since it is now difficult to trust email.
As an example, we'll delve a little more deeply into two recent types of phishing attacks that demonstrate different psychological techniques and the evolving criminal methods in use. The first is deceptively simple yet uses the principle of authority, where people will tend to obey authority figures even if what they are being asked to do does not seem appropriate. It uses the identity of someone in authority at the University, likely gained from our public organizational charts, then creates a fake Gmail account with that name. Simply looking at the email address, and not the name, will tell you something is amiss.
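The "look at the address, not the name" check described above, written out as an added example (not code from the article or from UNR Information Security). The list of officials, the university domain and the sample headers are all constructed for illustration; a real deployment would draw the names from the organizational chart and the domain from the mail system's configuration.

```python
from email.utils import parseaddr

# Hypothetical: display names of officials taken from a public org chart.
KNOWN_OFFICIALS = {"Jane Doe", "John Smith"}
# Hypothetical university domain; anything else is treated as external.
UNIVERSITY_DOMAIN = "university.example"
# Free webmail providers where anyone can register a look-alike sender.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def normalize_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' matches 'jane doe'."""
    return " ".join(name.split()).lower()


def check_from_header(from_header: str) -> dict:
    """Classify a raw From: header value as 'internal', 'external' or
    'impersonation' (an official's display name on a non-university address)."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    known = {normalize_name(n) for n in KNOWN_OFFICIALS}
    if domain == UNIVERSITY_DOMAIN:
        verdict = "internal"
    elif normalize_name(display_name) in known:
        verdict = "impersonation"
    else:
        verdict = "external"
    return {
        "display_name": display_name,
        "address": address,
        "domain": domain,
        "freemail": domain in FREEMAIL_DOMAINS,
        "verdict": verdict,
    }


# Constructed sample headers mirroring the pattern described in the article.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@university.example>",      # legitimate internal mail
    '"Jane Doe" <janedoe.president@gmail.com>',    # borrowed name, free webmail
    "Vendor Support <support@vendor.example>",     # ordinary external mail
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(check_from_header(header))
```

The second sample is the case the article describes: the name is right, the domain is not, and that mismatch is the signal to act on.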
The second attack is a little more sophisticated. It demonstrates the ability of the criminal organizations to combine multiple sets of data and use them in a targeted attack. In this case it is an old password that was compromised from some third-party site, then is combined with a current University email address, and then both are used to convince the person that embarrassing or incriminating evidence is in the possession of the criminal and will be released if a Bitcoin payment is not made.
While these are the activities we are seeing bad actors do today, you can be sure that tomorrow their methods will improve and change. So where does that leave us when trusted and easy to use communication channels seem difficult to find? There is no easy answer. Technology has exacerbated this social engineering problem and does not seem able to help fix it. Nor should we expect it to in the near future. What does seem to help is to simply slow down, take a breath, and try to pay attention to email messages, or other communication, in a more comprehensive manner. Try to look at the writing style, the intent of the message, what it is asking you to do, and whether the message was expected based on previous communications or if it is "out of the blue." Many of us tend to treat our email as a simple queue of work to be done as soon as possible. This is what the criminals count on. You can thwart them by being a little more critical and avoid the pitfalls of becoming a victim on the one extreme and becoming distrustful of all email on the other.
UNR Information Security is here to help. We have educational material available for all members of our community at the IT Compliance Sharepoint site. We encourage reporting of incidents to email@example.com. However, keep in mind this is a reporting-only address and may not be monitored for questions. If you'd like to ask a security question or have a suggestion, please email firstname.lastname@example.org or individual team members. We are also looking at providing more tailored security support to departments that may be at high risk due to the type of data they manage. If your department would like to participate, please email email@example.com.