Oct 17, 2022 | Jeremy Shelley, CISO

While social engineering via phishing is a major security concern here at UAH, there are other types of social engineering attacks of which you should be aware. Attackers are persistent and creative in their attempts to gain access to UAH systems, and they will sometimes use in-person attacks or attacks on our mobile devices, such as smishing and vishing.

Examples of in-person attacks

One of the more common in-person attacks is tailgating, where someone who is not authorized to enter a secured area follows an authorized user through the door. These attacks take advantage of two aspects of human nature: most people want to be helpful, and most people do not enjoy confrontation. If you have access to a secure area such as a computer lab, server room, wiring closet, or other location with restricted access, you are responsible for ensuring that no one gains unauthorized access to it. This means you should:

- Never hold the door for anyone.
- Stop people from following you into restricted areas.
- Report suspicious activity to UAH PD.
- Inform Facilities if an electronic door or lock is not functioning properly.
- Always close doors, especially to secure or restricted areas like server rooms.

Another common attack is to drop USB drives in the parking lot or other common areas in the hope that someone will pick one up and plug it into a university computer. If you find a USB drive or disk in a public area, do not insert it into a computer. Return it to lost and found if your department or building has one, or notify your IT support for further guidance.

Examples of mobile device attacks

Finally, I want to alert you to two types of attacks that use your mobile device: smishing and vishing.

Smishing, or "SMS phishing", is phishing via SMS (text messages). The victim of a smishing attack receives a text message, supposedly from a trusted source, that aims to solicit their personal information.
These messages often contain a link (generally a shortened URL) and, like other phishing attacks, they encourage the recipient to take some "urgent" action, for example:

- Claiming a prize
- Claiming a refund or grant
- Confirming and rescheduling a delivery
- Preventing their online banking account from being locked

To avoid becoming a victim, follow these guidelines:

- If the message offers quick money, whether from winning a prize, collecting cash, or receiving a coupon after entering personal information, do not respond.
- UAH and financial institutions will never send a text asking for credentials or for a transfer of money.
- Do not send credit card numbers, ATM PINs, or banking information to anyone in a text message.
- Avoid responding to a phone number that you don't recognize.

Vishing is voice phishing: attackers use fraudulent phone numbers, voice-altering software, and social engineering to trick users into divulging sensitive information. Vishers use many of the same techniques that phishers and smishers do: impersonating someone else, pressuring you to respond quickly, and warning of penalties if you don't respond or promising rewards if you do. One way attackers use impersonation is to pose as, for example, IT support staff in order to collect information. Watch the video below for an example of pretexting in action, as an attacker gets an employee to divulge critical information.

The most important ways to combat vishing attempts are:

- If you don't recognize the number, don't answer the call. Instead, let it go to voicemail and listen to the message later to decide whether to call back.
- If you suspect at any point that the call is a vishing scam, hang up immediately. Don't try to carry on a conversation to be polite.
- Don't press any buttons or speak any responses to prompts from an automated message.
Scammers could record your voice to navigate voice-automated phone menus tied to any of your accounts, or use a "press X" option to identify targets for future calls.
- Verify the caller's identity before returning a call to an unidentified number. If the caller claims to be from a certain company, independently verify that claim, using a number you already have or one published on the company's official website, before returning the call.
- Listen carefully to the caller and mentally flag any social engineering language that leverages fear, urgency, or "once-in-a-lifetime opportunity" framing.

UAH is constantly under attack by individuals and groups who want to collect inside information, gain access to restricted areas and data, and exploit our faculty, staff, and students for financial gain. We must all be diligent: stop, look, listen, and think before providing information. Do your part. #BeCyberSmart.
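As an added worked example (not part of the original UAH post), the smishing indicators described above, namely a shortened or unfamiliar link, urgency language, a prize/refund/delivery/account lure, and a request for credentials or payment data, can be turned into a small triage script that a help desk or security team could run over reported text messages. The shortener list, the keyword lists, the trusted domain, the verdict rule, and the four sample messages are all constructed assumptions for this example and should be tuned for your own environment.

```python
import re
from urllib.parse import urlparse

# All indicator lists below are constructed assumptions for this example,
# not an official UAH or vendor list; extend them for your environment.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "today", "act now", "final notice")
LURE_TERMS = ("prize", "winner", "won", "refund", "grant", "delivery", "reschedule", "locked", "suspended")
CREDENTIAL_TERMS = ("password", "pin", "login", "verify your account", "card number", "ssn", "credentials")

URL_RE = re.compile(r"https?://[^\s<>\"']+|\bwww\.[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return URLs found in the message, with trailing sentence punctuation removed."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def host_of(url):
    """Lower-cased hostname of a URL; scheme-less 'www.' links get http:// prepended for parsing."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _has_term(text, terms):
    """Whole-word or whole-phrase match, so 'pin' does not fire on 'shopping'."""
    return any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)


def smishing_indicators(message, trusted_domains=("uah.edu",)):
    """List the smishing indicators present in one SMS message (assumed trusted domain: uah.edu)."""
    text = message.lower()
    found = []
    for url in extract_urls(message):
        host = host_of(url)
        if host in SHORTENER_DOMAINS:
            found.append("shortened url: " + host)
        elif host and not any(host == d or host.endswith("." + d) for d in trusted_domains):
            found.append("external link: " + host)
    if _has_term(text, URGENCY_TERMS):
        found.append("urgency language")
    if _has_term(text, LURE_TERMS):
        found.append("prize/refund/delivery/account lure")
    if _has_term(text, CREDENTIAL_TERMS):
        found.append("asks for credentials or payment data")
    return found


def triage(message, trusted_domains=("uah.edu",)):
    """Return (verdict, indicators). Verdict rule (an assumption for this example): a message is
    'likely smishing' when a call to action (a link or a request for credentials/payment data)
    is combined with a pressure element (urgency or a lure); anything else found is 'suspicious'."""
    found = smishing_indicators(message, trusted_domains)
    action = any(i.startswith(("shortened url", "external link", "asks for")) for i in found)
    pressure = any(i in ("urgency language", "prize/refund/delivery/account lure") for i in found)
    if action and pressure:
        return "likely smishing", found
    if found:
        return "suspicious", found
    return "no indicators", found


# Constructed sample messages (not real UAH, carrier, or bank texts).
SAMPLES = [
    "UAH Alert: Your account will be locked within 24 hours. Verify your account at https://bit.ly/3xyzabc",
    "USPS: We could not deliver your package. Reschedule delivery: http://usps-redelivery.example/track",
    "Reminder: the OIT security awareness session is Tuesday at 2pm in the library, see https://www.uah.edu/oit",
    "Congratulations! You won a $500 gift card. Claim your prize today: reply with your card number.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        verdict, found = triage(msg)
        print(f"{verdict:16} {msg[:60]}...")
        for i in found:
            print("    -", i)
```

The whole-word matching matters more than it looks: a bare substring check for "pin" or "won" would flag ordinary messages ("shopping", "wonderful"), and a tool that cries wolf gets ignored. The verdict rule deliberately requires both a call to action and a pressure element, which mirrors the page's own description of a smishing text: a link or a request for data, plus urgency or a lure.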