A monthly Information Security publication for the WPI community.
This month focuses on SOCIAL ENGINEERING, which is the use of customized deception methods to obtain personal or confidential information for illicit purposes.
Put simply, hackers recognize that it is easier to hack a human than it is to hack a machine.
In this issue:
- Psychology of Social Engineering
- Attack Strategies, including AI
- Prevention
- Learning with Laughter
- From WPI's CISTO
- Secrets of Social Engineering Webinar
- Meet Jeff!
- Featured Videos
- Statistics and In the News
- Diversity in Cybersecurity
- WPI Resources
Psychology of Social Engineering
Social Engineering is a type of psychological manipulation that aims to trick people into sharing sensitive information or performing actions that may not be in their best interest.
Psychological tactics may include:
- Using emotions: Attackers use emotions to persuade victims into taking action they normally wouldn't. The attackers' aim is to put the user in a situation where emotions override human intellect.
- Preying on trust: Attackers will try to establish trust with their victims. They will attempt to take advantage of people's tendency to trust others they perceive as likeable or authority figures.
- Exploiting smartphones: Attackers count on the habit of reacting to a text or app notification quickly, on a small screen, and without the scrutiny a message would get on a desktop.
More detailed explanations of social engineering are in the links below:
10 Cybercrimes Against Colleges and K-12 Schools, and How To Prevent Them (ArcticWolf.com)
Hackers Calling Employees to Steal VPN Credentials (hackread.com)
U.S. Warns of Social Engineering from Overseas (gbhackers.com)
Social Engineering Principles in Better Call Saul (help.wpi.edu)
Social Engineering Strategies
Artificial Intelligence (AI)
According to SecureWorld, "The innovative and fast nature of AI enables attackers to automate, scale up, and fine tune social engineering attack methods and unknowingly expand the attack surface of organizations."
AI homes in on details and customizes phishing to the target through:
- Hyper-personalized phishing: Mine social media to create emails customized with familiar content.
- Natural language generation: Generate coherent, human-like writing and dialogue.
- Emotional manipulation: Analyze the target's digital footprint to identify communication styles, emotional triggers, and vulnerabilities.
- Detection evasion: Refine social engineering techniques to avoid raising red flags in security tools.
- Automated reconnaissance: Quickly gather intelligence by scraping data sources like social media, marketing sites, and public records.
How Do They Attack?
Social engineering attacks may involve any of the following strategies:
- Pretexting: pretending to be someone else
- Baiting & Quid Pro Quo: promising to give something valuable, often in exchange for requested info or action from the target
- Blackmail: threatening to reveal something if the demands are not met
False Assumptions About Cyber Criminals
The attackers rely on these common misbeliefs:
- Criminals won’t hold conversations with you.
- Major platforms, such as Microsoft and Google, are always secure.
- Replying to existing emails is safe.
Examples of Social Engineering
PHISHING email tries to trick someone into revealing sensitive information or making a payment. Smishing uses similar tactics in short message service (SMS) texting. Vishing is a vocal attempt to extract information via the phone. Spear phishing targets specific individuals using any of these methods.
OTHER TACTICS, some of them physical, may be employed. Credential Harvesting gathers valid usernames and passwords to gain unauthorized access. Hoaxes trick the user into performing harmful actions, such as deleting important files to "remove a virus." Invoice Scams copy the invoice details of a genuine supplier but change the bank account number. Tailgating attackers follow someone, who is unaware of their presence, into a restricted area.
WEBSITES lure victims through pharming, which silently redirects traffic intended for a legitimate website (for example, by tampering with DNS or a computer's hosts file) to a similar, but fake, website that collects sensitive information such as login credentials. Watering Hole Attacks plant malware on website(s) regularly visited by an organization's members so that their computers are infected when they visit.
Can you spot the spoofed website in this article? Remember to log in to view it.
Protect Yourself From Spoofed Websites (help.wpi.edu)
Prevention Strategies
Below are a few prevention strategies from the federal Cybersecurity and Infrastructure Security Agency (CISA).
- Be suspicious of unsolicited communications from individuals asking about employees or internal information.
- Keep internal information about your organization private unless you are certain the person is authorized to have that knowledge.
- Do not reveal personal or financial information in email.
- Check the website's security before sending sensitive information. The URL should start with https and there should be a closed padlock icon. You may need to click the URL line to see these. Keep in mind that https and the padlock only mean the connection is encrypted; a spoofed website can have both, so also confirm that the domain name is the one you expect.
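The "check the website" step above can be turned into a short, repeatable checklist. The script below is an added example, not code from the newsletter, CISA or WPI ITS. Besides the https test it flags the tricks that https alone does not catch: an expected name used as a subdomain of a stranger's domain (wpi.edu.login-portal.example), a username before "@" that hides the real host, a raw IP address, a punycode label that can hide look-alike characters, and near-miss spellings such as wpl.edu or wpi-edu.com. The EXPECTED_DOMAINS allowlist and all sample URLs are constructed for illustration.

```python
"""Spot-check a URL before typing a password or other sensitive data.

Added example, not code from the newsletter, CISA or WPI ITS.
EXPECTED_DOMAINS is a constructed allowlist for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains the user expects to sign in to.
# A tuple (not a set) keeps the order of warnings deterministic.
EXPECTED_DOMAINS = ("wpi.edu", "microsoft.com", "google.com")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores public
    suffixes such as co.uk, which is good enough for this demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to flag near-miss spellings like wpl.edu."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> list:
    """Return a list of warnings; an empty list means no red flag was found.
    A clean result is not proof of legitimacy, only the absence of the
    specific tricks tested here."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        warnings.append("not https: traffic is not encrypted")
    if parts.username is not None:
        # https://wpi.edu@attacker.example/ : the real host follows the '@'
        warnings.append("text before '@' is a username; the real host is %r" % host)
    if not host:
        warnings.append("no hostname in URL")
        return warnings
    if host.replace(".", "").isdigit():
        warnings.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: possible homoglyph look-alike domain")

    reg = registrable_domain(host)
    if reg in EXPECTED_DOMAINS:
        return warnings  # e.g. login.wpi.edu -> wpi.edu, as expected

    lookalike = False
    squashed = reg.replace("-", "").replace(".", "")
    for good in EXPECTED_DOMAINS:
        name = good.split(".")[0]
        if host.startswith(good + ".") or "." + good + "." in host:
            # wpi.edu.login-portal.example: the trusted name is only a subdomain
            warnings.append("%r is only a subdomain of %r" % (good, reg))
            lookalike = True
        elif name in squashed:
            # wpi-edu.com, microsoft-login.net: brand name inside a stranger's domain
            warnings.append("%r contains the brand name %r" % (reg, name))
            lookalike = True
        else:
            limit = 1 if len(name) <= 4 else 2  # short names need a tighter limit
            if edit_distance(name, reg.split(".")[0]) <= limit:
                warnings.append("%r is a near-miss spelling of %r" % (reg, good))
                lookalike = True
    if not lookalike:
        warnings.append("domain %r is not on the expected list" % reg)
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs, one per trick.
    samples = [
        "https://login.wpi.edu/",
        "https://wpl.edu/password-reset",
        "https://www.wpi-edu.com/signin",
        "https://wpi.edu.login-portal.example/",
        "https://wpi.edu@attacker.example/",
        "http://192.168.1.5/login",
        "https://xn--wp-8ka.edu/",
    ]
    for u in samples:
        print(u, "->", check_url(u) or "no red flags")
```

The allowlist is the key design choice: the checks are only as good as the list of domains you actually expect to sign in to, and a clean result means none of the listed tricks were found, not that the site is safe. That is why the "Take 5" advice below still applies even when the URL looks right.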
The article below provides additional information about social engineering prevention.
Avoiding Social Engineering and Phishing Attacks (CISA.gov)
How to Combat Social Engineering: Take 5 & MFA
Good cyber hygiene is an excellent defense against social engineering, whether the attacker is a person or an AI: the less information you expose and the fewer shortcuts you take, the harder it is for either to craft a message tailored to you.
Take 5 Minutes
Modern scammers prey upon your anxiety and depend upon your instant reaction. You can outsmart them by taking five minutes to defuse your reaction, take yourself out of "fight or flight" mode, and look at the message logically.
Does this method and individual match the usual way you would receive this type of request, perhaps job duties, course assignments, schedule changes, account updates?
Have you asked anyone else about this? Contact a co-worker or the supposed sender via a different channel - so if you received email, try chat, phone, or speaking in person.
Does an email appear to be from WPI, but [EXT] starts the Subject line? That indicates it originated outside of WPI.
Have you checked with WPI ITS? If you are not sure whether a communication is legitimate, please contact the IT Service Desk or report phishing.
Report Phishing (help.wpi.edu)
Multi-Factor Authentication (MFA)
Are you using MFA? It is required for WPI resources, but consider enabling it for personal accounts, too. MFA helps prevent a takeover because a stolen password alone is not enough for the attacker to get into your account. It only works if you guard the second factor as well: never approve an MFA prompt or share a code for a sign-in you did not start yourself. The CISA link below includes a video with directions to enable MFA on a personal account.
More than a Password (CISA.gov)
Learning with Laughter
From WPI's CISTO:
Windows 11
You may have heard that ITS-managed WPI computers are being upgraded to the Windows 11 Operating System (OS). It's already in labs and classrooms! A key factor in WPI security is ensuring that computers have the most up-to-date OS so they can receive patches for vulnerabilities that cyberattacks can exploit.
Malicious software takes advantage of unpatched vulnerabilities in outdated applications; an up-to-date OS supports the latest, and safest, versions of those applications.
Install Windows 11 on WPI computers
Book Recommendation
LeeAnn LeClerc, WPI CISTO, recommends The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win by Gene Kim. WPI account holders can access the book via the Gordon Library.
George C. Gordon Library
Secrets of Social Engineering Webinar
Join us on Friday, September 20 from 10am - 11am for a webinar presented by WPI's Information Security experts. Learn the tactics used by cybercriminals and discover practical tips to protect yourself and WPI. The registration link is below.
Register for Social Engineering Webinar
Meet Jeff!
I'm Jeffrey Eaton, but you can call me jeaton. I joined WPI in March 2023 as the Identity Access Management Security Engineer within the Information Security department. I work remotely from Pittsburgh, PA so you won't get to see me in person much, but I'm available via Teams or Zoom to answer any account and identity related questions you may have.
Prior to WPI, I worked at Carnegie Mellon University for 25 years in a variety of roles in systems administration, software engineering, and management, before falling into the Identity and Access Management space 11 years ago. I also earned my BS in Computer Science from Carnegie Mellon. Outside of work, I'm happily married with two kids and an adorable miniature whoodle (wheaten terrier/poodle mix).
Featured Videos
These brief videos explain social engineering.
What is Social Engineering? (4 min)
2-Factor Fake Out (<1 min)
The Statistics Show Social Engineering Works
In the past, just a few dozen responses from WPI account holders to a single socially engineered phishing email resulted in disruption of access to numerous accounts and many hours of IT labor to rectify. Improved email security tools and more community education have decreased these responses since last year!
Social Engineering Stats:
The Forbes article, "What is Social Engineering?" provides key statistics.
What Is Social Engineering? (Forbes.com)
In the News
On September 5, 2024, a London, UK high school sent students home due to a ransomware attack and remained closed for multiple days. Social engineering is a common way ransomware operators gain their initial foothold.
Ransomware attack forces high school in London to close and send students home
In June 2024 school officials in Ohio revealed that a social engineering attack resulted in the theft of $1.7 million.
West Clermont Schools victim of sophisticated cyberattack (NBC Cincinnati)
Diversity in Cybersecurity
Dr. Kellep Charles
WPI Resources:
Thwarting Technical And Social Engineering Attacks
Email Fraud: VIP Impersonation Warning
External Email Subject Marker And Security Features
Phishing Explained
Smishing And Vishing Explained
Coming Next Month...
Artificial Intelligence...
Is there a cybersecurity topic that you would like to know more about? Please contact WPI Information Security using Get Support below.