What are the Dangers of Social Engineering Scams?

Posted on 23 May 2017

According to the 2017 Verizon Data Breach Investigations Report, financial businesses are still the prime target for cybercriminals. But colleges and universities shouldn't breathe a sigh of relief because they still offer a valuable target.

Last year at Tidewater Community College (TCC), the personal information -- including names, social security numbers, and wage data -- of more than 3,000 employees was sent to criminals when an employee in the school's finance department fulfilled a request for the information that appeared to come from a supervisor's official campus account.

Rather than responding to a legitimate request, the TCC employee fell victim to a social engineering scam, a cyberattack that uses deception and human gullibility to gain access to restricted information or penetrate otherwise secure networks.

Common social engineering scams include:

  • Phishing - fraudulent emails or social media posts intended to elicit confidential information from the recipient
  • Baiting - leaving in a public place a USB drive or other storage with malicious code embedded on it, just waiting for someone to find it and plug it in
  • Quid pro quo - offering a service that is "too good to be true" (like an attractive job listing) in exchange for personal details or login information
  • Typosquatting - creating a fake login page that looks near identical to one of a legitimate business, while using a domain name that is one letter off from the actual site

And these techniques are effective.

In its most recent report, Verizon found that 7.3 percent of evaluated users fell for phishing schemes at least once, and 15 percent of that group "took the bait a second time." Altogether, 1 percent of users were recorded clicking on suspicious links or attachments contained in emails more than three times.

Of course, email isn't the only avenue for attack. A 2016 report from Proofpoint found that 40 percent of Facebook accounts and 20 percent of Twitter accounts purporting to represent a global 100 brand were, in fact, fraudulent.

Given the heavy use of social media on today's campus, these platforms pose a number of new vulnerabilities that scammers are more than willing to manipulate. And by sending their phishing message directly through social media, criminals can now bypass most of the security measures and email filtering tools that your school has set up to protect your campus.

What Can Your School Do?

Update cybersecurity

Regularly review your internal systems for potential vulnerabilities, and update email filtering technology to aggressively search for phishing attempts or malicious files. Employ monitoring tools that can identify suspicious behavior and help your cybersecurity team respond more quickly to a data breach.
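The typosquatting entry in the list above and the call here for filtering that searches for phishing attempts both come down to the same check: does a link in an incoming message point at a domain the school actually owns, or at one a single character away from it? The following is an added example, not code from the article or from Campus Answers; the trusted-domain list is hypothetical and the registrable-domain extraction is deliberately simple (it assumes a one-label public suffix such as .edu, so it would need a public-suffix list for names like .ac.uk).

```python
"""Flag links in an email whose domain is a near-miss of a trusted campus domain.

Added illustration (not from the article). TRUSTED_DOMAINS is a hypothetical
list standing in for the school's real domains.
"""
import re
from urllib.parse import urlparse

# Hypothetical: domains the school legitimately uses.
TRUSTED_DOMAINS = {"example-college.edu", "portal.example-college.edu"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (assumes a one-label public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' if under a school domain, 'lookalike' if one edit away from one, else 'untrusted'."""
    trusted_regs = {registrable(t) for t in trusted}
    reg = registrable(host)
    if reg in trusted_regs:
        return "trusted"
    # The typosquat described in the article: one letter off from the real name.
    if any(edit_distance(reg, t) == 1 for t in trusted_regs):
        return "lookalike"
    return "untrusted"


def scan_message(text: str):
    """Return (url, host, verdict) for every http(s) link in the message body."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        results.append((url, host, classify_domain(host)))
    return results


# Constructed sample message, modelled on the wage-data request the article describes.
SAMPLE_EMAIL = """From: Payroll <payroll@example-college.edu>
Subject: Urgent: W-2 verification required

Please confirm your details at https://examp1e-college.edu/hr/verify before 5pm.
Staff portal: https://portal.example-college.edu/login
Help article: https://cdn.unrelated-site.net/help.html
"""

if __name__ == "__main__":
    for url, host, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:10} {host:32} {url}")
```

A filter built on this would quarantine or tag the message on any "lookalike" verdict; the "untrusted" class is merely unknown and is what ordinary reputation checks handle.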

Consider implementing multi-factor authentication -- requiring a password plus additional verification from a separate device -- for critical systems or high-risk files.

Educate

Cyberscammers, much like traditional con artists, mainly rely on the naiveté and gullibility of their targets. But by properly training your students and faculty on how to spot and respond to these schemes, the schemes' likelihood of success is greatly reduced.

Consider establishing a cybersecurity awareness week on your campus, or, if you're more ambitious, participate in National Cyber Security Awareness Month. Offer training sessions and seminars designed to help those on your campus develop healthy online security habits that will protect not only your school but their personal information as well.

Go fake phishing

To identify security gaps or just further educate general users, several schools have begun to test students and faculty with fake phishing emails.

After more than 290 students, faculty, and staff had fallen prey to phishing scams in a single semester, North Dakota State University began sending phishing emails of its own. These messages were designed "to look like real phishing messages, but they w[ould] not cause harm, collect personal information or result in any penalty or punitive action." Instead, the links they contained redirected students and faculty to a resource page that educated users about phishing schemes.

Conclusion

No matter how much your school may invest in technology, your campus cybersecurity is only as strong as its weakest link. And that weakest link is routinely the ignorance of the staff, faculty, and employees who access school systems every day.

If you would like to learn more about how Campus Answers can help your school promote data security awareness, request a demo of our services today.
