Cyber Security matters – #2 Email and social engineering
Posted on behalf of: The Better Sussex Team
Last updated: Friday, 15 March 2024
As part of our Cyber Security awareness campaign, we’ll be covering a new and important topic each month to help boost your knowledge and keep you and the University safe and secure.
This month, we talk email and social engineering - recognising what is fraudulent and keeping information and data safe.
At some point, we’ve probably all received a suspicious email, text message or social media request asking for personal information or encouraging us to click on a link when we’re not sure where it’s come from. Sound familiar? Read on to find out what to do.
What is social engineering?
Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Social engineering via email is one of the most common ways that cyber attackers do this. This can be through:
- Phishing - one of the most common types of social engineering where an email is designed to look like it’s come from a legitimate company or organisation. The aim is often to make you visit a website, which may download a virus onto your computer, or facilitate the stealing of bank details or other personal information.
- Pretexting - involves a cybercriminal creating a scenario or ‘pretext’ to target the user using a false identity and a request for personal information.
- Baiting - a commonly used method on social media and email which provides an attractive or intriguing proposition (the bait) to tempt the recipient into downloading a video or image infected with malware.
- Scareware - scares the user into acting quickly and clicking on an unsafe link using pop-ups or emails which tell the user to act immediately to get rid of supposed viruses or malware.
Tip – social engineering can happen anywhere, both at work and in your personal life!
Case files - a real world example
Even cyber security experts can fall victim to social engineering.
In a 2017 blog, Ian Levy, Technical Director for the National Cyber Security Centre (NCSC), set out how he was targeted for a prank via email. To make his blog as helpful as possible, he took the unusual step of asking the prankster to co-write it with him, showing step by step how an attack unfolds from both perspectives.
The hacker’s view
James (the prankster / hacker) outlines the simple techniques he uses to bypass Ian’s expertise and natural suspicions and get him to click on his unsafe link, showing just how quickly and easily a cybercriminal can set up and put into practice a social engineering email scam.
“I did some initial web searches to establish who I would try and hoodwink. It really didn’t take long to establish that Ian could be an intriguing target...”
“Now I just needed my ‘character’ - which I quickly established in my usual way, by looking at the ‘about us’ or ‘directors’ page of the NCSC website.”
“Next step was to create my new email address. I just opened my browser and went to mail.com to create my fake account.”
Using the ‘baiting’ technique, James then emailed a link to Ian (supposedly from the NCSC’s Operations Director) before sending another email telling him he’d been sent the link accidentally – enough to get anyone interested!
The victim’s view
Ian describes receiving a series of plausible sounding emails, seemingly from a senior colleague well known to him and including an innocuous looking link.
“I got two emails apparently from Paul Chichester, the NCSC Director of Operations...”
The first email included a link and the second was a ‘sorry, sent to you by mistake’ message. Paul describes how this approach piqued his interest.
“You feel a little bit naughty peeking into a conversation that wasn’t intended for you and I think that’s part of why this sort of thing disarms people”.
Whilst sorely tempted to click on the link James had sent him, Ian’s Cyber Security knowledge did lead him to check the link and uncover the scam, but he has a warning for others about how easily a real cyber attacker could fool you using social engineering.
“The point of telling this story is to get away from the abstract and show people what attacks really look like. I also want to be really clear: I was lucky. My ‘cyber skillz’ helped, but I could have just as easily fallen for this...”
Source: National Cyber Security Centre, 2017.
How can I minimise these risks?
All of this can sound a bit scary, but don’t worry, there are some simple steps we can all take to help keep ourselves safe:
- If an email or text message seems too good to be true, it probably is. If it looks suspicious, report it via the Servicedesk and delete the email straight away.
- Avoid suspicious links and attachments: don’t click on any that you are not expecting. These could be infected with malware or lead to malware-infected websites.
- Where available, sign up for and use Multi Factor Authentication (MFA) for access to work programs. Use strong passwords for personal devices.
- Don’t leave devices unattended, not only to avoid theft of the device itself, but to protect private and personal data stored on your devices, such as account logins.
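The case file above turns on two checks a recipient can make before clicking: does the sender’s actual address come from the organisation the display name claims, and does a link’s visible text match where it really points? The following Python script is an added illustration of those two checks, not code from this article or from the NCSC blog it cites. The trusted-domain list, the addresses, the URLs and both sample emails are constructed for the example.

```python
"""Two simple phishing checks over an email message: sender domain and link target.

Added illustration only; not code from the University article or the NCSC blog.
The trusted-domain list and sample messages below are constructed for the example.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the only domain our organisation sends mail from.
TRUSTED_DOMAINS = {"uni.example"}


def is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw: str) -> list[str]:
    """Return a warning line for each phishing indicator found in the message."""
    msg = message_from_string(raw)
    warnings = []

    # Check 1: the display name can say anything; judge the real address domain.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    if sender_domain and not is_trusted(sender_domain):
        warnings.append(f"sender '{name}' writes from untrusted domain {sender_domain}")

    # Check 2: compare what the link shows with where it actually goes.
    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        target = host_of(href)
        # Only treat the visible text as a claimed destination if it looks like a host/URL.
        looks_like_url = "." in text and " " not in text
        shown = host_of(text if "://" in text else "http://" + text) if looks_like_url else ""
        if shown and shown != target:
            warnings.append(f"link text shows {shown} but points to {target}")
        if target and not is_trusted(target):
            warnings.append(f"link points to untrusted domain {target}")
    return warnings


# Constructed sample: a 'director' mailing from a free webmail domain, with a link
# whose visible text claims the university portal but points elsewhere.
SAMPLE_PHISH = """\
From: "Director of Operations" <director.ops@webmail.example>
To: staff@uni.example
Subject: Re: that document
Content-Type: text/html; charset="utf-8"

<p>Sorry, this was sent to you by mistake. Please ignore.</p>
<p>Link: <a href="http://reset.webmail.example/login">https://portal.uni.example</a></p>
"""

# Constructed sample of a legitimate internal message for comparison.
SAMPLE_LEGIT = """\
From: "IT Service Desk" <servicedesk@uni.example>
To: staff@uni.example
Subject: Your account settings
Content-Type: text/html; charset="utf-8"

<p>Review your settings at <a href="https://portal.uni.example/account">Account settings</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample) or ["no indicators found"])
```

The suspicious sample produces three warnings (untrusted sender domain, mismatched link text, untrusted link target) and the internal one produces none. The check is deliberately narrow: it reads the real address behind the display name and the real target behind the link text, which are exactly the two things the prank email in the case file relied on the recipient not looking at.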
How to learn more
Each month, to support these articles, we’ll be releasing a matching bitesize training via Proofpoint, our online learning platform.
This month’s training will arrive in your inbox on Tuesday 19 March.