A Guide to Social Engineering and Phishing at OHIO
Cybercriminals are constantly evolving their tactics, and social engineering remains one of the most effective ways to exploit human behavior. At OHIO, protecting personal and institutional data is a shared responsibility. This guide will help you recognize common social engineering attacks, especially those delivered via email, and show you how to report them effectively.
What is social engineering?
Social engineering is a manipulation technique used by cyber threat actors to trick victims into providing sensitive information or performing actions that compromise security. These attacks can occur through the following ways:
- Email & text messages
- Phone calls
- Websites or ads
- In-person interactions
The objectives of social engineering include stealing credentials, installing malware, gaining unauthorized access to systems, and receiving money or other resources for fraudulent purposes.
Common social engineering attacks at OHIO
Phishing is the top social engineering attack on businesses, responsible for more than 90% of security breaches. Phishing occurs when a bad actor sends fraudulent emails, text messages, or Teams messages to convince you to disclose sensitive information through your replies or by clicking on links.
Vishing, or voice phishing, involves social engineering over the phone. A bad actor may pretend to be a trusted source to seek sensitive information, such as:
- Your username and password
- Multi-factor authentication code
- Banking or personal information
If you are unsure about a caller's identity, hang up and call back using verified contact information.
Baiting is a social engineering attack in which a bad actor "baits" an individual into performing an action, such as installing malware on a device or sharing personal information, through malicious web advertisements. The advertisement launches a fake pop-up message that may include the following:
- Loud noises
- Flashing phone number
- Urgent message claiming the device is infected
Calling the phone number often leads to financial fraud or data theft. The bad actor will ask for money for performing their "service", or they will attempt to access the device by having the victim install screen-sharing software, which leads to access to personal information or installation of actual malware.
Identifying malicious messages
Here are some characteristics of a phishing message that will help you identify malicious emails:
- Unsolicited. Be cautious of emails that you were not expecting to receive.
- Often, unsolicited emails are from senders outside of the university. At OHIO, emails originating from external senders will have an "External" tag in the subject line and contain a light-yellow band at the top of the message that reads: "use caution with links and attachments."
- Too good to be true. If it sounds too good to be true, it probably is. Part-time job scams often offer to pay an exorbitant amount of money for a simple task.
- Asking for personal or financial information. Report emails asking for personal information. For example, the IT department would never email you a link requesting that you provide your university credentials to keep your account active.
- Deceptive web links. Hover your mouse over the hyperlink to view its true destination. If you don't recognize it, don't click it.
- Variations of legitimate addresses. For example, an email address ending in @ohio-edu.org instead of @ohio.edu.
- Fake sender's address. Click the sender's name to view the email address; if the email address is not one you recognize from the alleged sender, proceed with caution.
- Requesting urgency. Urgency is used to pressure users into acting quickly so that they do not notice suspicious elements.
- Fraudulent sites often don't start with HTTPS. The "s" stands for secure. Never sign into websites that are not using HTTPS, though keep in mind that HTTPS alone does not prove a site is legitimate, since phishing sites can use it too.
- Misspelled words and bad grammar. Historically, phishing emails often contained misspellings and grammar issues; however, with the development of artificial intelligence, phishing messages are much harder to spot using this indicator.
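As an added example (not part of this guide), the following Python script applies several of the indicators above to a constructed sample message: a lookalike sender domain such as @ohio-edu.org, a link whose visible text claims ohio.edu but points elsewhere, a link without HTTPS, urgency wording, and a request for credentials. The keyword lists, the indicator names and the regex-based anchor matcher are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "ohio.edu"  # the legitimate domain named on this page
URGENCY = ("immediately", "urgent", "within 24 hours", "will be suspended")
CREDENTIALS = ("password", "ohio id", "verification code")
# Simple anchor matcher sufficient for the constructed sample (not a full HTML parser)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)

def is_lookalike(domain):
    """True for a domain that is not ohio.edu but imitates it, e.g. ohio-edu.org."""
    d = (domain or "").lower()
    if d == TRUSTED_DOMAIN or d.endswith("." + TRUSTED_DOMAIN):
        return False
    return "ohio" in re.sub(r"[.\-]", "", d)

def phishing_indicators(raw_email):
    """Return the checklist indicators triggered by a raw single-part HTML message."""
    msg = message_from_string(raw_email)
    body, found = msg.get_payload(), set()
    if is_lookalike(parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]):
        found.add("lookalike-sender")
    for href, text in ANCHOR.findall(body):
        url = urlparse(href)
        if url.scheme != "https":
            found.add("non-https-link")
        if is_lookalike(url.hostname):
            found.add("lookalike-link")
        # Deceptive web link: the visible text names a host other than the real target
        shown = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.strip().lower())
        if shown and shown.group(1) != (url.hostname or "").lower():
            found.add("deceptive-link-text")
    for name, words in (("urgency", URGENCY), ("asks-for-credentials", CREDENTIALS)):
        if any(w in body.lower() for w in words):
            found.add(name)
    return sorted(found)

# Constructed sample: lookalike sender and an http link whose visible text claims ohio.edu
SAMPLE = """\
From: OHIO IT Service Desk <helpdesk@ohio-edu.org>
Subject: Action required: verify your account
Content-Type: text/html

<p>Your OHIO ID will be suspended within 24 hours. Sign in at
<a href="http://ohio-edu.org/login">https://www.ohio.edu/account</a> with your password.</p>
"""
if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

Keyword matching is deliberately crude; the point is that the sender domain, the link target and the visible link text can each be checked mechanically, which is what a mail gateway does behind the "External" tag.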
Reporting phishing at OHIO
The Phish Bowl is a tool designed to promote phishing awareness by documenting campus-wide phishing messages that are reported to the Information Security Office. As widely impacting phishing messages are reported, they will be posted on the Phish Bowl along with a verdict and a date.
If you receive a phishing message that is not on the Phish Bowl, or if you would like assistance in determining the legitimacy of a message, please forward the email as an attachment to security@ohio.edu. You can learn how to ….
What to do if you clicked a link
If you clicked on a link in a phishing message and entered your OHIO ID and password, you should change your password immediately. If you need assistance changing your password, contact the IT Service Desk at 740-593-1222 or servicedesk@ohio.edu.
Additional phishing resources
Here at OHIO, the Information Security Office provides multiple resources to help identify social engineering and prevent our community from falling victim to scams. Be sure to check out the resources below:
- Our online video, …, provides useful information about recognizing phishing emails.
- Learn more about …
- Follow these email best practices to avoid crafting emails that appear to be phishing.
- Request a simulated phishing exercise facilitated by the Information Security Office for your team or department to test their skills at identifying phishing messages.
- Online IT Security Training through Vector Solutions is free training that teaches the OHIO community tips and tricks on how to spot phishing messages. The course titled Cybersecurity Awareness for Educational Leaders: Safeguarding Against Social Engineering Attacks is a great way to learn more about these types of messages. Check out this … on how to self-enroll.
- … for a wide variety of educational resources to learn how to protect yourself, your family, and your devices.