Phishing and Social Engineering
Q: What is social engineering?
A: In a social engineering attack, an attacker would use human interaction (social skills) to obtain information about your or UNC that they could use in identity theft or to harm UNC or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a student in one of your classes, an employee, repair person, or professor. However, by asking questions, he or she may be able to piece together enough information to steal your identity or to infiltrate UNC’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within UNC and rely on the information from the first source to add to his or her credibility.
Q: How do I protect myself and UNC against a social engineering attack?
- If you ever suspect you may be involved with a social engineering attack, refer the individual to the UNC PD to assist the person.
- Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about students, employees, or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about yourself or UNC, including its structure or networks, unless you are certain of a person's authority to have the information.
Q: What is phishing?
A: Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as:
- Natural disasters (e.g. Hurricane Katrina, Indonesian tsunami)
- Epidemics and health scares (e.g.,H1N1)
- Tax season
- Economic concerns (e.g., IRS scams)
- Major political elections
- Death of high profile person
Q: How can I protect myself from receiving phishing attempts?
- Install and maintain anti‐virus program, an anti-malware program, and a personal firewall for your computer. Students can download Symantec Endpoint or Microsoft Security Essentials for free via URSA which contains all three of these critical components.
- Take advantage of any anti‐phishing features offered by your email program and web browser.
- Mark suspicious items as SPAM or JUNK within your email program.
Q: How would I spot a phishing scam?
A: Look for the following:
- Generic email greeting-A typical phishing email will have a generic greeting, such as “Dear User.”
- False sense of urgency-“Your account will be disabled if it’s not updated within three (3) business days!”
- Fake Links-Many phishing emails have a link that looks valid, but sends you to a fraudulent site. Example: www.secure-paypal.com
- Attachments- Similar to fake links, attachments can be used in phishing emails and are dangerous.
- Sender’s email address-The “From” line may include an official-looking email address that may actually be copied from a genuine one. However, the email address can easily be altered – it’s not an indication of the validity of any email communication.
- Poor English or misspellings – “You want hamblurger I know god place?”
- Deceptive URLs-Examples:
- http://220.127.116.11/pp/update.htm?= https://www.paypal.com/=cmd_login_access
Q: How do I know if a website is secure?
A: There are 2 things to look for to know if a website is secure:
- Look at the website address. https:// means the site is secure. If it only has http://, that is not secure. Don’t enter any personal information on a website (including username and password) if the site is not secure. Even if it is a secure site make sure it is the correct site. https://www.westealpasswords.com would probably not be a good place to go.
- If there is a secure lock icon in the status bar at the bottom right-hand corner of the browser window, the site is secure. Many fake sites will put this icon inside the main window to deceive you.
Q: But what if the email is genuine?
A: If you feel the email is valid but are not sure, the best thing to do is to open a new browser window and type the address of the website you trust in manually. Only do this if you have good reason to believe that the email is legitimate.
Q: What if the email has an attachment?
A: Avoid clicking on email attachments whenever possible, especially if you don’t know the sender! It could cause you to download spyware or a virus.
Q: What if I responded to a phishing attempt?
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
- Keep a close watch on your credit reports available from Experian, Equifax, and TransUnion to identify any potential incorrect, unknown, or malicious activity.
Q: Is there somewhere I can go to see if I would be able to spot a phishing scam before it happens to me?
A: Yes! Test yourself with this fun interactive game from OnGaurd.
Q: Will Microsoft Tech Support call me because I have a virus or my computer is slow?
UNC’s Information Security Team has been notified that there is a company posing as Microsoft Support saying that your PC has a virus or is running slow and that they would like to help. The support person then wants to get access to your computer via a remote meeting. At this point they want to install software on your computer and may offer to sell you an Antivirus program.
What they are really doing is attempting to Phish you or use Social Engineering to gain access to your credit cards and bank accounts.
If someone claiming to be from Microsoft tech support calls you:
- Do not purchase any software or services.
- Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
- Please take the caller's information down and immediately report it to your local authorities.
- Never provide your credit card or financial information to someone claiming to be from Microsoft tech support.
See more info from Microsoft on this subject at: http://www.microsoft.com/security/online-privacy/avoid-phone-scams.aspx.