Don't Get Hooked

What is Social Engineering? 

Social engineering is a method used by attackers to manipulate individuals into divulging sensitive information or performing actions that may compromise security. It relies on psychological manipulation rather than just technical exploits. Here's some information about social engineering and tips on how to avoid falling victim to it: 

Types of Social Engineering: 

  • Phishing: Sending emails or messages impersonating legitimate entities to trick individuals into revealing personal information or clicking on malicious links. 
  • Pretexting: Creating a fabricated scenario to gain someone's trust and extract information from them. 
  • Baiting: Offering something enticing, such as a free download, to lure victims into giving up information or downloading malware. 
  • Tailgating: Physically following someone into a restricted area or building by closely trailing behind them.  

Examples of Phishing Attacks: 

  • Email Phishing: 
    • You receive an email that appears to be from your bank, requesting urgent action to update your account information due to a security breach. The email contains a link that directs you to a fake website designed to steal your login credentials when you attempt to enter them. 
  • SMS/Text Message Phishing (Smishing): 
    • You receive a text message claiming to be from a delivery service, informing you that a package is awaiting delivery. The message includes a link to track the package, but clicking on the link leads to a malicious website that attempts to trick you into providing personal information or downloading malware onto your device. 
  • Voice Phishing (Vishing): 
    • You receive a phone call from someone claiming to be from a tech support company, informing you that your computer has been compromised and urgently needs to be fixed. They instruct you to provide remote access to your computer or to install software that gives them access to your system, allowing them to steal sensitive information or install malware. 
  • Credential Harvesting Phishing: 
    • You receive an email purportedly from a popular online service (such as a social media platform or email provider) warning that your account has been compromised and that you need to reset your password immediately. The email contains a link to a fake login page designed to capture your username and password when you attempt to log in. 
  • Business Email Compromise (BEC): 
    • An attacker gains access to an employee's email account through various means (e.g., phishing, malware) and monitors their communications. The attacker then impersonates the employee, sending emails to colleagues or external contacts requesting urgent wire transfers or sensitive information, such as employee payroll data. 
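The phishing examples above share a few observable indicators: a link whose visible text shows one site while its target points elsewhere, a Reply-To address on a different domain from the displayed sender, and urgency language pressuring you to act. The following script is an added example, not part of the original page, that scores a constructed sample message for those indicators using only the Python standard library; the bank names, domains and message text are made up, and a clean result is no proof a message is safe, since verifying the request through a trusted channel (as the page advises below) remains the real control.

```python
"""Flag common phishing indicators in an email (added example; sample data constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases seen in the page's phishing examples (not an exhaustive list).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase hostname of a URL or URL-like string, or None if there is none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return parsed.hostname


def domain_of_address(header_value):
    """Domain part of an address header such as From or Reply-To, or None."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else None


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = domain_of_address(msg.get("From", ""))
    reply_domain = domain_of_address(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    body = msg.get_payload()  # single-part message in this example
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = host_of(href)
        # Only compare hosts when the visible text itself looks like a URL.
        text_host = host_of(text) if re.match(r"^(https?://|www\.)", text) else None
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        same_site = href_host == from_domain or href_host.endswith("." + from_domain) if (href_host and from_domain) else True
        if not same_site:
            findings.append(f"link host {href_host} is outside sender domain {from_domain}")

    scanned = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in scanned]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample resembling the "Email Phishing" example on this page.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: support@examplebank-alerts.example.net
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Your account will be suspended unless you verify your account immediately.</p>
<p><a href="http://examplebank-login.example.net/verify">https://www.examplebank.com/secure</a></p>
</body></html>
"""

# Constructed sample of an ordinary notification with a consistent link.
SAMPLE_LEGIT = """\
From: "Example Bank" <statements@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Your statement is available at
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample) or ["no indicators"])
```

The check is deliberately simple: it reads headers and anchor tags, never follows a link. On the constructed phishing sample it reports all four indicators; on the ordinary statement notice it reports none.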

How to Avoid Social Engineering Attacks: 

  • Be Skeptical: Question unexpected requests for personal or sensitive information, especially if they come via email, phone, or online messages. 
  • Verify Requests: Contact the supposed sender through a trusted means of communication (not via the contact details provided in the suspicious message) to confirm the legitimacy of requests for information or actions. 
  • Educate Yourself: Stay informed about common social engineering tactics and train yourself to recognize them. 
  • Use Multi-Factor Authentication (MFA): Columbia already has MFA deployed, and you can also turn on MFA for your personal accounts. This additional layer of security protects against unauthorized access even if your credentials are compromised. 
  • Keep Software Updated: Regularly update your operating systems, applications, and security software to patch vulnerabilities that could be exploited by attackers. 
  • Limit Information Exposure: Be cautious about sharing personal or sensitive information online, especially on social media platforms, where it can be used to craft convincing social engineering attacks. 
  • Verify Identities: When dealing with unfamiliar individuals or organizations, verify their identities through independent means before sharing any sensitive information or engaging in transactions. 
  • Report Spam: For detailed steps, see Report Junk, Spam, Phishing, and Other Unwanted Messages. 
  • Report Suspicious Activity: If you think you’ve been compromised, contact security@cumc.columbia.edu immediately. 

By staying vigilant, skeptical, and informed, we can significantly reduce the risk of falling victim to social engineering attacks.