This is week two of Cyber Security Awareness Month (CSAM), which aims to educate the campus community on ways to better protect themselves and their devices from unauthorized intrusions or cyberattacks. This week we will focus on Social Engineering.  

Social engineering, in the context of IT security, is “any act that influences a person to take actions that may or may not be in their best interest.” It is usually a confidence trick aimed at gaining access to systems or confidential data, often as one step in a larger scheme. It remains on the rise and is consistently reported as one of the leading causes of security breaches. Fraudsters manipulate their targets' emotions so that they act before they think, which is exactly what people tend to do when rushed, frightened, or excited.

The emotional levers attackers pull include: 

  • Desire to please: Pretending to be your boss or another authority figure and telling you to do something critical, right away.
  • Trust: Pretending to be a close friend or relative. 
  • Fear of scarcity: Claiming an offer is limited or ends soon, so there is no time to verify it. 
  • Threats to wellbeing: Claiming that access to a critical resource, such as your bank account or paycheck, is about to be cut off. 
  • Euphoria/greed/entitlement: Claiming you have won something or are owed a free gift. 

Types of social engineering attacks include: 

  • Phishing: The most common form of social engineering. Phishing uses emails that appear to come from legitimate sources to trick people into supplying information or clicking malicious links. These messages frequently use tricks that put users into an emotional state in which they act without thinking. 
  • Vishing: Uses social engineering over the telephone, sometimes with a rogue interactive voice response (IVR) system, to mimic a legitimate institution and persuade you to supply your credentials and/or other data. 
  • Smishing: Uses SMS text messages to get you to divulge information or click on a malicious link. 
  • Spear phishing: Similar to phishing, but the attacker customizes the email for a specific individual, often using details gathered from public sources, to make the phish seem more real. Spear phishing often targets key employees with access to critical and/or confidential data.
  • Quid pro quo: The attacker poses as a service provider (for example, IT support) and keeps calling people until they reach someone who actually requested or needs the service, then offers help in exchange for credentials or remote access.
  • Baiting: Relies on the greed or curiosity of the victim. For instance, leaving malware-infected flash drives in public areas and waiting for someone to plug one in is a common tactic that exploits human curiosity.
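The phishing and spear phishing items above describe two things a reader can actually check in a suspicious message: whether the sender really belongs to the organisation it claims to be from, and whether the wording leans on one of the emotional levers listed earlier. The script below is an added illustration of those checks over two constructed messages; it is not code from this newsletter or from UCSB's security office. It assumes `ucsb.edu` is the only trusted mail domain and uses a small, hand-picked set of lever phrases, both of which are placeholders for whatever an organisation would actually configure.

```python
"""Heuristic phishing indicators for raw email messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumption: the organisation's own mail domain(s). Anything that merely
# looks like one of these is treated as an imitation.
TRUSTED_DOMAINS = {"ucsb.edu"}

# Phrases matching the emotional levers described in the article
# (urgency/authority, threat of loss, greed). Hand-picked for this example.
LEVER_PATTERNS = {
    "urgency": r"\b(immediately|right away|within \d+ hours?|urgent|act now)\b",
    "threat_of_loss": r"\b(suspend(ed)?|deactivat(e|ed)|cut off|locked|terminated)\b",
    "greed": r"\b(you (have )?won|free gift|prize|reward)\b",
    "authority": r"\b(ceo|chancellor|your (boss|supervisor|manager))\b",
}

# Constructed sample messages (not real mail).
PHISH_SAMPLE = """From: UCSB Payroll <payroll@ucsb-edu.com>
Reply-To: helpdesk@mail-secure-login.net
Subject: URGENT: your direct deposit will be suspended
Content-Type: text/plain

Your paycheck is on hold. Verify your account immediately at the link below.
"""

LEGIT_SAMPLE = """From: Jane Doe <jane.doe@ucsb.edu>
Subject: Lab meeting moved to Thursday
Content-Type: text/plain

Hi all, next week's meeting moves to Thursday at 2pm. See you there.
"""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if exact or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        # Catches ucsb-edu.com, ucsb.edu.login-portal.net, ucbs.edu, etc.
        if label in domain or _edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def _plain_text(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks)


def phishing_indicators(raw: str) -> List[str]:
    """Return human-readable reasons a message looks like social engineering."""
    msg = message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = _domain(reply_addr)

    # Replies silently redirected to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} imitates {imitated}")
    # Display name borrows the trusted brand while the address does not belong to it.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in name.lower() and from_dom not in TRUSTED_DOMAINS:
            findings.append(f"display name '{name}' claims {trusted} but address is {from_addr}")
    # Emotional levers in subject or body.
    text = _plain_text(msg) + " " + msg.get("Subject", "")
    for lever, pattern in LEVER_PATTERNS.items():
        if re.search(pattern, text, re.IGNORECASE):
            findings.append(f"emotional lever: {lever}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, phishing_indicators(sample))
```

Run it as a script and the constructed phish is flagged on five counts (redirected Reply-To, look-alike domain, borrowed display name, urgency and threat-of-loss wording) while the ordinary lab email produces no findings. None of these heuristics is proof of fraud on its own; the point is that each one is something a recipient can verify in a few seconds before acting, which is the habit this page is asking readers to build.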

Students, staff, and faculty have all suffered losses from the disclosure of personal data and research to unauthorized parties. Knowing what you're up against can help you be more secure. For specific steps that you can take to guard against social engineering attacks, visit security.ucsb.edu.

Sam Horowitz, Chief Information Security Officer (samh@ucsb.edu)

Kip Bates, Associate Chief Information Security Officer (kip.bates@ucsb.edu)

Mirabelle Le, Cybersecurity Awareness Coordinator (mirabellenle@ucsb.edu)