Social Engineering
Social engineering attacks are interactions an attacker tailors to what’s important and relevant to you. A scammer might collect information about you from a variety of public sources, such as social media accounts, and then use those details to impersonate someone you trust, like your boss or a family member. Social engineering attacks are often aimed at employees of a target organization to gain access to its systems, or at individuals to obtain their sensitive information. There are three general types of attack, which are increasingly being combined: phishing (email), smishing (SMS), and vishing (voice).
Stop. Think. Click.
"Phishing" is a type of social engineering attack where a criminal tries to get you to reveal your username and password by email. Sometimes they may ask for even more personal information such as your address or social security number. You should always be wary of messages that ask for your personal information or messages that refer you to a web page asking for these details.
Messages or websites phishing for information might ask you to enter the following information:
- Usernames and Passwords
- Social Security number
- Bank account numbers
- PINs (Personal Identification Numbers)
- Full credit card numbers
- Your mother’s maiden name
- Your birthday
SCU IT will NEVER ask for your password in an email.
When you receive any email, try to take the following steps to protect your information:
- Stop. You don’t need to respond to this email, download any attachments, or click any links if you don’t feel comfortable doing so.
- Think. Don’t recognize the email address? Are there misspelled words? Are they asking you to do something right away? Reach out directly to whoever is asking for the information before doing anything. Your financial and personal information is very important, and trustworthy entities want to keep it safe.
- Click. Once you’ve confirmed you’re interacting with a person you’re comfortable with, use secure sites to transfer any important information.
If you are still not sure about an email, or think you have responded to a phishing message, please call the Technology Help Desk x5700 (408-554-5700) or visit the Technology Help Desk on the first floor of the Learning Commons.
For more information about social engineering attacks, please visit this CISA page.
Find some phishing examples here.
Smishing (SMS Phishing)
You've probably encountered smishing if you own a mobile device. Phishing via SMS text message is known as "smishing." The scammers are attempting to obtain sensitive information from you, much like in an email phishing attempt.
Like phishing emails, these messages use emotional triggers to persuade you to click on the links. Usually, the themes target personal data like your credit card number, national ID, username, and password.
Multiple people have reported recent attempts to impersonate SCU employees via smishing. While Administrators are often impersonated in this type of social engineering scam, others can be impersonated as well, including supervisors, HR staff, and IT help desk staff. These text messages and emails often start with a conversational tone and use your name, such as:
"Hi <your name>, this is <employee being impersonated>. Let me know if you get this message."
If you receive a text message from an unfamiliar phone number, or an email from a non-SCU email address, from someone claiming to be an SCU employee, please use another method of communication (SCU phone number or email address) to confirm the contact, or reach out to their office. Please report the issue to the Information Security Office at iso@scu.edu.
Other types of smishing scams can include gift card scams. You can find out more about gift card scams from the Federal Trade Commission’s Avoiding & Reporting Gift Card Scams page.