Are your endusers vulnerable to social engineering? The scammers are counting on it.
You’ve gone to great lengths to protect your school network with firewalls, filters, and anti-virus software. But you’ve still got a weak link (or hundreds). It’s called your end-user. Any one of staff members or students could fall for a social-engineering scam that devastates your entire system.
Hackers are increasingly clever and sophisticated as they “socially engineer” their victims into taking some sort of bait. Within seconds, an unsuspecting “sucker” may have revealed his or her confidential information—passwords, credit card information, bank account details, and so forth—or inadvertently released malware.
Preying on people’s fear, gullibility, harried states, and even greed, social engineers find it easier to trick human beings then to try to hack their way into a computer or network. It’s a lucrative business that’s gaining traction.
How can people be so naïve as to fall for these scams?
Because they look legitimate. Bogus emails appear to come from a trusted friend or colleague or a reputable company—like a bank, credit-card company, or government organization—with an urgent message to click a link or open an attachment. “Business” emails often feature logos, privacy statements, and other elements that give the message credibility.
Exploiting the recipient’s trust and curiosity, these messages may:
- Ask the reader to verify his or her username and password on a phony (albeit authentic-looking) bank or credit card site.
- Pose as the IRS and demand money for “back taxes,” with threats of imprisonment if not paid.
- Invite the user to open the “attached invoice” to review an order.
- Claim a “FedEx” package was undeliverable and request that the attachment be opened to “print a shipping label” (we get these frequently at K12USA).
- Contain an urgent appeal from a person of authority—e.g., the school principal or IT director—that an important attachment be opened or new software be updated.
- Contain offers from “Microsoft,” “Dell,” or other reputable company to fix computer problems.
- Require a court appearance—just click the link to view the court notice.
The list goes on. Cybercriminals are tenacious and imaginative, and there are thousands of variations of social-engineering hoaxes out there.
Your best weapon? Educate and train your end-users—at least twice a year.
- Show them examples of social-engineering attacks.
- Caution them to take their time—don’t hastily click on links or downloads before confirming the source, even if the message sounds scary and urgent.
- Advise them to be on high alert for:
- Unsolicited messages—even those from trustworthy companies. Instead of clicking on links, visit the company’s website in a separate window.
- Requests for financial information, login credentials, Social Security number, or other personal data. No legitimate organization will solicit this info via email, text, or phone (unless the customer initiates communication).
- Attachments! Unless the reader is 100 percent sure the attachment is legitimate and safe, he/she should not open it. It’s good practice to contact the sender to confirm the email’s genesis.
- Offers from “Microsoft,” “Dell,” and other tech companies to update your software, speed up your computer, resolve issues, etc.
- Foreign solicitations announcing you won the lottery, inherited money, and so forth.
- Phone calls, IMs, text messages, and other forms of communication that require divulging personal info or paying money.