NCSAM 2020 - I put a spell on you, and now you’re mine
When people talk information security, they picture something over-the-top. Many see in their mind’s eye extreme cases of “hacking the mainframe” or other feats of technological prowess that you might see in thriller or heist movies. But often, the easiest and most effective way for a bad actor to get access to your information and devices is through the process of “social engineering.”
Social engineering is the manipulation of individuals so as to make them willingly give up access to their accounts and systems; it uses the user as the means of attack. You may have heard the term “phishing” before. It can come in the form of emails, phone calls or social media messages, and often offers too-good-to-be-true deals (free iPhone!) or threatens fake legal action (the IRS will arrest you if you do not send money now!).
But some attackers take things a step further with “spear phishing,” which targets specific individuals with details that look legitimate. A spear phishing scam can appear as an email apparently from a colleague. But if you look closely, you may notice that the email address is in fact not from an @asu.edu account, but an “@asu1.edu” one. Always be sure to verify the identity of the sender by at least looking at the sender’s full address, and reach out separately to people if the message is suspicious.
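The “look closely at the sender” check above can be automated. The following is an added example (not ASU or UTO code) that takes a From header, ignores the display name, and classifies the real sending domain as trusted, a look-alike of asu.edu (the asu1.edu pattern), or simply external; asu.edu as the trusted domain and the similarity threshold are assumptions.

```python
import difflib
from email.utils import parseaddr

# Assumed organisation domain, as in the article. Hypothetical helper code.
TRUSTED_DOMAIN = "asu.edu"


def sender_domain(from_header: str) -> str:
    """Return the domain of the address actually used, ignoring the display name."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip(".").lower()


def classify_sender(from_header: str, trusted_domain: str = TRUSTED_DOMAIN) -> str:
    """Classify a From header as 'trusted', 'lookalike', 'external' or 'malformed'.

    'lookalike' covers domains that are not the trusted one but resemble it:
    a near-miss label such as asu1.edu, or the trusted name embedded in a
    longer domain such as asu.edu.example.com. Those deserve manual review.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "malformed"
    if domain == trusted_domain or domain.endswith("." + trusted_domain):
        return "trusted"
    # Trusted name used as a subdomain of somebody else's domain.
    if trusted_domain in domain:
        return "lookalike"
    # Compare the first label only (asu1 vs asu) so the TLD does not mask the edit.
    label = domain.split(".")[0]
    trusted_label = trusted_domain.split(".")[0]
    similarity = difflib.SequenceMatcher(None, label, trusted_label).ratio()
    if similarity >= 0.75:  # assumed threshold; tune for your own domain
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in ['"Dean Smith" <dean@asu.edu>', '"Dean Smith" <dean@asu1.edu>',
                   "help@asu.edu.example.com", "friend@gmail.com"]:
        print(f"{header!r:45} -> {classify_sender(header)}")
```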
Another example of social engineering is less direct. Bad actors will attempt to sneak their way into accounts by gleaning information from social media posts and profiles. Be careful not to overshare on social media, including answers to common security questions like “what is your pet’s name?” A good rule of thumb is to avoid posting “personally identifiable information” (PII) that could give insight into common inspiration for passwords.
Remember that ASU will never send emails asking you for your password or login information, and most other organizations and companies will not either. Be alert and use your common sense in parsing through social engineering and phishing attempts: if it looks too good to be true, or too extreme a demand to be realistic, avoid it!
Make sure to follow UTO on Twitter @ASU_UTO.