Protect Against Social Engineering

Social Engineering

Social engineering is the use of deceptive methods to persuade people to reveal sensitive information or to give an attacker access to computer systems. It can take several forms; some of the most common tactics are listed below:

    • Phishing (e-mail)
    • Spear phishing (targeting specific individuals/groups)
    • Smishing (SMS/text message)
    • Vishing (phone calls, voicemail)
    • Clickjacking (a link or element is hidden from the user to trick them into clicking on a link that is different from what they have perceived it to be)
    • Malvertisements (a form of malware injected into legitimate advertisements)
    • Infostealer (a form of malware used to steal sensitive information such as login information, financial information, and personally identifiable information)


Phishing

Phishing is one of the most common forms of social engineering. Some common warning signs include:

    • A false sense of urgency or a pressing call to action
    • Misspellings and typos in the body of the email
    • A sender address that is misspelled or does not match the person or organization the email claims to be from
    • Hovering over a link reveals a suspicious or unexpected URL
    • Strange or unexpected attachments

If you suspect an email is a phishing attempt, do not interact with it; delete the message. For more information on phishing, please visit the Avoid Phishing page.

Smishing

Smishing stands for “SMS phishing” and is a technique that uses SMS or text messaging. Attackers send a text message to their victims’ cell phone numbers, usually with wording that urges them to act immediately by clicking a malicious URL included in the message. Sometimes the message instead provides a “support” number to call, but this fake number puts the victim in direct contact with the attackers.

Common templates attackers use include:

    • A text message claiming to be from the United States Postal Service (USPS), informing victims that a package delivery to their address could not be completed and that they must click a link to confirm their address and other sensitive personal information.
    • A text message claiming to be from the company that manages the local toll roads, stating that the victim’s car passed through a toll road and payment is overdue. The victim must then click a link to “verify” payment information such as a credit card number or banking details.
    • A text message from the “Criminal Investigation Division” of the IRS claiming that a lawsuit is pending against the victim, and that the victim must call the “support” number or a warrant will be issued to the victim’s local police department for their arrest.

To protect against this sort of attack, it is always best practice to stop, read, and think about whether the message sounds or looks legitimate. Strange-looking URLs and an urgent call to action are common smishing techniques. If you are still unsure after reviewing the message, look up the confirmed, legitimate support number for the company on its official website and call to verify whether the message is genuine. When in doubt, it is always best to ignore and/or delete the smishing message.

Vishing

Vishing stands for “voice phishing” and involves an attacker calling a victim via phone to trick them into giving up sensitive information. These calls will usually show up as an unknown number or a number that the victim does not recognize.

Attackers using vishing will pose as bank representatives, tech support, a delivery company, or even as someone from a government agency. As with most other phishing techniques, vishing uses a sense of urgency to make the victim act without thinking. They may say, “you need to confirm your credit card number and security code on the back or else your account will be frozen and your funds forfeited,” or, “we have detected a virus on your computer and you will need to give us your username and password for us to remove the virus.”

Vishing will always involve the attacker asking for sensitive information, so the easiest thing to do when called by a visher is to hang up the phone. It may also be of benefit to block whatever number the visher called from.


Clickjacking

Clickjacking is short for “click hijacking” and is a technique used by attackers that tricks the victim into clicking on something that they may not be aware is there. For example, say a victim is searching for a specific product to buy online. They visit a website that talks about the product, and on the website, there is a video that is supposedly about the details of the product. Normally, one would click on the play button, and the video would start playing.

With clickjacking, an attacker plants or embeds a hidden element in the same place as the play button. When clicked, that element can do a number of things, including taking the victim to a different, malicious website, downloading malware to the victim’s machine, or giving a malicious application permissions to the hard drive. Clickjacking is very tricky to catch because the hidden element is often invisible to the victim from a user interface perspective.

To protect against clickjacking, it is best practice to avoid suspicious or shady websites. Users should always think before they click, and web browsers should always be kept up to date for added protection.

UCI Job Scam Emails

Watch out for university/UCI job scam emails. Some job scam emails come from senders impersonating UCI professors; others come from senders impersonating legitimate companies or professors from other universities. Look out for these signs in emails impersonating UCI professors:

    • The sender uses a non-UCI email address.
    • The job listing says it pays weekly. UCI does not pay weekly.
    • The sender’s name is different from the name in the email signature.
    • A professor at another university is supposedly hiring UCI students to work remotely for that university.
    • The email was sent from an @uci.edu address, but when you reply, the reply is addressed to a @gmail.com address.

Here are some items to check if the job scam email is impersonating a legitimate company:

    • Check the email address that is contacting you. A legitimate sender’s email address will match the company’s address.
    • The sender offers to hire you too quickly.
    • The sender requests bank account details and/or Social Security information upfront.
    • The job description may be vague, and the email may have poor spelling and grammar.

If you suspect an email to be a phishing attempt or a fake job scam email, do not engage with the emails or text messages. Do not reply to the sender or send any form of money (e.g., gift cards, checks, digital payments). For more information on job scams, please visit the Avoid Job Scams page.

Malvertisement

Malvertisement stands for “malicious advertisement.” We have seen this type of compromise technique affect users at our campus as well as other UC campuses. Attackers know that people often search for and access specific websites via a web browser. For example, if a person wanted to log into their bank account on the web, they might go to Google and search for their bank name, for example “Anteater Credit Union.”

Usually, Google will present the user with a list of results related to “Anteater Credit Union.” However, sometimes at the top of the list of results will be links labeled “sponsored.” This means the link is a paid ad, and sometimes attackers purchase these paid ads and register a fake URL that ultimately directs the user to a fake and malicious website.

Attackers will often make their fake URL look similar to the legitimate URL. For example, if the legitimate URL for Anteater Credit Union were “anteaterCU.com”, they might make their fake URL something like “anteaterCUbanking.com.” A user who does not notice the difference may click on the sponsored result and be presented with what they think is the legitimate login page. They log in as they normally would, entering their username and password, and once they hit enter or click the “login” button, they have sent their credentials to the attacker, who now has access to the user’s bank account.

To protect against malvertisement, bookmark known-good URLs in your web browser and use the bookmark as your primary way of accessing the site. That way, instead of possibly clicking on a “sponsored” result, you are clicking on a known-good URL and being directed to the legitimate website. It is also best practice to be mindful of search engine results before you click on them, keeping an eye out for “sponsored” results that may be fake websites.