March/April: Guard Against Social Engineering: the Ever-Evolving Threat
What is social engineering?
Any effort to trick users into providing confidential information is called social engineering. Social engineers rely on people, rather than on holes in computer security, to obtain sensitive information via e-mail, the Internet, or the phone.
Social engineering includes an ever-changing range of scams, from sending viruses a few years ago to more recent phishing e-mails. As the public and the legal system become more aware of a particular scam, social engineers find new ways to trick users.
Recent social engineering scams include phishing, spoofing and pharming. In each case, scammers create a familiar context so that their requests for personal information seem legitimate. One phishing attempt uses the Northwestern logo and impersonates University staff members in order to get users to give up passwords and other information.
Northwestern University Information Technology's (NUIT) E-mail Defense System (EDS) will catch many of these scam e-mails and place them in quarantine. If a social engineering attempt makes it to your inbox, protect yourself by maintaining firewall settings and up-to-date antivirus and anti-spyware software. Most importantly, be skeptical of messages that don't seem quite right, keep passwords/passphrases secret, and check the legitimacy of any requests for information.
Federal and local legislation, as well as lawsuits by Microsoft and AOL, aim to stop known social engineers and prevent future scams. In the meantime, the best protection is awareness.
What should be protected and why?
- Your NetID and password/passphrase - Protecting these keeps hackers off the NU Network, which safeguards the integrity of personal and academic data and keeps the NU Network functioning properly.
- All passwords and account numbers - Protect personal information and financial data against theft, impersonation, or misuse.
- Social security number - Protect against identity theft.
What do social engineering scams look like?
- Phishing e-mail comes from what looks to be a legitimate third party, using familiar logos and colors. The "from" field may show a familiar address. In the message, links may appear to lead to the third party's Web site, but actually lead to a spoof Web site. A common phishing message uses University logos and colors, is signed "University Administration" and requests personal information. Learn how to protect your e-mail from many phishing and junk e-mails on NUIT's E-mail Defense System Web site.
- Pharming techniques are more difficult to spot. Pharmers send e-mails containing viruses that redirect your browser to a fake Web site when you think you have navigated to a legitimate site. The spoof site then requests login or account information. By first planting virus seeds, pharmers later harvest sensitive information. Learn how to protect your computer on the NUIT Spyware Treatment & Prevention Web site.
- Another form of pharming is even more difficult to detect. Every Web site has an alphanumeric name that corresponds to a numeric address on the Internet. Pharmers can change the address the real site name points to so that it leads to a fake site, without the user being aware of it.
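The phishing traits described above (a link whose visible text shows one site while its target is another, a target outside the organization's own domains, and a login link that is not "https://") can be checked mechanically. The following is an added example written for this page, not NUIT's code or part of the E-mail Defense System; the trusted domain list and the sample message are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches the domain a reader *sees* in link text, e.g. "www.northwestern.edu".
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_site(a, b):
    """True if one host is the other or a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def flag_suspicious_links(html_body, trusted_domains):
    """Return (href, reason) pairs for links showing the phishing traits above."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        target = (parsed.hostname or "").lower()
        shown = DOMAIN_RE.search(text)  # domain displayed to the reader, if any
        if shown and not _same_site(shown.group(0).lower(), target):
            findings.append((href, "text shows %s but link goes to %s" % (shown.group(0), target)))
        elif not any(_same_site(target, d) for d in trusted_domains):
            findings.append((href, "points to untrusted host %s" % target))
        elif parsed.scheme != "https":
            findings.append((href, "personal data would be sent over plain http"))
    return findings


# Constructed sample message for demonstration (not a real phishing e-mail).
SAMPLE_EMAIL = """<p>Dear user, your NetID will expire. Signed, University Administration</p>
<a href="http://nu-verify.example.net/login">https://www.northwestern.edu/netid</a>
<a href="https://www.northwestern.edu/netid">northwestern.edu</a>
<a href="http://nu-verify.example.net/reset">Click here</a>
<a href="http://www.northwestern.edu/login">Reset your password</a>"""
```

Running `flag_suspicious_links(SAMPLE_EMAIL, ["northwestern.edu"])` flags the first, third and fourth links and passes the second, which is the only one a user should type into a fresh browser window.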
Protect Against Social Engineering
- DO have a security mindset. Always be skeptical of unfamiliar sites and links, suspicious e-mail and IM messages, and any unprompted requests for personal information.
- DO protect information. Keep your NetID password/passphrase secret and be skeptical of any requests for personal information.
- DO use IM safely. Social engineers can send scams via IM, so block IM attachments and filter IM traffic so that you only receive messages from trusted sources.
- DO browse Web sites safely. Look for "https://" in the address of any site into which you enter personal information; this indicates a secure connection.
- DON'T click on links directly from e-mails. Open a new browser window and type the address yourself.
- DON'T reply to phishing e-mails. Never reply to phone calls, e-mail, or pop-up messages asking for personal or financial information, and be skeptical even of messages that appear to come from organizations you do business with.
- DON'T let security software lapse. Maintain up-to-date antivirus and anti-spyware software, and keep firewall settings active.
If You Suspect You Are a Victim of Social Engineering:
- File a report with the local police department. To report incidents on campus, call University Police (UP) at extension 456 from any campus phone. From outside the University, call UP at 847-491-3456 (Evanston) or 312-503-3456 (Chicago).
- Visit the FTC's Identity Theft Web site to get information about contacting credit bureaus, closing accounts, and filing complaints.
NUIT Support Center
Central helpdesk for faculty, staff, and students.
847-491-HELP (4357)
consultant@northwestern.edu
Last Updated: 07 July 2008