
Scammers targeting Warwick: Social Engineering

In light of cybercriminals targeting Warwick staff, IDC have prepared guidance on social engineering, the methods used by scammers and how to defend against them.

The IDC team will also be hosting a Windows on Warwick session on the subject on the 24th April, 28th May and 25th June 2019. Sign up here: https://warwick.ac.uk/services/ldc/development/wow/phishing

Social engineering is about manipulating individuals so that they give up confidential information. The information scammers seek varies, but people who are targeted are usually tricked into giving up their passwords, personal data or bank information, and/or access to their computer through the installation of malicious software.

Criminals use social engineering tactics because misusing trust is usually easier than finding ways to hack software: it is much easier to fool someone into giving out their password than to try to crack it (unless the password is weak).

The following guidance aims to raise awareness of social engineering by providing examples and types of methods used by scammers and tips on how to defend against them.

Examples of Social Engineering

Contact from a friend

Scammers who gain access to an email account send messages to its contacts, e.g. a friend’s email account may be compromised, so you receive scam messages that appear to come from them. The scammers may try to get you to click a link or download an attachment in order to take control of your account, install malicious software or steal data.

Contact from a trusted source

A form of phishing involves scammers pretending to be trusted sources like banks, tech companies or your place of work. They will try and steal your login credentials or other sensitive data or inject malicious software. It is common for scammers to mimic University staff.

Answering your unasked questions

These attempts rely on trusted authority and involve the scammer posing as a well-known organisation. They might claim to be responding to your request to fix a problem e.g. they may claim to be from Microsoft and want to take control of your machine to remove a virus.

Creating distrust

Perpetrators of this may include people you know personally. They gain access to others’ accounts (such as email or social media) and use them to spread lies and incriminating material through messages, doctored images etc. Their goal is either extortion or reputational damage.

Trust and Authority

Scammers will appear to come from legitimate sources or people you know.

Urgency

They will present scenarios that need you to act as soon as possible to make you panic and not stop to think.

Generosity

You may be exploited by requests for charitable donations in response to a distressing story.

Verification

Fake log-in screens or stories which involve you needing to verify yourself are used to harvest log in credentials and other data.

Temptation

Scammers might tell you you’ve won a valuable prize, tempting you to take the risk and hand over data or control to claim it.

Types of Social Engineering

Contact IT helpdesk or IDC immediately if you feel you are being targeted by scammers. Follow the advice below to avoid falling victim.

Phishing

Method: Typically involves sending emails to many recipients, usually to get victims to click links or reply with information.

Defence: Don’t reply to, or click on, links you are unsure of. Check a company’s email address against its official website, protect your devices with anti-virus software and apply strong spam filters in your email settings.

Spear-phishing

Method: Targeted at you specifically, and uses information about you to sound more convincing. An example is scammers pretending to be management staff and asking you for data or money.

Defence: If they claim to be a person you know, contact that person by other means to verify the request.

Whaling

Method: Spear-phishing attempts aimed at senior individuals in an institution. Scammers put more effort into these because the potential pay-out is greater.

Defence: If you are a senior (higher grade) University member, be aware that you may be targeted in this way.

Shared Document phishing

Method: Fake messages claiming that a document has been shared with you.

Defence: Do not click suspicious links or download files you are not expecting to receive.

Vishing

Method: Vishing is short for ‘voice phishing’. Scammers call their targeted individuals on the phone to convince them to part with confidential information.

Defence: Be suspicious of unknown numbers and unsolicited calls. Do not agree to hand over sensitive data or install software on your device on the advice of people who call you. If they claim to be from a legitimate source, find contact information on an official website and call them back.

SMShing/Smishing

Method: SMShing and smishing both refer to phishing attempts sent by text message. The same principles as for other phishing attacks apply.

Defence: Search online for the number to see whether it is official, or whether others have reported it on forums as a scam. Don’t click suspicious links or reply to texts you suspect are SMShing attempts.

Social Media Phishing

Method: Scammers make use of social media. They may create fake profiles that look real, exploit existing profiles and use your publicly available information to trick you.

Defence: Be wary of unsolicited messages. Do not click links that look suspicious or come from strangers.
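The phishing, spear-phishing and shared-document entries above describe patterns that can also be checked mechanically before a message reaches a person. The following script is an added example, not part of the University’s guidance or any IDC tool: it parses a raw email with the Python standard library and flags a look-alike sender domain, a display name that shows a different address from the real sender, a Reply-To that diverts replies elsewhere, link text that shows one site while the link goes to another, and urgency wording. The trusted domain list, the urgency phrases and both sample messages are constructed assumptions for the demonstration.

```python
"""Heuristic phishing indicator checks over a raw email message.

Added example, not part of the guidance page. Flags the patterns the
table above describes using only the standard library. TRUSTED_DOMAINS,
URGENCY_PHRASES and both sample messages are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

TRUSTED_DOMAINS = {"warwick.ac.uk"}  # assumption: your organisation's own domain(s)
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "will be suspended")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def body_texts(msg):
    """Yield (content type, decoded text) for every text part of the message."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            yield part.get_content_type(), raw.decode(part.get_content_charset() or "utf-8", "replace")


def phishing_indicators(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # 1. sender domain that is a near-miss of a trusted one (a letter or two changed)
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(from_dom, trusted) <= 2:
                findings.append(("lookalike-domain", f"{from_dom} resembles {trusted}"))
    # 2. display name that carries an address whose domain differs from the real sender
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != from_dom:
        findings.append(("display-name-spoof", f"name shows {m.group(0)}, sender is {addr}"))
    # 3. replies silently diverted to another domain
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(("reply-to-mismatch", f"Reply-To {reply_to} is not at {from_dom}"))
    for ctype, text in body_texts(msg):
        # 4. link text that shows one site while the href points to another
        if ctype == "text/html":
            parser = LinkExtractor()
            parser.feed(text)
            for shown, href in parser.links:
                if host_of(shown) and host_of(shown) != host_of(href):
                    findings.append(("link-mismatch", f"shows {shown}, goes to {href}"))
        # 5. urgency language intended to stop the reader pausing to think
        hits = [p for p in URGENCY_PHRASES if p in text.lower()]
        if hits:
            findings.append(("urgency", ", ".join(hits)))
    return findings


# Constructed sample: a spoofed "helpdesk" message (not a real email).
SAMPLE_PHISH = """\
From: "IT Helpdesk - helpdesk@warwick.ac.uk" <alerts@warwlck.ac.uk>
Reply-To: recover@mail-verify.example
To: staff@warwick.ac.uk
Subject: Action required: mailbox verification
Content-Type: text/html; charset=utf-8

<p>Your mailbox will be suspended within 24 hours unless you verify it immediately.</p>
<p><a href="http://warwlck.ac.uk/verify">https://warwick.ac.uk/verify</a></p>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
SAMPLE_BENIGN = """\
From: "Jane Doe" <jane.doe@warwick.ac.uk>
To: staff@warwick.ac.uk
Subject: Minutes from today's meeting
Content-Type: text/plain; charset=utf-8

Hi all, the minutes are attached. Jane
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, phishing_indicators(sample) or "no indicators")
```

These checks are indicators, not a verdict: a genuine external partner may legitimately use a Reply-To, and a mailing list may rewrite links, so the output is best used to route a message for the kind of out-of-band verification the Defence column recommends rather than to block it outright.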


All Warwick staff must ensure that they have completed their mandatory GDPR and Information Security training courses. These will provide further guidance on how to defend against these scams and best practice for all other information security and personal data related issues.