Most cyber attacks start with people, not computers. Con artists were around long before email and social media; now they have faster, more scalable tools to exploit trust.
Social engineering tricks people into sharing passwords, clicking malicious links, or bypassing normal procedures. Once attackers gain access, they can move laterally into systems you use, potentially accessing sensitive information or sending messages in your name.
Cybercrime exists across two primary attack surfaces:
Technical (system-level threats): vulnerabilities in software, networks, and systems.
This is what most people think of when discussing cybersecurity: the protection of computers by firewalls, routers, passwords and more, usually left to IT professionals.
Human (trust-level threats): vulnerabilities in attention, trust, urgency, and authority perception.
This is usually the starting point. It is the area of social engineering, scams, ID theft, phishing, deception and fraud.
This is where you come in.
Contrary to popular belief, most successful compromises begin with human interaction rather than a purely technical failure. Deception and fraud long predate computers. Email, text messaging, and social media simply give bad actors faster, more scalable tools to exploit trust.
Social engineering is the deliberate manipulation of trust to persuade someone to take an action they would not normally take, such as revealing credentials, approving a transaction, or granting access. Similar persuasion techniques are used legitimately in sales and politics, but in cybersecurity the term refers to deceptive practices such as phishing and spear phishing.
Keep these principles in mind:
Legitimate companies and support technicians will never ask for your password.
Passwords should only be entered on official authentication pages.
Never submit a password through email, text message, or online forms such as Google Forms.
Don't provide your MFA passcode to anyone via text or on the phone.
If a message creates urgency or pressure, pause and verify through a trusted channel.
Cybersecurity depends on both hardened systems and informed users. Technology can block many threats, but informed judgment is often the first and most effective line of defense.
Cybersecurity company KnowBe4 has some great articles about social engineering. Take a look at their comprehensive What is Social Engineering page for a detailed look at the subject.
Social engineering can be found in:
email - phishing and spear phishing
phone calls/voice mail - vishing
text messages - smishing
face-to-face - yes, some people still do things the old-fashioned way
Here are some things to look for:
Most attempts to get you to hand over your money or personal information include some kind of urgent language to get you to comply.
We all want to avoid inconvenience or problems, so scams often threaten some kind of consequence for non-compliance.
Offers that just seem too good to be true are almost always scams. The classic Nigerian prince who will share part of his fortune with you if you just help him hide it for a while does not exist. The latest schemes involve high-pay/low-work jobs. Be careful: these are often sent from a trusted contact whose account was compromised.
These scams often involve you providing your banking information or even "seed" money to get things going, and promise a windfall to come.
Most scams include a warning to "act now" to avoid the consequence or penalty. This is to reduce your time to think about what you are doing.
When someone contacts you claiming to be from a service provider, business or other entity and asks for information that they should already know -- like your account number or Social Security number -- or something that they have no business knowing -- like your account password or other personal information -- it is a good bet that they are not who they say they are.
You should never have to verify your password. That would be like verifying your house key; you do that every time you unlock your door. Every time you log in, you are "verifying" your password. When someone asks you to verify your password in a place that is not the normal login area, they probably want to steal it.
The HCC Help Desk will never ask you to verify your password or have you type it in a Google Form.
Do not think that you are safe from attacks just because you are using a mobile phone. Smartphones are mini computers and, like any other computer, susceptible to hacks. It is less likely, though, that the phone itself will be compromised; more often it is used as a way to get an unsuspecting user to give information to a social engineer.
In addition, connecting to a compromised wireless (Wi-Fi) network can allow a bad actor to intercept your information.