Hacking is much easier than Hollywood makes it look

Hollywood has conditioned us to believe that hacking is a thrilling, high-stakes crime full of frenzied typing, loud sirens, and – for some reason – yelling (so much yelling). Who can forget the infamous NCIS episode involving Abby’s computer being hacked, and the very effective method of not one, but two characters pounding on a keyboard to thwart said hacking? (It is truly Emmy Award-winning material.)

In real life, however, hacking is typically far less dramatic and can be done in much simpler ways, without even using software. So much of our personal information is online that hackers can easily use it to obtain confidential information about you.

Social Engineering: Low-Tech Hacking

Social engineering is the art of gaining access to buildings, systems, or data by exploiting human psychology. A hacker could try to gain access to data by finding a system flaw, but it’s much easier to contact an employee, pose as an IT technician, and get that employee to provide their password.

And how do these social engineers even find out where you work? Hackers take advantage of sources like LinkedIn, social media accounts, and company websites to learn all about you, and then call you or send phishing emails to extract information, such as financial and personal data.

How to prevent social engineering scams

We’re not suggesting you shut down your LinkedIn account! However, there are certain things you can look out for to thwart social engineers:

  • Be mindful of any communication pushing you to make a quick decision: URGENT! YOUR ACCOUNT WILL BE CLOSED! Statements like these can push you to act without thinking of the consequences. One example we frequently see is phishing emails from hackers posing as support technicians, claiming your email account will be closed unless you log into an ITS site. The linked site, which is a fake WCM site, then collects your login credentials. If an email ever looks suspicious, you should forward it as an attachment to spam@med.cornell.edu for further investigation.
  • Never give your password to anyone. This goes for any accounts, but at WCM, ITS will never ask for your password, and you should never provide it to anyone. Maintain strong passphrases, as mentioned in a previous tip.
  • Do your own fact-checking. If you receive a call claiming to be from your bank and asking for your account details, you can always go to your bank’s website, look for their customer service number, and call back to verify whether there’s an issue with your account. Social engineers may have access to a wealth of information, but so do you. Do your research before taking any rash actions.

The most important thing to remember is that social engineers will use information about you to gain your trust. You should always be suspicious of unsolicited emails, texts, phone calls, and even physical mail phishing for more details about you. Additional information on phishing scams can be found on our website at phish.weill.cornell.edu.

October is National Cyber Security Awareness Month, an annual collaborative effort between government and industry to ensure we have the resources you need to maintain your security online. Throughout October, we’ll be sending you tips on protecting your information and avoiding malicious attempts to extract your personal data. See our past tips here.
