This guide will give you some basic information to help you identify and avoid social engineering attacks.
What is Social Engineering?
Social engineering is the art of manipulating people into giving up confidential information or access to restricted areas. These attacks can come through emails, text messages, over the phone, via social media, in person, and more. Someone launching a social engineering attack won’t ask one person for all the information they need. Instead, they will gather a lot of seemingly harmless information from many sources and use it to look legitimate.
Examples of Common Social Engineering Attacks
Best Practices to Avoid Social Engineering
Understand Common Plays and Scams Used by Social Engineers
Understanding how social engineering attacks work can help you identify and stop them. Social engineering normally requires a chain of increased access, where attackers gain more information at each stage, making them more credible to each new person they communicate with. Catching these attacks early can break this chain of access and stop them. When communicating with someone you don’t know, be sure to consider how the information you provide might be misused.
Always Follow Policies and Procedures
Anyone with a legitimate claim to information or access to machines or areas should never be upset with you when you adhere to policies and procedures. If a situation makes you feel uncomfortable, reach out to others.
There are a number of university policies to follow. For example, never share your password or enter your password for another person, never leave your computer unlocked or unattended, and never allow someone entrance into buildings or rooms restricted by key or keypad access.
Verify Information Using Official Sources
Someone launching a social engineering attack will often have conducted thorough research, collecting information from a number of sources to avoid suspicion, and will have created fake resources to help strengthen the attack.
For example, someone claiming to be from a credit card company or phone company may set up a fake phone number and tell you to contact the number to verify their identity. Instead of relying on information given to you by someone you don’t know, locate the company’s legitimate phone number to verify the person’s claim.