Cyber Security Awareness Month: Social Engineering and Protecting Your Identity
LEXINGTON, Ky. (Oct. 4, 2017) — University of Kentucky Information Technology Services is providing tips and advice throughout Cyber Security Awareness Month. Below is the first in a series of stories, focused on identity protection.
Social engineering is the process of retrieving/obtaining personally identifiable information (PII) for fraudulent means, typically through manipulation (e.g., phishing, spear phishing). Social engineering attacks have existed for over a decade during which time a large industry centered on PII theft has thrived. Over the past three years more than 250 million confidential business records were reported lost or stolen. Here are some quick tips to help keep your PII safe:
- Be social media aware. When people post to social media or access their email accounts they tend to believe that they’re in control of their information. However, PII is very often present on social media and within the email account that you utilize every day.
- Every time you step away for a meeting or even a short walk, locking your computer screen can help keep you safe. When you leave your computer unattended without locking your screen, you put information that is specific to you — along with the information of everyone you are in contact with — at risk.
- Create strong passwords. Strong passwords usually contain:
- more than eight characters;
- at least one number;
- upper and lowercase letters; and
- at least one special character (!,*,?).
- Create unique passwords for every online account.
- Connect to a secure network. While on campus, stay connected to the eduroam WiFi network.
Phishing emails are messages that ask for personal information such as social security numbers, phone numbers and account login credentials. Cyber criminals send these messages to large groups of people with the hope that a few responses are returned. Spear phishing attacks are written and tailored to a more defined group of people using information that pertains directly to the recipients. The elements of a spear phishing attack are often gathered from social media accounts, public resumes (including LinkedIn) and other sources.
Learning to avoid phishing emails and identify “phishy” websites is a skill that will help protect your personal information. Here are some tips for spotting phony emails:
- Email from someone you don’t know or haven’t done business with recently or ever.
- The sender’s email has an unusual ending (e.g. “.xyz”).
- Spelling errors or poor grammar.
- Strong encouragement to open a link or submit personal information with a threat of losing certain services.
- Suggests the likelihood of aggressive legal ramifications.
- A strong sense of urgency is emphasized.
- The email does not contain your name but simply refers to you as “Account Holder” or “Customer.”
If you question whether a message you receive is credible, ignore the message or ask the sender to verify that they sent the message in a separate email. Another best practice is to send questionable emails to Information Technology Services (ITS) for review at IsThisEmailSafe@uky.edu.
For additional questions, please contact Security@uky.edu.