The goal of these attacks is to trick the target into performing an action — clicking on a link, sharing credentials or even providing payment in some form — that will allow the hacker to infiltrate the network or profit in some way.
Phishing is a common form of social engineering that has become quite sophisticated.
“Phishing emails used to be filled with a lot of misspellings and poor grammar. Today, phishing can appear to be very real, and in some cases, cybercriminals will actually study the victim so that they can establish a believable pretext,” Sorady says.
How Are Cybercriminals Targeting Victims of Social Engineering?
Because of the additional research cybercriminals conduct on their victims, phishing emails may look much more believable than recipients expect. Scammers may include school-specific information or bait staff with emails that appear to come from principals, superintendents or other K–12 leaders.
And emails aren’t the only form of communication used in social engineering attacks. Phishing via text messages or phone calls — known as smishing or vishing, respectively — is also a threat to school security.
Over 90% of cyber attacks involve some form of social engineering, a manipulation tactic where a hacker exploits human frailty to gain private information – that may be from not having good online #cybersecurity habits to being outright exploited by a malicious actor. (1/2)
— Proton (@ProtonPrivacy) October 12, 2022
Well-researched social engineering attacks also target victims during particularly busy times of the year.
“With K–12, the beginning of the school year or the end of the semester can be chaotic,” Sorady says. This may be when hackers attempt to social engineer someone in a school district, because “people might not be paying as close attention.”
How Can Schools Prevent Social Engineering Attacks?
The best way to protect against social engineering attacks is to train staff to recognize and resist the threats.
“When you get an email that says your account has been compromised, you’re panicked, and you have this rush of adrenaline and fear. You have a physical reaction to what you just read,” says Dove. “Scammers want you to act in that window in which you’re still under this visceral influence.”
It’s important to train staff and educators not to act impulsively, even when in a heightened emotional state. Train them on the signs of social engineering and what they should do if they believe they’ve received a fraudulent communication, such as alerting the IT department.
Additionally, all staff should be reminded not to put personal information online. This info helps threat actors conduct research on potential victims and craft more believable attacks. School personnel should also use different passwords for each of their online accounts, which will prevent credential stuffing if scammers acquire one of their passwords.
Even though social engineering targets people rather than systems, some technologies can still help protect a school from these attacks.
Endpoint protection and spam filters can keep phishing emails from reaching targets, and they can protect a district’s network in the event a user inadvertently clicks a malicious link.
Multifactor authentication is another solution that can protect staff from social engineering.
“If somebody is tricked into giving away their user ID and password, the attacker wouldn’t likely have the multifactor code or the user’s phone to retrieve the password,” Sorady says. “Unfortunately, no technology is perfect, and attackers are finding ways around solutions almost as fast as we can put them in. So, again, users are going to be your last line of defense.”