Last week, I posted an article to raise awareness of the challenges of protecting higher education from ransomware attacks. Ransomware is a growing challenge, as both the number of attacks and the amount demanded per ransom keep increasing. Attackers go after targets that are financially viable and easier to compromise, and universities appear to be among them. There are different ways of launching successful malware and ransomware attacks. Social engineering remains the most frequently used attack vector, with various forms of phishing a common delivery method.
This week, I will reflect on my time in higher education, to offer an insider perspective on what it means to receive various phishing emails. Keep in mind that the goal of these emails was likely not to launch a ransomware attack. Nonetheless, the social engineering tactics they employ are the same ones that could be used for malware delivery. It is crucial to remain critically aware of what these tactics are and how they work.
The number of phishing emails any PhD student gets is significant. There are invitations to submit to conferences and journals you have never heard of. Granted, western universities raise awareness among staff to avoid predatory conferences and journals. They protect researchers from publishing in journals without proper quality and legitimacy checks. Such publications would damage both the researcher’s and the university’s reputation.
Other emails stand out because they appeal to your ethics, values, or cultural norms. Often these emails are a plea for help from prospective students in the Global South. The senders claim to be in financial need and unable to secure a spot at the university. Of course, a financial entry barrier can be very real for many people. That’s why universities have grants and scholarships for students from minority backgrounds. These emails hint at an ethical and social responsibility to support less privileged individuals. A strong sense of this responsibility exists in many western cultures. It is a good motivator for action, and one that can be exploited for malicious ends.
It doesn’t stop with these broad phishing attempts. Some emails are targeted at single individuals (also known as spear phishing). Spear phishing attempts often use personal information from the web to appear legitimate. A common tactic is to exploit power relationships. How likely are you to identify an urgent request from your supervisor as phishing? This took me a moment. The attacker impersonated my supervisor, asking me to buy a bunch of gift cards. These were allegedly needed for a conference or a research meeting. At first, the request might sound odd but not entirely unreasonable. A closer look revealed a spoofed email address.
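As an added example (not code from the original post), this is the kind of header check that the "closer look" amounts to: the display name claims to be the supervisor, but the sending address and the Reply-To sit on outside domains, and the body carries an urgent gift-card request. The organisation domain, the names and the sample message are constructed assumptions.

```python
"""Flag the header tells of a supervisor-impersonation email (added example)."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-university.edu"  # assumed home domain of the recipient

# Constructed sample modelled on the anecdote: the display name is the
# supervisor's, but the address is on a free-mail domain and replies are
# steered to yet another mailbox.
SAMPLE_EMAIL = """\
From: "Prof. A. Supervisor" <a.supervisor.office@freemail.example>
Reply-To: <conference.desk@another.example>
To: phd.student@example-university.edu
Subject: Urgent - need gift cards before the meeting

Are you in the office? I need you to buy some gift cards for the
research meeting today. Send me the codes as soon as you can.
"""


def _domain(addr):
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_red_flags(raw):
    """Return the reasons a message looks like a spoofed internal request."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    flags = []
    # A friendly display name on top of an address outside the organisation.
    if name and _domain(from_addr) != ORG_DOMAIN:
        flags.append(f"display name '{name}' but sender is outside {ORG_DOMAIN}: {from_addr}")
    # Replies quietly redirected to a different mailbox than the sender's.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        flags.append(f"Reply-To domain differs from From: {reply_addr}")
    # The pretext itself: urgency plus an unusual purchase request.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if "gift card" in text and any(w in text for w in ("urgent", "as soon as")):
        flags.append("urgent gift-card request in subject or body")
    return flags


if __name__ == "__main__":
    for flag in header_red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

A legitimate message from the supervisor's own university address, with no Reply-To redirection, produces no flags; the check is a prompt to stop and verify out of band, not a verdict.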
Whether you are a PhD student or an employee at a company, you will be part of a hierarchical structure. This means power imbalances are designed into your organizational structure. In this structure, it matters to you that your boss considers you a valuable employee. After all, your professional career is in their hands. If a request seems unusual, take a closer look. Ask yourself whether what you are being asked to do is in line with company policy or seems highly irregular. If you normally (following standard policy and procedure) wouldn’t do what you are being asked to do, don’t do it.
Digital communication undoubtedly accelerates and simplifies business and social life. Gauging a communication partner’s true intention over text or email is hard, however. Non-verbal tells and situational context are simply lacking. Written digital communication forces us to contextualize information in light of our own experience. Evaluating the authenticity of a message is a very different challenge altogether.
These small anecdotes illustrate that the floodgates for social engineering are open. People with malicious intent manipulate others into performing actions that benefit the attacker. What can you do?
- Remain self-aware of your own biases and inclinations.
- Remain critical and doubtful of the authenticity of any messages.
- Stop and investigate if things strike you as odd. Don’t reply to the email.
- Report the attempt to your organization’s infosec or IT department.
Plenty of resources and recommendations to educate yourself further are available online.