
A Guide to Social Engineering and Phishing at OHIO

Cybercriminals are constantly evolving their tactics, and social engineering remains one of the most effective ways to exploit human behavior. At Ohio University, protecting personal and institutional data is a shared responsibility. This guide will help you recognize common social engineering attacks, especially those delivered via email, and show you how to report them effectively.

What is social engineering?

Social engineering is a manipulation technique used by cyber threat actors to trick victims into providing sensitive information or performing actions that compromise security. These attacks can arrive through any of the following channels:

  • Email & text messages
  • Phone calls
  • Websites or ads
  • In-person interactions 

The objectives of social engineering include stealing credentials, installing malware, gaining unauthorized access to systems, and receiving money or other resources for fraudulent purposes.

Common social engineering attacks at Ohio University

Phishing is the top social engineering attack on businesses, responsible for more than 90% of security breaches. Phishing occurs when a bad actor sends fraudulent emails, text messages, or Teams messages to convince you to disclose sensitive information, either through your replies or by clicking on links.

Vishing, or voice phishing, involves social engineering over the phone. A bad actor may pretend to be a trusted source to seek sensitive information, such as:

  • Your username and password
  • Multi-factor authentication code
  • Banking or personal information

If you are unsure about a caller’s identity, hang up and call back using verified contact information.

Baiting is a social engineering attack in which a bad actor “baits” an individual into performing an action, such as installing malware on a device or sharing personal information, through malicious web advertisements. Clicking the advertisement launches a fake pop-up message that may include the following:

  • Loud noises
  • Flashing phone number
  • Urgent message claiming the device is infected

Calling the phone number often leads to financial fraud or data theft. The bad actor will ask for money for performing their “service”, or they will attempt to access the device by having the victim install screen-sharing software, which lets them read personal information or install actual malware.

Identifying malicious messages 

Here are some characteristics of a phishing message that will help you identify malicious emails:

  • Unsolicited. Be cautious of emails that you were not expecting to receive.
  • Often, unsolicited emails come from senders outside of the university. At OHIO, emails originating from external senders have an “External” tag in the subject line and a light-yellow band at the top of the message that reads: use caution with links and attachments.
  • Too good to be true. If it sounds too good to be true, it probably is. Part-time job scams often offer to pay an exorbitant amount of money for a simple task.
  • Asking for personal or financial information. Report emails asking for personal information. For example, the IT department would never email you a link requesting that you provide your university credentials to keep your account active.
  • Deceptive web links. Hover your mouse over the hyperlink to view its true destination. If you don't recognize it, don't click it.
  • Variations of legitimate addresses. For example, an email address ending in @ohio-edu.org instead of @ohio.edu.
  • Fake sender's address. Click the sender's name to view the email address; if the address is not one you recognize for the alleged sender, proceed with caution.
  • Requesting urgency. Urgency is meant to pressure you into acting quickly so that you don't notice the suspicious elements.
  • Fraudulent sites often don't use HTTPS. The "s" stands for secure. Never sign into websites that are not using HTTPS; keep in mind that HTTPS by itself only means the connection is encrypted, not that the site is legitimate.
  • Misspelled words and bad grammar. Historically, phishing emails often contained misspellings and grammar issues; however, with the development of artificial intelligence, phishing messages are much harder to spot using this indicator.
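
As an added illustration of the indicators in the list above (this script is not part of the original guide and is not an Ohio University tool), the Python code below parses a constructed email and flags the same signals a reader is told to look for: an external or lookalike sender domain (the @ohio-edu.org versus @ohio.edu example), link text that does not match the link's real destination, links that do not use HTTPS, urgency language, and requests for credentials or codes. The trusted-domain set, the urgency phrases, the credential keywords and the two sample messages are assumptions built for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Institutional domain from the guide; any other sender counts as external.
TRUSTED_DOMAINS = {"ohio.edu"}
# Constructed list of pressure phrases (assumption); extend it from your own reports.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "act now")
CREDENTIAL_WORDS = re.compile(r"\b(password|passcode|mfa code|verification code)\b")
# Link text that itself looks like a URL or host name, e.g. "my.ohio.edu/account".
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host: login.ohio-edu.org -> ohio-edu.org (simplified, no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like(domain, trusted):
    """Heuristic: does `domain` imitate a trusted domain once dots and dashes are removed?"""
    squashed = re.sub(r"[^a-z0-9]", "", domain.lower())
    for t in trusted:
        if domain.lower() != t and re.sub(r"[^a-z0-9]", "", t) in squashed:
            return True
    return False


def analyze(raw_email):
    """Return the list of phishing indicators found in an RFC 822 message string."""
    msg = message_from_string(raw_email)
    findings = []

    # Sender domain: external, and possibly a lookalike of the trusted domain.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if sender_domain and registrable_domain(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(f"external sender: {sender_domain}")
        if looks_like(registrable_domain(sender_domain), TRUSTED_DOMAINS):
            findings.append(f"lookalike domain: {sender_domain}")

    # Collect the text/HTML body across all MIME parts.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")

    # Links: scheme, real destination, and displayed text versus real destination.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        target = urlparse(href)
        host = registrable_domain(target.hostname or "")
        if target.scheme and target.scheme.lower() != "https":
            findings.append(f"non-HTTPS link: {href}")
        if host and host not in TRUSTED_DOMAINS:
            findings.append(f"link to external site: {host}")
        shown = URL_LIKE_TEXT.match(text)
        if shown and host and registrable_domain(shown.group(1)) != host:
            findings.append(f"deceptive link text: shows {text}, goes to {host}")

    # Urgency language and requests for credentials in subject or body.
    lowered = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    if CREDENTIAL_WORDS.search(lowered):
        findings.append("requests credentials or codes")
    return findings


# Constructed sample messages (not real reports from the Phish Bowl).
SAMPLE_PHISH = """\
From: OHIO IT Service Desk <helpdesk@ohio-edu.org>
To: student@ohio.edu
Subject: [External] Action required: your account will be suspended
Content-Type: text/html; charset=utf-8

<p>Your mailbox is full. Verify your password immediately at
<a href="http://login.ohio-edu.org/verify">https://my.ohio.edu/account</a>
to keep your account active.</p>
"""

SAMPLE_LEGIT = """\
From: Registrar <registrar@ohio.edu>
To: student@ohio.edu
Subject: Spring schedule posted
Content-Type: text/html; charset=utf-8

<p>Your schedule is available at <a href="https://my.ohio.edu/schedule">my.ohio.edu</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample) or ["no indicators found"])
```

Run it on a saved `.eml` file by reading the file into `analyze()`. The findings are a triage aid for a reader or help desk, not a verdict: a message with no hits can still be malicious, and one with hits still belongs in the reporting process described in the next section.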

Reporting phishing at OHIO

The Phish Bowl is a tool designed to promote phishing awareness by documenting campus-wide phishing messages that are reported to the Information Security Office. As phishing messages with wide impact are reported, they are posted on the Phish Bowl along with a verdict and a date.

If you receive a phishing message that is not on the Phish Bowl, or if you would like assistance in determining the legitimacy of a message, please forward the email as an attachment to security@ohio.edu. You can learn how to forward as an attachment here.

What to do if you clicked a link

If you clicked on a link in a phishing message and entered your OHIO ID and password, change your password immediately. If you need assistance changing your password, contact the IT Service Desk at 740-593-1222 or servicedesk@ohio.edu.

Additional phishing resources

Here at OHIO, the Information Security Office provides multiple resources to help identify social engineering and prevent our community from falling victim to scams. Be sure to check out the resources below:

  • Request a simulated phishing exercise facilitated by the Information Security Office for your team or department to test their skills at identifying phishing messages.
  • Online IT Security Training through Vector Solutions is free training that teaches the OHIO community tips and tricks on how to spot phishing messages. The course titled Cybersecurity Awareness for Educational Leaders: Safeguarding Against Social Engineering Attacks is a great way to learn more about these types of messages. Check out this Knowledge Base article on how to self-enroll.
  • Visit StaySafeOnline for a wide variety of educational resources to learn how to protect yourself, your family, and your devices.