Hacking humans: Protect yourself against social engineering attacks

June 28, 2022  //  FOUND IN: Updates & Resources

Current cybersafety public intelligence suggests that social engineering attempts for health system staff in critical care areas (e.g., emergency department, intensive care units, operating rooms, etc.) are particularly high in our nation at the moment.

Social engineering is the use of deception and manipulation to coerce unsuspecting victims into divulging personal, sensitive and/or confidential information.

While all of us have our own particular information we want kept private (e.g., bank accounts, garage door codes, etc.), a great deal of critical care employees also have access to highly sensitive data, along with IT and life-saving systems.

Understanding how to protect institutional sensitive data and IT/life-saving systems is imperative to ensuring we protect our patients, workforce and institution.

Example social engineering exploitation vectors:

  • Phishing

By far the most prevalent vector of cyberattacks to date is phishing: the fraudulent practice of sending emails or text messages that appear to come from a reputable source. They are often aimed at creating a sense of urgency, curiosity or fear in victims to lure them into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.

  • Scareware

This is a tactic that bombards victims with false IT alarms and fictitious threats. Users are deceived into thinking their system is infected with malware and are instructed to install software that has no real benefit (other than for the perpetrator); the software is sometimes malware itself. Scareware is also referred to as “deception software” or “rogue scanner software.”

  • Pretexting

An attacker pretends to contact victims for something innocent, to establish a conversation and build a friendly relationship through a series of cleverly crafted lies. The attacker often impersonates coworkers, police, bank and tax officials, or other persons who have right-to-know authority and would seem like a trustworthy source.

  • Baiting

As the name implies, attackers bait victims into doing something unsafe by exploiting their curiosity (e.g., attackers leave an infected USB stick labeled “secret team bonuses” lying in the break room). If the victims take the bait and insert it into a work or home computer, malware can be automatically delivered to the system.

  • Tailgating

A social engineering trick that involves simply following an authorized person into a restricted area. These tailgaters are good at looking relaxed and as if they “belong.” They may even go so far as to hold an armful of office items, or use small talk as a way to distract from their unauthorized presence.

Remember to remain resilient and aware!

For more information about phishing, visit the Safe Computing website.

It is also highly recommended to take the MLearning module: “IA-10006 Cyber Safety Best Practices Module 1: Hackers, Malware, and Phishing.”