Social Engineering Attacks and Prevention
What is social engineering?
Social engineering is a collection of strategies that target the people who use computers and network systems. The goal is to gain access to resources and credentials on those systems, or to steal the user's personal information. This has always been an issue throughout the District, but recent events have brought increased concern for our security footing.
In the District, we commonly see social engineering manifest as phishing attempts via email. In these instances, the attacker is usually attempting to execute code on the target user's computer, to gather personal information, or to scam the target out of money.
In a purer social engineering attack, the email asks users to send login information. This typically takes the form of an email that appears to come from the IT department, a supervisor, or an administrator. In some instances, the attacker asks the target to reply with their credentials so that they can access something. In most cases, the attack appears to come from the IT department and contains a link, telling the target to follow it to update their credentials.
Variations of Social Engineering
Posing as someone else, especially through electronic means, is referred to as "spoofing." Various spoofing techniques let attackers appear to be legitimate members of the District in their communications: they can fake email addresses, phone numbers, and social media accounts.
An additional spin on this comes in the form of compromised email accounts. This variation is the result of an attacker successfully getting into an employee's email account, generally because the employee interacted with a malicious link or downloaded an infected document. Once the account is compromised, the attacker sends email from that account to the people on its contact list. Their aim is generally to increase their access or to trick a broader audience.
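The spoofed "IT department" email and the credential-update link described above can be checked for mechanically. The following is an added example, not code from the District or this page; the district domain, the phrase list, and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed district mail domain; a placeholder, not taken from the page.
DISTRICT_DOMAIN = "example-district.org"
# Wording typical of the credential requests described above (assumed list).
CREDENTIAL_PHRASES = ("reply with your password", "update your credentials",
                      "send your login", "verify your account")

def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def is_district_host(host: str) -> bool:
    """True only for the district domain itself or one of its subdomains."""
    return host == DISTRICT_DOMAIN or host.endswith("." + DISTRICT_DOMAIN)

def phishing_indicators(raw_message: str) -> list[str]:
    """Return the social-engineering signs found in one raw email message."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    name, sender = parseaddr(str(msg.get("From", "")))
    # Display name claims to be the IT department, but the address is external.
    if "it department" in name.lower() and not is_district_host(domain_of(sender)):
        flags.append("display name impersonates the IT department")
    # Replies are quietly routed to a domain other than the visible sender's.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        flags.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(phrase in text for phrase in CREDENTIAL_PHRASES):
        flags.append("message asks for credentials")
    # "Update your credentials" links that lead outside the District.
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname or ""
        if not is_district_host(host):
            flags.append(f"link to external host: {host}")
    return flags

# Constructed sample modelled on the fake "IT department" email described above.
SAMPLE = """\
From: "IT Department" <helpdesk@mail-secure-login.net>
Reply-To: recovery@another-host.example
Content-Type: text/plain; charset="utf-8"

Your password expires today. Please update your credentials at
http://mail-secure-login.net/update or reply with your password.
"""
```

Running `phishing_indicators(SAMPLE)` reports all four signs; a genuine notice sent from the district domain with a district link reports none.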
How to avoid social engineering attacks
This brings us back to the question of how to avoid falling for social engineering attacks. It requires vigilance and caution. Staff are encouraged to be suspicious of anyone asking for their credentials, and to be highly skeptical of anyone in the District asking them to send money. A simple countermeasure is to call the person in question and verify that they did in fact send the request, or the email containing the link.
Phishing Email Examples
Additionally, the Help Desk is available to help you navigate these issues. Please feel free to contact the Help Desk at 417-523-4357 or Extension 33333, and we will happily assist you.
For more information on OneDrive and other technology resources, please visit the Knowledge Base on ServiceNow and the I.T. Training page at sps.org/training.