Cybercriminals are very effective at getting what they want. They have learned that the easiest way around the university’s defenses isn’t hacking and cracking; it’s tricking you into letting them in. They will use everything in their toolbox to implement their attacks.

Social engineering is the art of manipulating, influencing, or deceiving you into taking some action that isn’t in your own best interest or the best interest of the university. The goal of social engineers is to obtain your trust, then exploit that relationship to coax you into either divulging sensitive information about yourself or the university or giving them access to the campus network. 

Red flags are a sign of danger or a problem. They can be as subtle as an uneasy feeling or as obvious as an email about “suspicious charges” from a bank where you don’t even have an account. Pay attention to these warning signs, as they can alert you to a social engineering attack!

Digital Attacks

Phishing: Email-based social engineering targeting the entire university.

Spear Phishing: Email-based social engineering targeting a specific person (YOU) or a role in our institution.

In-Person Attacks

USB Attacks: An attack that uses a thumb drive to install malware on your computer.

Tailgating: When a hacker bypasses physical access controls by following an authorized person inside a controlled building or protected space.

Phone Attacks

Smishing: Text-based social engineering. 

Vishing: Over-the-phone-based social engineering. 

Since phishing is the most common form of social engineering, let’s take a closer look at seven areas in an email and their corresponding red flags.

1. FROM: An email coming from an unknown address. You know the sender (or the department), but the email is unexpected or out of character. 
2. TO: You were copied on an email, and you don’t know the other people included in the email.
3. DATE: An email you usually receive during regular business hours was sent at 3:00 a.m.
4. HYPERLINKS: There are misspellings in the link. The email contains hyperlinks asking you to take action. When you hover your cursor over the link, the link address does not match the website implied in the text.
5. SUBJECT: The subject line of an email is irrelevant or doesn’t match the message content. It’s an email about something you never requested or a receipt for something you never purchased.
6. CONTENT: The sender asks you to click on a link or open an attachment. The email asks you to buy gift cards or apply for a job, promising $$$ for practically no effort. You may just have an uncomfortable feeling, or it just seems odd or illogical.
7. ATTACHMENTS: Any attachment you receive that you aren’t expecting.

Here are the actions you SHOULD take:

Stop, look, and think before you click that link or open that attachment.

Stop, look, and think before allowing someone in that you don’t recognize or plugging any external media into your computer. 

Stop, look, and think before surrendering confidential information or acting on an urgent request.

See something? SAY SOMETHING!

For any questions regarding email scams, call the OIT HelpDesk at 865-974-8445 or send the suspicious email (along with the headers from the email) toabuse@utk.edu.