Tag Archives: Cyber Security

Non-technical social engineering scam

Social engineering as a scam can take many different forms. One of these is a non-technical form where a scammer already knows enough about you to make you feel comfortable and confident in revealing more personal information: the personal information they actually need to defraud you.

This is known as ‘pretexting’ or ‘vishing’ (voice phishing), where the scammer is phishing for information using voice communication such as a phone call. The caller uses information about you they already know, which could be pieced together from your social media accounts or from a wallet you have lost or had stolen, and presents themselves as someone trustworthy, such as a representative from your bank.

A good example of this could be if you have lost your wallet. A scammer might find a shop receipt in your lost wallet and call you posing as a shop attendant. To get more information out of you they might say you have won a voucher and simply need you to provide a PIN number to activate the card. Unfortunately, most people will provide a PIN number they already use. The caller now has your wallet, bank cards, ID cards and a PIN number they can use to try to defraud you.

What to do if you receive a suspicious call

Think about the information you are being asked for:

  • is what the person is saying believable?
  • why do they need this information?
  • are they making a reasonable request for this purpose?
  • is this person who they say they are?

It is ok to say no and to ask them to verify who they are. If you are not sure of the credibility of the person you are speaking to, hang up and call the organisation yourself. Don’t call any phone number the caller gives you, either over the phone or in an email; look up a phone number for the organisation on their website.

Find information on how to report a cyber security incident at UC here.

Email phishing exercise

Did you know approximately 45% of the world’s sent email is SPAM? While some SPAM email can be harmless enough, other SPAM is used to target and exploit personal information and data from people, or to alter the behaviour of the device they are using.

To help us understand how well we are supporting and informing UC students and staff on cyber security we will be carrying out random phishing test exercises over the next few weeks.

The exercise will involve sending emails that use techniques similar to those used by cyber criminals to encourage the recipient to take a specific action. We will send these to a random group of UC email addresses and monitor the outcome. No personal information of individuals in the test group will be retained.

We take this kind of exploitative SPAM email seriously and employ a number of tools to reduce the amount that makes it to your inbox. The most effective way to reduce harm to you, your data and UC is for you to be aware of the techniques being used by cyber criminals: what to look for, how to react and who to report incidents to.

For more information about how to spot a phishing email and what to do if you receive one, check out UC’s cyber security webpage.

If you have any questions or concerns please contact the ITS Service Desk on 0508 UC IT HELP (0508 824 843) or on 03 369 5000.

Spotting a social engineering scam

In some previous cyber security posts we’ve mentioned a couple of types of scams that use social engineering, e.g. phishing. Social engineering is a way of tricking people into sharing their personal information.

Here, we’re going to talk about the equally dangerous non-technical social engineering attacks that we all may face.

These scammers use little pieces of information they already know about you to trick you into revealing sufficient information that they can then defraud you. This is called ‘pretexting’ or ‘vishing’ (voice phishing) and is often done through a phone call.

If you receive a phone call you are uncertain about, hang up and find a phone number for the organisation to call them back; don’t call any phone number the caller gives you.

It’s ok to say no – think about the information you are being asked for when filling out forms, having conversations or responding to emails:

  • is what they are saying believable?
  • why do they need this information?
  • are they making a reasonable request for this purpose?
  • is this person who they say they are?

Read these examples and check out this video to understand what social engineering might sound like. Read more about cyber security and reporting incidents at UC here.

Hi, this is Tracey calling from {Your Bank}.

We’ve blocked some suspicious overseas charges made on your card ending {last 4 digits of your card}, and we’d like to check on these with you, if that’s OK.

Before we can do that I need to run you through some security checks.

Can you please confirm the billing address for the card is correct?

Great, thanks. Can you please confirm your mother’s maiden name?

OK, we’re good to go. Have you been to a restaurant called La Roux earlier today? Spending $43.20?

No, OK, we’ll need to cancel your card and issue you a new one.

Don’t worry, we can get the new card to you quickly. If I get this processed now I can get it to you in the next 48 hours.

To make things easy for you I can make sure the same PIN number is used so you will be able to use the card straight away.

If you can confirm your PIN number I’ll get that added.

Awesome, that is done, your new card is on its way.

As you can see, the scammer now has your card number, the answer to your security question and your current PIN number.

This example would be carried out after a wallet has been stolen. The initial information comes from a receipt found in your wallet.

Hi {your name},

This is Tracey from {names a store you have a receipt from found in your wallet}, you’ve won a gift card worth $150 that you can pick up next time you are in the {names location of the store from the receipt} store.

To secure the card for you I need to put a PIN number on it. What PIN number would you like me to add to the card?

All done. That card will be waiting for you in store.

Have a good day.

Unfortunately, most people will provide their own banking PIN number, because by human nature, we’re lazy and use the same PIN numbers or passwords for multiple purposes.