Tag Archives: Cyber Security

Spotting a social engineering scam

In some previous cyber security posts we’ve mentioned a couple of types of scams that use social engineering, e.g. phishing. Social engineering is a way of tricking people into sharing their personal information.

Here, we’re going to talk about the equally dangerous non-technical social engineering attacks that we all may face.

These scammers use little pieces of information they already know about you to trick you into revealing enough further information for them to defraud you. This is called ‘pretexting’ or ‘vishing’ (voice phishing), and it is often done over the phone.

If you receive a phone call you are uncertain about, hang up and find a phone number for the organisation yourself to call them back; don’t call any phone number the caller gives you.

It’s OK to say no – think about the information you are being asked for when filling out forms, having conversations or responding to emails:

  • is what they are saying believable?
  • why do they need this information?
  • are they making a reasonable request for this purpose?
  • is this person who they say they are?

Read these examples and check out this video to understand what social engineering might sound like. Read more about cyber security and reporting incidents at UC here.

Hi, this is Tracey calling from {Your Bank}.

We’ve blocked some suspicious overseas charges made on your card ending {last 4 digits of your card}, and we’d like to check on these with you, if that’s OK.

Before we can do that I need to run you through some security checks.

Can you please confirm the billing address for the card is correct?

Great thanks. Can you please confirm your mother’s maiden name? 

OK, we’re good to go. Have you been to a restaurant called La Roux earlier today? Spending $43.20?

No, OK, we’ll need to cancel your card and issue you a new one.

Don’t worry, we can get the new card to you quickly, if I get this processed now I can get it to you in the next 48hrs.

To make things easy for you I can make sure the same PIN number is used so you will be able to use the card straight away.

If you can confirm your PIN number I’ll get that added.

Awesome, that is done, your new card is on its way.

As you can see, the scammer now has your card number, the answer to your security question and your current PIN.

This example would be carried out after a wallet has been stolen. The initial information comes from a receipt found in your wallet.

Hi {your name},

This is Tracey from {names a store you have a receipt from found in your wallet}, you’ve won a gift card worth $150 that you can pick up next time you are in the {names location of the store from the receipt} store.

To secure the card for you I need to put a PIN number on it, what PIN number would you like me to add to the card?

All done. That card will be waiting for you in store.

Have a good day.

Unfortunately, most people will provide their own banking PIN, because by human nature we’re lazy and use the same PINs or passwords for multiple purposes.

Longer passwords are stronger passwords

It’s simple: the longer your password is, the stronger it is. A password of 12 characters is estimated to be 13 million times stronger than an eight-character password, and a 16-character password is estimated to be over 166 trillion times stronger than an eight-character password.

At UC we recommend you use passwords of 10-16 characters in length for UC systems. But let’s take a minute to talk about passwords. Exciting isn’t it?

Do you use a key for your front door? Are you happy giving it to strangers? No? This is the same thing, so it’s an important conversation and worth having. Being digitally security-aware is just as important as being home security-aware.

To cut to the chase, here’s the thing:

Remember just three passwords, and that’s it:

  1. Your bank password – don’t use this for anything else
  2. Your work password – don’t use this for anything else
  3. Your password manager password – don’t use this for anything else. See more about password managers at www.canterbury.ac.nz/its/cybersecurity

Why? Some accounts are more important than others, especially your work and your bank, so have individual passwords for them, and then one more for your password manager.

Tips to create a strong password:

  • Don’t use common dictionary words – e.g. orange, car, password
  • Don’t use sequential letters or numbers – e.g. 12345, abcde
  • Don’t use repeated letters/numbers or keyboard patterns – e.g. 111, aaa, qwerty, asdfgh

Longer passwords are stronger passwords – as long as you stick to the rules above too.
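As an added illustration (not code from the original post), here is a small Python checker for the three rules above together with the keyspace arithmetic behind the length claims; the 60-symbol alphabet, the tiny word list and the three keyboard rows are assumptions, chosen so the ratios reproduce the post’s 13 million and 166 trillion figures.

```python
# Assumptions (not from the page): a 60-symbol alphabet, which reproduces the
# page's 13 million and 166 trillion figures; a tiny stand-in word list; and
# three keyboard rows as the only "keyboard patterns" checked.
COMMON_WORDS = {"orange", "car", "password", "welcome", "letmein"}  # constructed
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def keyspace_ratio(longer: int, shorter: int, alphabet: int = 60) -> int:
    """How many times more guesses a `longer`-character password needs than a
    `shorter`-character one when each position is drawn from `alphabet` symbols."""
    return alphabet ** (longer - shorter)

def has_run(pw: str, length: int = 3) -> bool:
    """True for `length` identical characters (aaa, 111) or an ascending or
    descending sequence (abc, 12345, cba)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False

def has_keyboard_pattern(pw: str, length: int = 4) -> bool:
    """True for a walk along a keyboard row in either direction (qwerty, asdfgh, lkjh)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            frag = row[i:i + length]
            if frag in low or frag[::-1] in low:
                return True
    return False

def password_problems(pw: str, min_len: int = 10) -> list:
    """Return the rules from the post that `pw` breaks; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than the recommended {min_len} characters")
    if any(word in pw.lower() for word in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    if has_run(pw):
        problems.append("contains repeated or sequential characters")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    return problems

if __name__ == "__main__":
    print(f"12 vs 8 chars: {keyspace_ratio(12, 8):,}x")  # 12,960,000x
    print(f"16 vs 8 chars: {keyspace_ratio(16, 8):,}x")  # 167,961,600,000,000x
    for pw in ("qwerty123", "MyPassword2024!", "Tr0ub4dor&3"):
        print(pw, "->", password_problems(pw) or "passes")
```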

Are you using the same password for everything?

It sounds like a clever strategy to avoid forgetting which is which, right? But have you noticed how those online security breaches just seem to keep happening? Using the same password means that if it falls into the wrong hands, then that person has your password to everything. It’s worth taking a moment to think about what that could include.

Tips to spot a phishing scam

Can you imagine the headache you’d have if a hacker got access to your social media, banking, dating, or email login details? But you wouldn’t just hand this kind of information over to a stranger would you?

Hmm, here are some basic tips for spotting a scam.

Consider these before opening an email that you weren’t expecting to receive.

  • Is the spelling and grammar in the message correct?
  • Do the link and the text match? (Hover your mouse over the link and you’ll see where it really goes.)
  • Does the email urge you to take immediate action?
  • Does the email address of the sender look reasonable given the content of the email?
  • Look at the salutation: does it say ‘Dear Customer’?
  • Look at the signature: a lack of details about the sender or about how you can contact the company suggests phishing.
  • Are you even expecting an email from that sender?
  • Is the message asking you to do something unusual? (e.g. buy iTunes cards)

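As an added example (not part of the original post), the following Python script applies the mechanical parts of this checklist, the link/text mismatch that hovering would reveal, urgency wording and a generic salutation, to a constructed sample email; the sample message, the phrase lists and the example.com/example.net hosts are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing-style HTML email (not taken from the page).
SAMPLE_EMAIL = """<p>Dear Customer,</p>
<p>Your account will be suspended. Verify immediately at
<a href="http://login-verify.example.net/x">https://www.mybank.example.com/login</a>.</p>
<p>Contact us via <a href="https://www.mybank.example.com/help">www.mybank.example.com/help</a>.</p>"""

URGENCY_PHRASES = ("immediately", "account will be suspended", "urgent", "within 24 hours")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")

class LinkCollector(HTMLParser):  # collects (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.example.com/path' text is accepted too."""
    return urlparse(url if "://" in url else "http://" + url).hostname or ""

def mismatched_links(html: str) -> list:
    """Links whose visible text names one host but whose href really goes elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    bad = []
    for text, href in parser.links:
        looks_like_url = "." in text and " " not in text
        if looks_like_url and host_of(text) != host_of(href):
            bad.append((text, href))
    return bad

def phishing_signals(html: str) -> list:
    """Checklist items the message trips: mismatched links, urgency, generic greeting."""
    low = html.lower()
    signals = [f"link text {t!r} goes to {host_of(h)!r}" for t, h in mismatched_links(html)]
    signals += [f"urgency: {p!r}" for p in URGENCY_PHRASES if p in low]
    signals += [f"generic salutation: {s!r}" for s in GENERIC_SALUTATIONS if s in low]
    return signals
```

Running `phishing_signals(SAMPLE_EMAIL)` flags the disguised login link, two urgency phrases and the ‘Dear Customer’ greeting, while the genuine help link passes.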
Together we can make a difference, but what should you do next?

If you think it’s a phishing email or spam:

If the message is plausible:

  • go to the website of the service, or bank yourself (don’t click that link in the email), then log in and see if you have any messages
  • if it’s someone sharing a file or similar with you, contact the person (in a new email not by using ‘reply’) and ask them.

If you’re not sure, treat it with caution and report it.

It is amazing what hackers can do with access to your device: they get access to EVERYTHING you do on that device, which can take a massive toll on you personally and damage your relationships.

  • You could lose access to your banking and social media accounts.
  • You could find all your data has been deleted or encrypted and held for ransom.
  • Your identity could be stolen:
    • loans and credit cards may be opened in your name.
    • unauthorised purchases may be billed to you.
  • You may become a victim of tax fraud.
  • You may be locked out of apps and web-based services, forever!! (losing family photos, thesis papers, etc.)
  • Your electronic devices may be used as a tool of cyber-crime (sending spam or spreading malware).

See more about cyber security at UC.