At UBC, we entrust a significant amount of personal information to the university. This data includes everything from student IDs and grades to financial information and research projects. Protecting this data is paramount, not just for UBC but for each individual member of the community.
Today, we'll discuss a tactic cybercriminals use to gain access to this sensitive information: pretexting.
What is Pretexting?
Pretexting, also known as social engineering, is a cybercrime where the attacker creates a false scenario (the pretext) to gain your trust and extract personal information. Attackers can pose as legitimate entities like:
- University officials: Financial aid departments, IT support, or even professors.
- Bank representatives: Claiming to be investigating suspicious activity on your account.
- Tech support personnel: Offering help with a non-existent computer problem.
The attacker's goal is to gather information like usernames, passwords, social insurance numbers, or credit card details.
How Can You Fall Victim?
Pretexting attacks can be very convincing. Attackers often use a combination of tactics:
- Urgency: They create a sense of urgency to pressure you into acting quickly without thinking critically.
- Fear: They may threaten negative consequences like account suspension, financial loss, or even legal action.
- Fake caller ID: They can manipulate the caller ID to show a legitimate UBC phone number.
- Phishing emails: They may send emails with a sense of urgency, containing links or attachments that appear official but lead to malicious websites designed to steal your information.
Real-Life Scenario: Spotting the Signs
Here's an example of a pretexting attack:
- A faculty member receives a call from someone claiming to be from IT support.
- The caller states there's been suspicious activity on the faculty member's UBC email account, and says the faculty member needs to verify their login credentials to prevent account suspension.
- The caller sounds professional and creates a sense of urgency.
Red Flags to Watch Out For:
There were several red flags in this scenario that the faculty member should have noticed:
- Unsolicited Contact: The UBC IT Service Centre does not contact individuals directly unless responding to a request made by the employee or student.
- Urgency and Threats: Legitimate organizations will not threaten account suspension without prior communication.
- Request for Login Credentials: UBC will never ask for your login information over the phone or through email.
Protecting Yourself
- Verify Caller Identity: Always independently verify the identity of anyone claiming to be from UBC. Call the official department directly (using a phone number you know is correct) to confirm the interaction.
- Don't Share Sensitive Information: Never share passwords, Social Insurance Numbers, or other sensitive information over the phone or through email unless you initiated the contact and are sure of the recipient.
- Report Suspicious Activity: If you suspect a pretexting attempt, report it to UBC Cybersecurity at security@ubc.ca.
Staying vigilant is crucial. By learning about these tactics and recognizing the red flags, we can all play a role in protecting ourselves and the UBC community from cybercrime.