
Common Targets for Social Engineering

There is always some risk in putting yourself on the internet: your information is available to the entire world. Most people have good intentions with your content; however, some are "bad actors" who pretend to have good intentions and actually harm you and anyone you pass their information to.

Most of these "bad actors" are robots, or automated programs, built by programmers to:

  1. scan the internet for certain keywords that can be used to socially engineer you into taking an action that may be harmful to you, the University, or any visitors to your website
  2. scan the webpages with the targeted keywords for things like your name, email address, or other identifiable contact information
  3. place you on an email campaign (or email drip campaign, which reminds you periodically if you haven't responded yet) asking you to:
    1. open a suspicious file attachment
    2. place suspicious content on your website
    3. go to suspicious links in the email message
    4. place suspicious links on your website

Since we are an institution of higher education, our website is a huge target for blackhat practices, including socially engineering us into lowering our SEO rankings, giving our usernames and passwords to strangers, and providing third parties with personal and identifiable information about our visitors.

Let's break down their activities, so you and your visitors can avoid being socially engineered.

Scanning the Website for Keywords

Screenshot of a real life email to Web Services that claimed they had relevant information to our website

This screenshot shows an email sent to us asking that we add their link on sleep and health with regard to social media applications. While it doesn't indicate a specific page, it assumes our audience uses social media (which we link to across the website) and that we might find the resource useful to our users. It may very well be, but given the way the resource was provided, the link may have been tampered with and may now lead to harmful code.

Robots are looking for web maintainers who don't know what is actually on their website or who can be easily swayed to believe their website needs certain information. The common words to be cautious of using in your metadata (e.g. page titles, descriptions, keywords), headings, or file names are:

  • link (e.g. Quick Links, Related Links)
  • resources (e.g. Additional Resources, Related Resources, Helpful Resources)

Why these specifically? Can you find anything in the examples above that explains what to expect if you went to that content? Not really, and that is what these "bad actors" are counting on. Much like a FAQ (Frequently Asked Questions) page, these pages or sections usually look like a list of random links to information. They may not be reviewed for currency or accuracy on a periodic basis, and they may not have any definitive organization that would aid users in searching for what they need. They are like finding a needle in a haystack or treasure in a trash heap, and robots target them because of their obvious lack of content strategy.

As the web maintainer, you may not be familiar with the subject matter on the page if, like Web Services, you maintain multiple websites for the content owners (or subject matter experts). If the sender doesn't provide a specific web address for you to put the information on, you should question whether or not the information is pertinent to the webpage or website.

If you are the content owner, you may be able to identify the keyword they used regarding a claimed relevant resource link, but when you look at your webpage, you'll notice the information is, in fact, not as relevant or necessary to include as they claim.

Screenshot of a real life email from a bad actor claiming a scholarship opportunity.

This screenshot shows an email sent to us and potentially other people through the blind carbon copy method. They did not identify a real person or department at our university, nor did they identify themselves as a real human. They did provide a suspicious scholarship opportunity and link, which we discourage opening, despite curiosity.

As a university, we are also hit more specifically on some common educational items, including

We cannot avoid these, given they are what we promote. It is more a matter of keeping a mindful eye on what information is sent to you and being on guard for suspicious requests and activities.

Scanning for Contact Information

Screenshot of a real life SPAM email example of a message that addresses us generically.

This screenshot shows that the sender didn't know who to address in the greeting, along with some grammar and mechanics issues that hint at suspicious activity. While the message itself seems like something Web Services would want to pursue, the presentation is off. The sender does not identify a well-known web marketing agency, nor does the message list out the errors the sender found, which makes it look impersonal or robot-driven.

Once the robot finds a potential target, the robot goes through a round or so of scanning for who to target for social engineering:

  1. The first round of scans is on the relevant pages, looking for your contact information (e.g. name, email address).
  2. The second round of scans reaches a larger scope (e.g. department head's welcome pages, dean's message pages) if nothing was found in the first round, or if they want to contact more individuals that may have web maintainer access (or influence) to some portion of the website.
  3. The final round of scans may cover the entire website, looking for web administrators (e.g. calling us "Admin") or our team's email address (e.g. webmaster@something.edu, www@something.edu).

This is often the reason why you receive SPAM messages. Web Services receives the brunt of these types of SPAM messages and makes every attempt to filter only relevant information or website feedback to you.
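The scanning rounds above are what a robot does to your public pages; the defensive counterpart is to audit those same pages yourself so you know which generic link-list headings and which contact addresses are exposed before a campaign targets them. The following is an added example, not Web Services' tooling or anything from the original page. It uses only the Python standard library, and the sample pages, the heading word list, the role-mailbox prefixes, and the `example.edu` domain are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser

# Heading/metadata words the page warns about (constructed list; extend as needed).
GENERIC_HEADING_WORDS = {"link", "links", "resource", "resources"}
# Role mailboxes a site-wide scan tends to pick up (constructed, after webmaster@/www@ above).
ROLE_MAILBOX_PREFIXES = {"webmaster", "www", "admin"}
# Void elements that never get a closing tag, so they are not pushed on the tag stack.
VOID_TAGS = {"meta", "link", "br", "img", "input", "hr"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _PageScanner(HTMLParser):
    """Collects headings, title/meta text, visible text and mailto: targets from one page."""

    def __init__(self):
        super().__init__()
        self.headings = []   # text inside h1..h6
        self.meta = []       # <title> text and meta description/keywords content
        self.mailtos = []    # addresses from href="mailto:..."
        self.text = []       # every visible text chunk
        self._stack = []     # open tags, innermost last

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href", "").lower().startswith("mailto:"):
            self.mailtos.append(a["href"][7:].split("?")[0])
        if tag == "meta" and a.get("name", "").lower() in ("description", "keywords"):
            self.meta.append(a.get("content", ""))
        if tag not in VOID_TAGS:
            self._stack.append(tag)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy nesting.
        if tag in self._stack:
            while self._stack.pop() != tag:
                pass

    def handle_data(self, data):
        data = data.strip()
        if not data:
            return
        self.text.append(data)
        top = self._stack[-1] if self._stack else ""
        if top in ("h1", "h2", "h3", "h4", "h5", "h6"):
            self.headings.append(data)
        elif top == "title":
            self.meta.append(data)


def audit_page(html):
    """Return (kind, value) findings: generic headings, role mailboxes, personal contacts."""
    p = _PageScanner()
    p.feed(html)
    findings = []
    for h in p.headings + p.meta:
        if set(re.findall(r"[a-z]+", h.lower())) & GENERIC_HEADING_WORDS:
            findings.append(("generic-heading", h))
    emails = set(p.mailtos) | set(EMAIL_RE.findall(" ".join(p.text)))
    for e in sorted(emails):
        prefix = e.split("@")[0].lower()
        kind = "role-mailbox" if prefix in ROLE_MAILBOX_PREFIXES else "personal-contact"
        findings.append((kind, e))
    return findings


def audit_site(pages):
    """Audit a {path: html} mapping and return {path: findings}."""
    return {path: audit_page(html) for path, html in pages.items()}


# Constructed sample pages standing in for a real site crawl.
SAMPLE_PAGES = {
    "/students/links.html": """<html><head><title>Quick Links</title>
<meta name="description" content="Helpful resources for students"></head>
<body><h2>Related Links</h2><ul><li><a href="/health">Health Services</a></li></ul>
<p>Questions? Email <a href="mailto:jane.doe@example.edu">Jane Doe</a>.</p></body></html>""",
    "/about/dean.html": """<html><head><title>Message from the Dean</title></head>
<body><h1>Welcome</h1><p>Contact the office at dean.office@example.edu or call.</p>
<p>Site problems: webmaster@example.edu</p></body></html>""",
    "/index.html": """<html><head><title>Home</title></head>
<body><h1>Welcome to Campus</h1></body></html>""",
}

if __name__ == "__main__":
    for path, findings in audit_site(SAMPLE_PAGES).items():
        print(path)
        for kind, value in findings:
            print(f"  {kind}: {value}")
```

Run against an export of your real pages, the report tells you which pages carry the vague "Links"/"Resources" labels that invite link-placement requests and which individual addresses are published where a role mailbox would do; both are things a content owner can change.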

Placing you on Email Campaigns (or Drip Campaigns)

Screenshot of a real life email drip campaign from a bad actor.

This screenshot shows that the robot scanned the entire website for the main web administrator's contact information. The term "readers" is not what normal marketing specialists would use to convince Web Services to include their content. The robot actually thought the Tarleton website was a blog. After all, we have faculty, staff, students, parents, or users (as web technologists call website visitors) that we create meaningful relationships with, including providing information about health services available at Tarleton. This is the second email in the automated drip campaign. The first one introduced the robot's process.

What makes robots appear to be human? Programmers create emails or email drip campaigns to convince you that they are real human beings. It's no trouble at all for these "bad actors" to automate emails, so don't be fooled by the seeming concern that you haven't responded to previous emails.

But what gives them away? There are multiple ways to identify emails attempting to socially engineer you. The main way is that their English is not very good, a typical sign that the programmer is from a foreign country known to attempt to hack into our systems. Obviously, some hacking attempts may come from U.S. programmers, so you have to check for other indicators such as:

  • emotional pleas,
  • sense of urgency, and
  • relevancy to your website.

Do not ever respond to suspicious emails, not even to unsubscribe from them. Responding indicates that yours is a live email address and a potential target, even if you were not completely fooled by this particular attempt. They will sell your contact information to other "bad actors", and the cycle continues. Just delete the email (especially if it has a file attachment) or add it to your junk mail.
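The indicators listed above (generic greetings, urgency, emotional pleas, poor relevance to your site, drip-campaign follow-ups, blind-copied recipients, attachments and outside links) can be turned into a simple triage rule that a web team can run over incoming requests before anyone decides to act on one. The following is an added example and not part of the original page or of Web Services' mail handling; the phrase lists, the two sample messages and the `example.edu` domain are constructed assumptions, and the score threshold of three indicators is an arbitrary starting point to tune against your own mail.

```python
import re

# Constructed phrase lists mirroring the indicators described above.
GENERIC_GREETINGS = ("dear admin", "dear webmaster", "hello admin", "dear sir/madam",
                     "to whom it may concern", "hi there", "dear website owner")
URGENCY = ("urgent", "act now", "last chance", "within 24 hours", "immediately",
           "respond soon", "final notice", "limited time")
EMOTIONAL = ("please help", "so grateful", "really appreciate", "would mean", "hard work")
DRIP_FOLLOWUP = ("haven't heard back", "havent heard back", "following up",
                 "my previous email", "last email", "in case you missed", "reminder")
VAGUE_RELEVANCE = ("your readers", "your audience", "relevant resource", "helpful resource",
                   "add a link", "resources page", "links page")
URL_RE = re.compile(r"""https?://[^\s)>"']+""")


def triage_email(msg, our_domain):
    """Score one message dict (subject, body, to, attachments) and return reasons plus an action."""
    text = (msg.get("subject", "") + "\n" + msg.get("body", "")).lower()
    reasons = []

    def hit(label, phrases):
        found = [p for p in phrases if p in text]
        if found:
            reasons.append((label, found[0]))

    hit("generic-greeting", GENERIC_GREETINGS)
    hit("urgency", URGENCY)
    hit("emotional-plea", EMOTIONAL)
    hit("drip-followup", DRIP_FOLLOWUP)
    hit("vague-relevance", VAGUE_RELEVANCE)
    # A content request that never names a page on our own site is the "no specific
    # web address" case from the page above.
    if any(p in text for p in VAGUE_RELEVANCE) and not re.search(
            re.escape(our_domain.lower()) + r"/\S+", text):
        reasons.append(("no-target-page", our_domain))
    # Empty To: header means we were reached via blind carbon copy.
    if not msg.get("to"):
        reasons.append(("undisclosed-recipients", ""))
    if msg.get("attachments"):
        reasons.append(("attachment", msg["attachments"][0]))
    external = [u for u in URL_RE.findall(msg.get("body", "")) if our_domain.lower() not in u.lower()]
    if external:
        reasons.append(("external-link", external[0]))

    score = len(reasons)
    action = "delete-or-junk" if score >= 3 else "review"
    return {"score": score, "action": action, "reasons": reasons}


# Constructed sample: second message of a link-placement drip campaign, delivered via Bcc.
DRIP_SAMPLE = {
    "from": "outreach@example-marketing.test",
    "to": "",
    "subject": "Following up: a resource your readers will love",
    "body": ("Hi there,\n\nI haven't heard back about my previous email. Our guide on sleep "
             "and social media would be a helpful resource for your readers. Could you add a "
             "link on your resources page? https://example-guides.test/sleep-social-media\n\n"
             "Thanks so much, it would mean a lot!"),
    "attachments": [],
}

# Constructed sample: a genuine internal request naming a specific page on our site.
LEGIT_SAMPLE = {
    "from": "jane.doe@example.edu",
    "to": "webteam@example.edu",
    "subject": "Broken link on the Health Services page",
    "body": ("Hi Web Services team,\n\nOn https://www.example.edu/students/health-services the "
             "'Schedule an appointment' button goes to a 404. Can you point it at the new "
             "scheduler? Thanks, Jane (Student Health)"),
    "attachments": [],
}

if __name__ == "__main__":
    for name, msg in (("drip", DRIP_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = triage_email(msg, "example.edu")
        print(name, result["action"], result["score"], result["reasons"])
```

The output is a list of which indicators fired rather than a single verdict, so the person triaging can see why a message scored the way it did; a genuine colleague's request that names a page on your own site and arrives addressed to you scores zero, while the drip-campaign message trips most of the list at once.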

Protecting our Community

The cycle of SPAM is annoying and won't be stopped right away, but you absolutely should not react to the email by selecting the links, opening the file attachments, or responding back to the sender requesting to receive no more emails. If these emails are going to group email addresses, you should pass this information to those individuals to help them avoid becoming socially engineered as well.

Our goal is to keep our entire community protected from these scam artists, whether they are students, employees, or visitors to our website. If you have any concerns regarding an email, go with your gut feeling and delete it. Additionally, you may contact our Chief Information Security Officer for assistance.