Defining Social Engineering
Social Engineering is a type of psychological manipulation that tricks a target into sharing information or performing an action that they normally would not have done. These scams may promise one thing and deliver another, extract information from you, steal something from you, or gain access to something that only you are allowed to reach.
Social Engineering is usually one part of a more complex scheme: the access gained, information collected, or item stolen is then used in a later stage of a bigger plot. For example, an email with a link to a website may install malicious software onto your computer. In our example, the malware logs keystrokes from your computer, including login credentials for your bank, or personal information that you enter into a form. The information gathered can then be used to gain access to your accounts or to commit identity fraud.
Social Engineering scams can happen at work and at home, in person and over the phone. When the threat is digital, it is not tied to any one platform: although much of the malware in circulation targets the Windows operating system, many attacks cross platforms because they are not software based at all.
Social Engineering scams have been used for many years, because the basics of these scams can be carried out over the phone or in person. Sometimes all a scam artist needs to do is ask for information, and a target will freely give it because the asker seems to have a right to know it. Access may be granted just because a scammer is wearing a uniform. Even an authoritative tone and an urgent message over the phone can go a long way.
To protect yourself from most Social Engineering scams, you can apply the following questions to just about any interaction, regardless of whether it is on a computer, over the phone, or in person:
Are you familiar with the person?
Try to confirm that the person requesting something from you is someone you know. If you do not know the person, or if a communication from someone familiar seems a little off, apply an additional level of scrutiny before processing the request. For example, if you receive a phone call, opt to call back on a number you already have: any number the caller gives you over the phone may not be valid. If you do not have a phone number for the requestor, get it from a trusted source, such as the organization's official website or a directory you already rely on.
Why?
Ask why they need this information, why they need access to this area, or why you are receiving this request at all. If you do not usually receive files or links from this person or organization by email, be suspicious. If the person asking for or supplying information does not match who you regularly interact with, get in touch with your trusted source. If you are entering a restricted area, make sure that a person does not simply follow you in. For example, some businesses require that guests sign a log book or are accompanied by a staff member during their visit. Follow this protocol even if the person looks like they belong. If you do not know them, or are unsure whether they are allowed access, do not give them the opportunity to tailgate you.
Do I usually receive this information or request this way?
If you do usually receive this type of information or request, is it usually passed to you in this way? For example, if you receive quarterly reports, do they usually arrive by email, or on a thumb drive? Another example would be someone you know sending a text message to request a bank PIN: even if the sender is genuine, a PIN is not something a bank or a colleague would legitimately ask for over that channel.
Are you expecting this information?
If an unsolicited email, disc, file, or phone call makes its way to you, consider whether you were expecting it. In our quarterly reports example, were you expecting that information? If not, confirm that the request is authentic with a known source via a known method of communication; sometimes you just need to walk down the hall or pick up the phone. Is it typical for you to process this kind of request? Just because you have access to the information does not mean that you are the person who should be distributing it. Another example: are you expecting a phone call from technical support? If you did not place a call or open a support request, it is unlikely that anyone would legitimately be contacting you about a computer issue, and a caller who claims to be support should be verified by calling the support desk back on its published number.
Is the request personalized?
If you receive an email, is it addressed to you, and is the greeting personalized? For example, an email may be addressed to someone else in your organization but delivered to you. Talk with the person it is addressed to before you forward it, open any files, or click any links. Mistakes happen when sending information, but be wary of information or requests that are not addressed to you.
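The five questions above are a human checklist, but when the interaction is an email most of them can be encoded as simple heuristics. The following Python script is an added example, not part of the original article: it parses a raw message with the standard library's email module and reports which of the questions the message trips. The mailbox owner, the list of known senders, the pressure words, and both sample messages are constructed for illustration.

```python
"""Encode the five social-engineering questions as heuristics over one email.

Added example, not from the original article. The mailbox owner, known
senders, pressure words and both sample messages are constructed.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed mailbox owner and the senders she normally receives mail from.
MY_ADDRESS = "alice@example-corp.com"
MY_NAME = "alice"
KNOWN_SENDERS = {"reports@example-corp.com", "carol@example-corp.com"}

# Words that lean on urgency or threat instead of a reason you can check.
PRESSURE_WORDS = ("urgent", "immediately", "locked", "suspended")


def _first_text_body(msg):
    """Return the first text/plain body in the message, or an empty string."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_multipart():
            payload = part.get_payload(decode=True)
            if payload:
                return payload.decode("utf-8", "replace")
    return ""


def triage(raw, my_address=MY_ADDRESS, my_name=MY_NAME, known=KNOWN_SENDERS):
    """Return the list of questions the message trips; empty means none."""
    msg = message_from_string(raw)
    findings = []

    # Q1: Are you familiar with the person?
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    if sender not in known:
        findings.append("unfamiliar-sender")

    # Q1, continued: a Reply-To chosen by the sender is like a callback
    # number the caller gives you; verify through a channel you already trust.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender:
        findings.append("reply-to-differs-from-sender")

    # Q2: Why? Pressure language stands in for a reason you can check.
    body = _first_text_body(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(word in text for word in PRESSURE_WORDS):
        findings.append("urgency-or-threat-language")

    # Q3/Q4: Do you usually receive this, and were you expecting it?
    # A file from someone you do not normally hear from is both unusual
    # and unexpected.
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if attachments and sender not in known:
        findings.append("attachment-from-unfamiliar-sender")

    # Q5: Is the request actually addressed to you, with a personal greeting?
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    if my_address.lower() not in recipients:
        findings.append("not-addressed-to-me")
    lines = body.strip().splitlines()
    greeting = lines[0].lower() if lines else ""
    if my_name.lower() not in greeting:
        findings.append("generic-greeting")

    return findings


# Constructed sample: an unsolicited "support" message with a zip attachment.
SUSPICIOUS = """\
From: "IT Support" <helpdesk@example-corp-support.com>
Reply-To: tickets@mail-example.net
To: bob@example-corp.com
Subject: URGENT: password reset required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user,

Your account will be locked unless you confirm your password immediately.
Open the attached form and reply with the completed details.

--b1
Content-Type: application/octet-stream; name="reset_form.zip"
Content-Disposition: attachment; filename="reset_form.zip"

ZIPDATA
--b1--
"""

# Constructed sample: a report from a known colleague, addressed personally.
BENIGN = """\
From: Carol <carol@example-corp.com>
To: Alice <alice@example-corp.com>
Subject: Q3 report draft
Content-Type: text/plain

Hi Alice,

The Q3 draft we discussed at Monday's meeting is on the shared drive.
"""

if __name__ == "__main__":
    print("suspicious:", triage(SUSPICIOUS))
    print("benign:", triage(BENIGN))
```

The script is a triage aid, not a filter: a message that trips nothing can still be a scam, and a message that trips one finding may be legitimate. Its value is that each finding maps back to one of the questions, so the follow-up is always the same as in the text, which is to verify through a channel you already trust before acting.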