How to Avoid Falling For Social Engineering Attacks

Friday, March 11, 2011

Brent Huston


I am one of the “end-users” in our organization.

I’m not a tech, but over the years I have had my eyes opened regarding information security and the ways I can safeguard my own private data.

My favorite tool is a password vault, which helps tremendously as I belong to dozens of sites. Quite frankly, I can’t remember what I had for dinner yesterday much less recall all the different passwords needed to access all those sites. So a password vault is incredibly helpful.

But what really fascinated me was the discovery of social engineering. Social engineering is the use of deceptive methods to get you to release confidential information. Sometimes it’s almost obvious, sometimes it’s sneaky. But on most occasions, people don’t realize what’s happening until it’s too late.

I’ll give an example: One time I received several phone messages from my credit union. I was told there was an issue and to return the call. I called my credit union to discover that (surprise, surprise), there was no “issue” and they never called me.

So when this shady outfit called me two days later, I was home and answered the phone. After the woman went through some type of script (needing my account number, natch), I blew up.

“For your information, I contacted my credit union and there IS no issue and no need to speak to me. How in the world do you sleep at night, deliberately trying to get people to give you confidential information so you can steal from them? You’ve got a helluva lotta nerve to keep calling!” The woman was silent. I slammed the phone down. I never heard from them again.

The point of this colorful little story is that thieves and hackers are everywhere. With our information becoming more digitalized, we need to be on guard more than ever before and use the most powerful weapon we’ve got.

QUESTION EVERYTHING.

And follow some of these tips:

  • If you receive an email from PayPal or a credit card company and they want to “verify” your account, check the URL. If a letter of the company’s name is off or it looks totally different, do NOT click on it. (You can see the URL usually by hovering your mouse over the link.)
  • Never click on a link in an email that claims to come from a financial institution. If you are a member of that institution, call their customer service number. Have them check your account to see if there was indeed a need to contact you.
  • Always check the identity of anyone who is calling you on the phone to ask for confidential information. Say you’re about to run out the door and get their name and phone number. Then call the organization they represent to verify that this person is legit.
  • At your workplace, use the same approach. Be friendly, but wary in a good way. If you have a courier who needs to give their package directly to the recipient, casually ask a co-worker if they could accompany the courier to their destination and then ensure they leave promptly afterward. Use this method for any strangers who are visiting your organization such as repairmen, copier salespeople, or phone technicians.
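The URL check in the first two tips can be automated. The script below is an added example written for this page, not the author’s own code: it pulls every link out of a constructed email body and flags those whose real host is a letter or two off a trusted domain, or whose visible text names an institution while the address points somewhere else. The allowlist of trusted domains and the sample message are assumptions made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed allowlist: the institutions the reader actually does business with.
TRUSTED_DOMAINS = {"paypal.com", "mycreditunion.org"}

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (link text, real host) for links that impersonate a trusted brand."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        # Keep only the registrable part: 'www.paypa1.com' -> 'paypa1.com'.
        host = ".".join((urlparse(href).hostname or "").lower().split(".")[-2:])
        if host in TRUSTED_DOMAINS:
            continue  # the link really goes where it claims
        # Host a letter or two off a trusted domain, or brand wording pointing elsewhere.
        if any(edit_distance(host, t) <= 2 or t.split(".")[0] in text.lower()
               for t in TRUSTED_DOMAINS):
            findings.append((text, host))
    return findings

# Constructed sample email body: one legitimate link and two impersonations.
SAMPLE_EMAIL = """Please <a href="https://www.paypa1.com/verify">verify your PayPal account</a>.
Or <a href="http://secure-login.example.net/cu">log in to MyCreditUnion</a>.
Help: <a href="https://www.paypal.com/help">paypal.com/help</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` reports the two impersonating links and stays silent on the genuine one; for real mail the allowlist would hold the domains of the institutions you actually use.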

Speaking of copiers, beware of “boiler-room” phone calls. These are attempts to gather information about your copier (e.g., serial number, make and model) so the unscrupulous company can ship expensive supplies to your company and then bill you, as though it were a purchase your company initiated.

These types are scumballs in my book. After I learned what they did, I’d have a bit of fun with them before hanging up. Now I don’t have the patience for it. I just hang up.

You have to be sharper than ever to see through a social engineering attack. The challenge is to retain that sharpness while in the midst of multiple tasks.

Most of the time, the attacker will take advantage of a busy receptionist, a chaotic office, or a tired staff when they try their dastardly deed. (Ever notice you hardly get these attempts early in the morning, when you’re awake and alert? And how many happen close to quitting time on a Friday?)

Just a few thoughts to keep you sane and safe. Confound the social engineering attacks so you won’t be the one confounded! Good luck!

Cross-posted from State of Security

David McCauslin: One very basic thing to remember regarding communications from a financial institution: If they need to get ahold of you, the communication will not be to "Dear Friend", or "Dear Customer"... They will know your name, and call you by that.
These scams are certainly on the rise, thanks in part to how easy the Internet makes it. Be wary, and question everything! An ounce of prevention is more worthy than a pound of cure!
Katie Weaver-Johnson: Thanks for sharing, Brent. Good tips for avoiding social engineering; as an end-user in your organization, are you receiving ongoing awareness training and updates as risks, threats, requirements, and best practices change? It is critical for organizations to implement an ongoing awareness program, as once-a-year general training is not enough.

I would also recommend your organization share personal stories and examples like yours above to help employees (and third-parties) relate and understand the risks and threats they are facing.