Social engineering is a psychological attack used to exploit human vulnerabilities. While the schemes often vary, the overall goal remains the same. Social engineers will say or do just about anything to obtain sensitive information from you. Technical knowledge is often unnecessary for a successful social engineering scam; in fact, most of these ploys merely rely on adept social skills (1). Technology cannot protect you from being a victim of a social engineering scam (2). Awareness is your best defense!
Follow these best practices to protect yourself from social engineering attacks:
- Be alert and do not rely on identification alone for authentication. Gather specifics about the person soliciting personal information from you before complying with their request. Who are they? Where do they work? What is the call regarding? Politely ask for a call-back number and tell them you will get in touch at a more convenient time. This gives you the opportunity to do some investigation beforehand, and you can call them back when you are clear of all distractions.
- Never share your password! A legitimate organization will never ask for your password.
- Pay attention to the information requested. If you are asked for details that the organization is already privy to, do not provide the information. For instance, you should be suspicious if your supposed credit card company is calling you to confirm your credit card number and security code. Additionally, it should be considered suspect if someone from your supposed bank wants to confirm your account number and routing number.
- Keep your guard up. Social engineers will use several methods to gain your trust and cooperation. Be leery of individuals who are overly friendly, aggressive, or insistent, as these are common social engineering tactics. Bottom line: if you do not feel comfortable, trust your instincts.
- Be aware of your office surroundings. If you see someone you do not recognize roaming the area, address them. They could simply be lost, or they could be looking for information left carelessly unattended. Always lock up personal items and confidential information when you leave your area. Additionally, if you work in a building where ID badges are required to gain entrance, do not allow strangers to follow you in. This is called ‘tailgating’ and it is a very common approach used by social engineers.
- Report suspicious activity. Inform your direct supervisor or the police if you believe the situation warrants their involvement.
1. SANS Institute. (2004). Social Engineering. Retrieved from http://www.sans.org/reading_room/whitepapers/engineering/social-engineering_1365
2. SANS Institute. (July 2012). The Tech-Support Phone Call Scam. Retrieved from http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201207_en.pdf
Last updated: June 11, 2015