Tips for Recognizing a Social Engineering Attack

Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that will give them access to your passwords and bank information as well as control over your computer.

Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is to try to crack their password (unless the password is really weak).

Security is all about knowing who and what to trust: knowing when, and when not, to take a person at their word; when to trust that the person you are communicating with is indeed the person you think you are communicating with; when to trust that a website is or isn't legitimate; when to trust that the person on the phone is or isn't legitimate; and when providing your information is or isn't a good idea.

Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn't matter how many locks and deadbolts are on your doors and windows, or whether you have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and let him in without first checking whether he is legitimate, you are completely exposed to whatever risk he represents.

If Tech Support Calls YOU It Might be a Social Engineering Attack

How many times have you called tech support and waited on hold for what felt like an hour? Ten times? Fifteen? Now, how many times has tech support called you wanting to help you fix a problem? The answer is probably zero.

If you do get an unsolicited call from someone claiming to be tech support, this is a huge red flag that you are likely being set up for a social engineering attack. Tech support has enough incoming calls that they are not likely to go looking for problems. Hackers and social engineers, on the other hand, will try to obtain information such as passwords, or try to get you to visit malware links so they can infect and/or take control of your computer.

Ask them what room they are in and tell them to come by your desk. Check their story: look them up in the company directory, and call them back on a number that can be independently verified rather than one they gave you, since caller ID can be spoofed. If they claim to be in the office, call them using their internal extension.

Beware of Unscheduled Inspections

Social Engineers will often pose as inspectors as a pretext.

Check with management to see whether anyone claiming to be an inspector, or any other person not commonly seen in the building, is really legitimate. They may drop the names of people who aren't there that day. If they don't check out, call security and do not let them into any part of the facility.

Don’t Fall for “Act NOW!” False Urgency Requests

One thing that social engineers and scammers will do in order to bypass your rational thought process is to create a false sense of urgency.

The pressure to act quickly may override your ability to stop and think about what is really happening. Never make quick decisions because someone you don't know is pressuring you to. Tell them they will have to come back later when you can vet their story, or tell them you will call them back after you have verified their story with a third party.

Don’t let their pressuring tactics get to you.

Fear can be a powerful motivator, and social engineers and other scammers take advantage of this fact. They will use fear in whatever form works: fear of getting someone in trouble, fear of missing a deadline, and so on.

Fear, coupled with false urgency, can completely short-circuit your thought processes and leave you vulnerable to complying with a social engineer's requests. Arm yourself with knowledge of the techniques they use by visiting social engineering websites such as the Social Engineering Portal. Make sure your coworkers are educated on these tactics as well.
