Social Engineering

What is social engineering?

Social engineering is the manipulation of users into handing confidential information to people who should not have it. Common targets include banking and credit card details, passwords, social media accounts and computer access. Attackers resort to social engineering because it is much easier to trick a human than to break into the computer system or software directly. As Kevin Mitnick, one of the foremost experts on social engineering, said: “the easiest way to penetrate high-tech systems is through the people who manage, operate and use them.”

What are the common social engineering attacks?

E-mail from a friend or colleague

If someone manages to break into your friend’s email account, they may send everyone in that contact list an email containing a link. The link could lead to a phishing website or malicious software, or the message itself may try to extract personal information from you.

E-mail asking for help

I’m sure you’ve heard of or even received an email from a “Nigerian Prince who needs to transfer $150,000,000 out of the country for safety” and will “Gladly give you 5% ($7,500,000) of the money for assisting with this task if you’ll just provide your bank account number and routing number to him”. In addition to those emails, there are emails asking you to donate to a charity, fundraiser or some relief fund, which give instructions on how to send the money to the “charity”, which in this case is a person posing as that organization.

Phishing Attempts

These messages typically attempt to mimic e-mails sent from services you may actually use, such as Facebook, Twitter, Paypal, etc. They typically say that something urgent needs your attention and prompt you to log in. However, instead of going to the legitimate site, for example, the link actually leads to another domain name and website entirely: a temporary site set up just to harvest login credentials from victims.

Phone Calls (Vishing)

These calls are becoming more and more common. They range from someone claiming to be “Microsoft Tech Support” who wants remote access to your computer, to criminals posing as law enforcement officers who claim you have unpaid tickets and that a warrant will be issued for your arrest unless you send them money via Western Union for the “unpaid tickets”. These attacks take advantage of the human tendency to put more trust in someone you are actually talking to on the phone, and they can be very effective if the criminal is convincing.

How can I protect myself and my organization against social engineering?

  • Be skeptical of any person or website asking for any confidential information. This goes a long way toward keeping yourself and your organization protected.
  • Have a company-wide security policy in place that covers setting up accounts, password changes, access approval and overseeing visitor activity.
  • Create strong passwords that differ for each site or service that you use.
  • Beware of any download from any email, including from people in your contact list, as those accounts can be compromised as well.
  • If you receive a phone call asking for confidential information, make note of the person’s contact info, then do some research and verify their identity before releasing any information.
  • Secure your devices with anti-virus, firewalls and e-mail/spam filters.
  • Keep all software, including operating systems, up to date.
  • Create regular backups to avoid data loss.
  • If you receive an email saying you need to log in to any site, DON’T click the link in the email. Instead, manually enter the web address into a new browser window to go directly to that site.
  • If you receive a suspicious email from someone on your contact list requesting information, use another method of contact to reach out to that person and verify that they sent the email.
  • Remember that an organization is only as strong as its weakest link. It doesn’t matter if the IT department is vigilant about security if the receptionist is not.
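The phishing pattern described above (a link whose visible text names a familiar service while the actual destination is a different domain) and the “don’t click the link” advice can both be turned into a simple check on an incoming message. The following is an added example written for this page, not SandStorm IT’s code; the HTML e-mail body is constructed, and the two-label domain comparison is a deliberate simplification (it does not handle suffixes like co.uk).

```python
"""Flag links in an HTML e-mail whose visible text names one domain but whose
href points to a different registered domain, the classic phishing lure."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Simplified: keep the last two labels (example.com), not suffix-aware."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html_body):
    """Return (href, text, reason) for each link whose text and target disagree."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = registered_domain(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(text.lower())   # domain the reader sees, if any
        if shown and registered_domain(shown.group(0)) != target:
            findings.append((href, text, f"text shows {shown.group(0)} but link goes to {target}"))
    return findings


# Constructed sample: one lure link, one honest link.
SAMPLE_EMAIL = ('<p>Urgent: your account needs attention. '
                '<a href="http://login-verify.example.net/x">https://www.example-bank.com/login</a></p>'
                '<p><a href="https://www.example-bank.com/help">Help</a></p>')
```

Running `suspicious_links(SAMPLE_EMAIL)` flags only the first link; the second has no domain in its visible text, so there is nothing to contradict.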

What can I do if I’ve been a victim of social engineering?

If there is any possibility of banking or credit card information being compromised, then you need to contact your financial institutions immediately and they can assist you with protecting your accounts.

If an email or website login was stolen, then a good practice is to change the passwords on everything. The reason for this is that if someone has access to your email, they can typically reset other passwords, possibly without you even knowing.

If it’s your computer that may have been compromised, then you should run a full virus and malware scan to check for any keyloggers or other tools. If you’re still not comfortable, your best choice is to call SandStorm IT at 901-475-2075 and let one of our expert techs take a look at your computer and make sure everything is safe and secure.