What is Social Engineering?
In a social engineering attack, a cyber-criminal uses human interaction (social skills) in email messages, phone calls, or unannounced personal visits. The attacker may be respectful and seem perfectly legitimate but uses psychological manipulation to trick victims into making security mistakes or giving away confidential information. The attacker might claim to be an employee, repair person, researcher, or sales representative, and may even offer credentials. Regardless of how the attacker contacts you or who the attacker pretends to be, this type of cyber-criminal has one goal: to obtain or compromise sensitive information about your organization or its computer systems.
Social Engineering Attacks Leverage Human Error
Social engineering attacks are especially dangerous because they rely on human error, not vulnerabilities in operating systems or software programs. By asking what may seem to be innocent questions, the cyber-criminal may be able to piece together enough information to infiltrate your organization’s network. The attacker will be persistent! If unable to gather enough information from the first source, he or she may contact another source within your organization, then use information obtained from the first source to bolster his or her credibility and build trust.
Social Engineering Attacks – Do’s and Don’ts
To avoid being the victim of a social engineering attack:
- DO be suspicious of unsolicited email messages, phone calls, or visits from individuals asking about employees or other internal information.
- DO try to verify the identity of an unknown individual. Directly contact the company the individual supposedly represents using a phone number or email address you know to be valid.
- DO install and maintain anti-virus software, firewalls, and email filters to cut down on questionable traffic.
- DO take advantage of anti-phishing features offered by your email server and web browser.
- DO pay attention to website URLs. Though a malicious website may look identical to a legitimate site, the URL may use a variation in spelling or a different domain.
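The last DO above (spelling variations and different domains) can be checked mechanically. The following is an added example, not part of the original article: it extracts the host from a URL and flags hosts that are a near-miss of a trusted domain or that embed a trusted name as a subdomain of something else. The TRUSTED list, the sample URLs and the two-label "registrable domain" simplification are all assumptions made for this example.

```python
# Added example (not from the original article): flag URLs whose host is a
# near-miss of a trusted domain. The trusted list and sample URLs are constructed.
from urllib.parse import urlparse

TRUSTED = {"example.com", "paypal.com"}  # constructed allow-list for the demo

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification (assumption): ignores
    multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike', or 'unknown' for the URL's host."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        # Two classic look-alike patterns: a spelling one or two edits away
        # (examp1e.com), or the trusted name placed in front of another domain
        # (example.com.evil.test), where the real registrable domain is evil.test.
        if edit_distance(domain, good) <= 2 or host.startswith(good + "."):
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for u in ["https://www.example.com/login", "https://examp1e.com/login",
              "https://example.com.evil.test/", "https://unrelated.test/"]:
        print(u, "->", classify_url(u))
```

A production check would use a public-suffix list and a homoglyph table rather than the two-label shortcut and plain edit distance used here.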
If anything at all about individuals or their questions seems suspicious:
- DON’T respond to requests for personal or financial information.
- DON’T click on links in email messages.
- DON’T use contact information that’s provided on a website connected to the request.
- DON’T send sensitive information over the internet before checking a website’s security.
Find more information on how to avoid being a victim of a social engineering attack on the U.S. Homeland Security Website.
I Think I’m the Victim of a Social Engineering Attack – What Should I Do?
If you think you have revealed sensitive information about your organization:
- Report it to network administrators and other appropriate personnel so they can be alert for suspicious or unusual activity.
- Contact financial institutions immediately if you think accounts may have been compromised.
- Promptly change any passwords you may have revealed. If you used the same password for multiple accounts, change it for each account. Don’t use that password in the future.
- Close any accounts that may have been compromised.
- Watch for unexplainable charges to accounts.
- Report the attack to the police or government agency responsible for cyber-crimes, such as: