Skip to main content
YOUR SOURCE FOR IMPROVING INFORMATION SECURITY FOR YOURSELF AND OUR CES COMMUNITY.

Social Engineering

Social Engineering

Many information security threats arise from technical flaws like an unsecured website or a weak password. However, some criminals rely on a much more widespread weakness—human psychology. Using simple methods, they play to our impulses and best intentions to gain access to even the most secure buildings, systems, and information. These methods are collectively called social engineering.

How It Works

With a phone call

Scams like the classic "We're calling you from the IRS" shtick are well-known and easily ignored. In more recent cases, however, scammers specifically target (for example) low-level employees with a phone number obtained online. In an unprompted phone call, they pretend to be a trusted authority or a fellow employee, then wheedle their way to information that was supposed to be secure.

With an email or website

A criminal crafts an email or a website that looks just like one from a legitimate organization like a bank or a subscription service. They want you to click on a link and download something malicious or input your personal information or login credentials. This is called phishing and you can learn all about it here (rest assured―it's safe to click on links in this website).

With a text

What can be done with an email or website can also be done with a simple SMS text. A typical example looks like, "Follow this link to confirm your [organization] account" with a hyperlink. When a text like this comes unprompted, it's probably a scam.

In person

Even in this modern day and age, criminals can get access to secure locations simply by playing dress-up. Imagine you're walking through the door into the building where you work, and a person in a professional uniform carrying a stack of boxes comes up behind you. What do you do? You hold the door, of course, like any decent person. And now a stranger has slipped into your organization virtually unnoticed.

How to Avoid It

  1. With almost all cases of social engineering there's an element of impersonation. If you are ever contacted in an irregular way by someone who you can't personally identify on the spot (as in, face-to-face), try to verify their identity. Be curious and cautious.
  2. In the workplace, carefully follow all security protocols. Be familiar with your organization's policies about sharing data and contact information. If you ever have questions or concerns, notify your manager before moving forward.
  3. Be suspicious of unprompted emails, texts, or phone calls. Hover over links to see where they go before clicking (press and hold on a phone). If in doubt, type in the URL yourself. Don't share personal information over the phone, and be cautious with caller ID―scammers can often spoof it.

Gift Card Scams

In the past few years, scammers and attackers have hit pay dirt with one very simple technique: asking for gift cards. Because gift cards don't always have identifying information attached, they're an easy way for a thief to cash out and disappear. Most of the cases we've seen involve a scammer pretending to be a superior and asking the victim to 1) buy gift cards, and 2) send back the numbers. These scams are often couched in urgency ("I need to give gifts to some visitors") and promises of reimbursement. To be secure, as with any other scam, exercise caution, curiosity, and calm as you confirm the identity and intent of the attacker.

Gift Card Scams
Smishing Tips

slideNumber:
Social Engineering