How to Sidestep a Social Engineer

by Kim Logan

You have firewalls, strong authentication devices, intrusion detection systems, encryption, and all the technology required for strong security. You can sit back and relax, confident that you are well protected, right? As hard as it may be to believe, the biggest threat of the day may arrive the next time the phone rings.

The caller's voice may be pleasant, cultured, and friendly. The caller may be who he or she claims to be — or the caller may be a social engineer. Influential and persuasive, the social engineer deceives and manipulates "targets" to extract information. Sometimes the best technology cannot keep you safe.
 
Typically, social engineers are charming, polite, and likeable. Kind and helpful people often hand these scammers whatever information they request! In our society, most people are not trained to be suspicious of others, and social engineers count on this.
 
We know that not all people are honest, but we generally live by the assumption that the probability of our being deceived is very low. It is difficult to give up the idea that we live in a society where we can trust blindly, and the social engineer understands this. The request is made to sound so reasonable that it raises no suspicion. The caller may assume the persona of someone in a position of authority, a co-worker, a new employee seeking assistance, a researcher, or even a vendor calling to offer a system patch or update, and may cite names, titles, or other details to lend credibility to the claimed identity.

The social engineer has rehearsed the approach and arrives with a fully loaded bag of tricks. Often, unwary victims willingly hand over information at the slightest prompting. What can we do to avoid being taken in by this type of attacker?
 
We can begin by simply being aware that the social engineer depends on our willingness to help. We can still be nice, but we can be alert!

 
Things You Can Do to Sidestep an Attack

  1. Never reveal information over the phone to people you cannot identify with certainty, even if they claim to hold a very high position of authority.
  2. Be suspicious of unsolicited phone calls, visits, or e-mail messages from individuals asking about employees or seeking other internal information. If an unknown individual claims to be from a legitimate organization, verify his or her identity directly with that organization, using a phone number or address you look up yourself rather than one the caller supplies.
  3. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain both of the person's identity and of his or her authority to have the information.


Some Warning Signs

A call may be an attack in progress when the caller:

  1. refuses to leave a callback number
  2. exhibits discomfort when questioned
  3. is flirtatious
  4. threatens negative consequences for non-compliance
  5. stresses urgency


The next time you answer the phone, remember that the person on the other end just may not be the person he or she seems to be.  

Return to the Spring 2008 index.


Office of Information Technologies
University of Cincinnati
© University of Cincinnati