Social Engineering Protection
Social engineering is one of the most effective ways to gain access to information. It is much simpler and often far more effective than hands-on technical hacking.
You should be vigilant and attentive to the activities that are happening around you. Most social engineering attacks happen because you are trying to be as accommodating as possible to some form of “urgent” or “highly important” request by the attacker.
Be Mindful of Surprises
The goal of a social engineering attacker is to have you give them the advantage as quickly as possible. They will work to play on your emotions and use those emotions to get you to “bend” a policy or sidestep a process for them. They will also often develop a backstory to make you believe you are not the first person they’ve communicated with. For example, you could be contacted by a customer who claims to have been working with one of your coworkers or to know one of your neighbors. They may even name-drop and support the validity of their acquaintance with your coworker by mentioning a detail that seemingly only someone who knows this coworker would know, such as a recent life event.
Next, they may tell you that they too have had a recent life event (such as a new baby, or a family death) and say it in a way that plays on your emotions and makes it seem unreasonable to delay them with the normal process you would follow to fulfill their request.
These requests could come to you in the form of an email, a phone call, a live chat or a text message. The social engineer’s goal is to get to someone who will listen to them and then follow instructions towards the social engineer’s desired outcome.
Anytime someone drops a name of a coworker or acquaintance, you should always validate this with the person whose name they dropped. If your contact does not know who this person is, there is a good chance this is a scam or some social engineering technique is being used against you.
Tune into the Sense of Urgency
While you are talking with anyone, tune in to the sense of urgency they are portraying. Very often, once a social engineer has established credibility with you regarding their backstory, they will then attempt to impart a sense of urgency. They know that once they have sold you on why they are asking you to help them, they will not have much time before you begin to second-guess their intentions. This means they need to inject a sense of urgency to get you to act before your sense of awareness kicks in.
Another technique social engineers will utilize involves creating artificial deadlines that will also play on your emotions. They will pull other people into the situation to make it seem as if it is not about them but about others being harmed if you don’t act quickly to help them.
Remember: Stay calm and focus on weeding through the complexities that have been tossed at you in this situation. Consider the relevance of how those details weigh on the actions being asked of you.
While unfortunate, the fact that the person contacting you just had their father pass away should have zero impact on the decisions you make or information that you provide.
Consider Your (and Others’) Privacy
Depending on the vector the social engineer is using, it is possible you may actually only be a stepping stone towards their goal rather than the direct medium for attack. This is usually the case if they determine that you are not able to help them or do not have access or the ability to do what they are interested in.
Always consider your own privacy and the privacy of others around you, especially when dealing with unsolicited contact from someone who needs your help “right away”.
You should be very careful about providing personal information about yourself, your family members or your friends to any strangers.
Watch Out for the Hook
The final phase of a social engineering attack is called the “hook”. The hook might be as small as finding out the name of your boss or their phone number. The hook could also be sending you an email and asking you to view an attachment. It might be getting you to perform an action that would never be permitted under any other circumstances except at this very moment - in your mind. When you combine all the items being thrown at you by the social engineer, it may seem acceptable and reasonable to think “just this one time”.
(This guide is part of a series on Personal Security.)