A security topic that never fails to captivate an audience is “social engineering.” In its simplest form, social engineering happens when a person uses trickery to manipulate someone into doing something or sharing confidential information. In today’s digital economy, it's easier and more efficient to use technology like email to facilitate the theft of identities and sensitive data.
Electronic social engineering, also known as “phishing,” usually arrives in your mailbox as SPAM: unsolicited, usually tasteless, and for many organizations, more frequent than you’d like. The email is designed to grab your attention and evoke a knee-jerk reaction. Popular topics include:
“We have $50 million dollars for you in a Nigerian bank…”
“I saw you on YouTube…”
“Your bank account has been breached…”
Some phishing emails are clearly bogus – misspelled, atrocious grammar, and flat-out offensive. These are easy to spot if they make it past your SPAM filter. Other emails are very crafty – seasoned with enough fact to raise your curiosity and lure you into a trap. Follow these tips to keep from getting hooked.
Stay alert. If someone secretly put a scorpion in your filing cabinet, you’d be pretty stunned when you reached in for the Jenkins file. After getting stung once, you’d be very cautious every time you went for a folder. Others who heard about your incident would be cautious too, hesitant and suspicious as they peered into their cabinets. As strange as this metaphor may be, there are also dangers lurking in your corporate or personal email box.
Employees are under constant attack from cyber criminals. Often, they do get “stung.” While there’s no physical pain involved, the impact of a personal or corporate data breach can be extensive. What is needed is a level of awareness that protects us from the very real dangers that secretly enter our mail boxes and wait to catch us off guard.
Do not react. Social engineering attacks are effective because they create an emotional response that surprises the victim and temporarily forces their common sense into neutral. Stay calm and follow these tips to keep yourself safe:
· Legitimate correspondence is well written and courteous. It should not make you irate, embarrassed, or scared.
· If you don’t use PayPal, eBay, or other online services, do not respond to emails from them. Simply clicking the link can infect your computer with information stealing software.
· If you receive an alarming email from an organization with which you do conduct business, call the number printed on official correspondence like a bank statement. Do not follow web site links, provide personal information, or open any attachments.
· Pay attention to the spelling of web site addresses. There’s a big difference between “bancone.com” and “banc0ne.com” – one might have your money; the other one will steal your money after you’ve unintentionally given them your bank information.
· Bookmark and refer to the Web sites you know you can trust. Do not follow links sent to you via email.
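The two address tips above (check the spelling of the web site address, and trust only the sites you have bookmarked) can be turned into a simple check. The following is an added example, not code from the original article: it takes a link from an email, extracts the hostname, and compares it against a constructed allowlist of bookmarked domains. It generalizes the “banc0ne.com” case in the text by also flagging one-character typos and a trusted name used as a subdomain of some other domain. The allowlist entries, the substitution table, and the last-two-labels rule for the owner’s domain are assumptions for the example.

```python
"""Flag email links whose hostnames imitate a bookmarked, trusted domain (added example)."""
from urllib.parse import urlparse

# Constructed allowlist of domains the reader has bookmarked (assumption for this example).
TRUSTED_DOMAINS = {"bancone.com", "paypal.com", "ebay.com"}

# Characters commonly swapped for look-alike letters, e.g. the "0" in "banc0ne" (assumed table).
LOOKALIKE_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "@": "a", "|": "l",
})


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Naively take the last two labels as the owner's domain (assumes a single-label TLD such as .com)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos of a trusted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """
    Classify a link as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' covers three cases: a digit/symbol substitution (banc0ne.com),
    a one-character typo of a trusted name, and a trusted name appearing as a
    subdomain of some other registrable domain.
    """
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    normalized = domain.translate(LOOKALIKE_MAP)
    for good in trusted:
        if normalized == good:
            return "lookalike"
        if edit_distance(domain, good) == 1:
            return "lookalike"
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email.
    for link in ["https://bancone.com/login", "http://banc0ne.com/", "https://example.org/"]:
        print(f"{link:35} -> {classify_link(link)}")
```

Anything classified as “lookalike” or “unknown” should be treated the way the article advises: do not click it, open your bookmarked site instead, and call the number printed on official correspondence if the message alarms you.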
Verbally report the incident. Whether you’ve been tricked by a social engineering attack or identified the scam and resisted, it’s critical to report the incident. Follow these steps:
· Immediately contact your IT department by phone or in person. Voicemail is not sufficient – be sure someone knows. Your PC may need attention. The faster you respond, the lower the impact.
· If you successfully caught the scam, you still need to contact your IT department as soon as possible. Others in your organization may also have been targeted. If you’re quick enough, IT can send an email to warn your co-workers.
· Do not forward the phishing email to a group of people. There’s always one curious recipient who has to know whether or not the scam is real.
Phishing attacks are the tactic of choice for identity thieves focused on committing fraud in your name. At their worst, a phishing attack may allow a crime ring to penetrate your company and steal the identities of your clients. For a company that is breached, the negative publicity coupled with the poor economy could spell business disaster. Keep yourself and your organization safe by staying alert, not reacting, and reporting suspicious email immediately.