Social engineering is the art of manipulating people into giving up confidential information or access to restricted areas. Attacks can arrive by email, text message, phone call, social media, in person, and more. Someone launching a social engineering attack will rarely ask one person for everything they need. Instead, they gather many seemingly harmless pieces of information from many sources and use them to appear legitimate.
- Understand common ploys and scams used by social engineers
- Always follow policies and procedures
- Verify information using official sources
Common Social Engineering Attacks
- Acting forgetful (e.g., “I forgot my key, can you let me in this once?”)
- Playing to your sense of compassion (e.g., “I need this information to finish my work, my boss is going to fire me if I don’t”)
- Leveraging empathy (e.g., “Today is about to kill me…the stress! I just need someone to let me use their computer to print a document real quick”)
- Acting with authority (e.g., “I am here from IT to install some new software for you.”)
- Threatening you or others (e.g., “I am here from IT to audit your department's desktops. I’m going to tell your supervisor you wouldn’t help me.”)
- Offering an incentive or reward (e.g., “I’ll buy you coffee if you help me out this one time.”)
Enforce Policies and Rules
Anyone with a legitimate claim to information, machines, or areas should not be upset when you adhere to policies and procedures; pressure to skip a step is itself a warning sign. If a situation makes you uncomfortable, stop and reach out to others, such as your supervisor or IT security.
There are a number of university policies to follow, but the basics are: never share your password or enter it on another person's behalf; never leave your computer unlocked or unattended; and never let someone into a building or room restricted by key or keypad access, no matter how plausible their reason.
Verify Information Using Official Sources
Someone launching a social engineering attack will often have done thorough research, collecting information from many sources to avoid suspicion, and may have created fake resources (phone numbers, websites, email addresses) to make the story hold up.
For example, someone claiming to be from a credit card company or phone company may give you a phone number and ask you to call it to "verify" their identity. A number supplied by the caller only proves that the caller controls that number. Instead, end the conversation and look up the company's legitimate number yourself, from the back of your card, a statement, or the company's official website, and call that to verify the person's claim.