If you have heard/seen these (or variations on these) . . .
- "I'm traveling in London and I've lost my wallet. Can you wire some money?"
- “I’m out of office. Remind me how to send a wire transfer.”
- "Someone has a secret crush on you! Click this link to find who it is!"
- "Did you see this video of you? Open the attachment!"
- "This is Chris from tech services. I've been notified of an infection on your computer."
- "You have not paid for the item you recently won on eBay. Please click here to pay."
- “….oh look. Someone dropped a flash drive. Wonder what’s on it?”
. . . you were (probably) a target for a social engineering attack.
Social engineering attacks can take many forms. In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information. Most users should be familiar with email phishing scams (a form of social engineering) and have been taught not to open attachments from unknown or untrusted sources or to visit untrusted web sites. However, there are other ways that a perpetrator might try to gain access to information or systems. Other examples of social engineering methods:
- IMPERSONATION: Attacker pretends to be someone else - for example, impersonating a senior manager from your organization or someone from the ITS Help Desk. The impersonation may occur over the telephone, in person, or via email. The perpetrator may try to make you feel obligated to assist, or under pressure to follow their directions. They may use intimidation or a false sense of urgency to seek your cooperation – prompting you to react before you’ve fully thought through the consequences.
- SYSTEMS AND PHYSICAL ACCESS: All too often, people will hold the door open for someone entering into a secure area or building without even knowing who the individual is or asking where they are going. The unauthorized individual may pretend to be a delivery person, a visitor, or even a fellow employee.
- SHOULDER SURFING: Attacker gains access to information by simply watching what you are typing or seeing what is on your computer screen. This is known as “shoulder surfing,” and can also be done by looking through a window, doorway, or simply listening in on conversations.
- BAITING: Attacker asks a variety of seemingly innocuous questions designed to probe for information. The attack is often done over the telephone but can also be done in person. Small amounts of facts are interjected at the right time into the conversation to make requests for information sound legitimate.
- SURVEYS: Surveys may be for legitimate purposes or might be a scam. In either case, be aware of unwittingly disclosing information that may be used inappropriately. For example, disclosure of details about Metro could prove extremely useful to someone with malicious intent.
- DUMPSTER DIVING: Searching through trash (“dumpster diving”) is a method used by perpetrators to obtain sensitive information.
- SOCIAL MEDIA & NETWORKING WEBSITES: Attackers use information you provide on social media sites. The more information you post, the more information is available for a perpetrator to use in an attempt to conduct a social engineering attack.
A Few Tips
- Do not provide personal information or information about you or Metro, including its structure or networks, unless you are certain of a person's authority to have the information.
- Don't fall for "Act NOW!" false urgency requests. Go slow and pay keen attention to fine details in emails and messages. Never let the urgency in an attacker's message cloud your judgment.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- Avoid being greedy on the web. If you never participated in a lottery, it goes without saying that you can never be the winner. If you never lost money, why would you accept a refund from the FBI?
- Never give out your password to anyone, even if they claim to be from “technical support.”
- Turn in "lost" USBs, CDs, DVDs or other devices to management or IT, and DO NOT plug them into any device to see what is on them.
- Beware of fear tactics such as "Help me or the boss is going to be mad!”
- Be aware of your surroundings. Make sure you know who is in range of hearing your conversation or seeing your work. Computer privacy screens are a great way to deter shoulder surfing in public places.
- If you don’t know someone who is in a restricted area, look for a badge or a visitor pass. If you are unsure about their authorization or access permission, report the situation to the appropriate staff.
- Before you throw something in the trash, ask yourself, “Is this something I would give to an unauthorized person or want to become publicly available?” If you are not certain, always err on the side of caution and shred the document or deposit it in a secure disposal container.
- Be aware of your department’s data classification, destruction and retention policies.
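The tip above about checking a website's URL for spelling variations or a swapped domain ending can be turned into a simple automated check. The following is an added example written for this page, not code from the original author or from Metro: it takes a constructed allowlist of trusted domains (the names below are made up) and classifies a URL as trusted, a top-level-domain swap (.com vs. .net), a lookalike spelling (one character off, or digit-for-letter substitutions such as "paypa1"), or a trusted brand name embedded in an unrelated host. Extracting the registrable domain as "the last two labels" is a deliberate simplification; production code would consult the public suffix list.

```python
"""Lookalike-URL classifier (constructed example; not part of the original page)."""
from urllib.parse import urlparse

# Constructed allowlist: the domains the organisation actually uses.
TRUSTED_DOMAINS = {"metro.example", "ebay.com", "paypal.com"}

# Characters commonly substituted because they look alike in many fonts.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Simplification: last two DNS labels. Real code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(label: str) -> str:
    """Undo common visual substitutions so 'paypa1' and 'rnetro' compare as 'paypal'/'metro'."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def classify_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, related_domain) for a URL against the trusted allowlist."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted", domain

    name, _, tld = domain.rpartition(".")
    for t in sorted(trusted):               # sorted for deterministic results
        tname, _, ttld = t.rpartition(".")
        if name == tname and tld != ttld:
            return "tld-swap", t            # e.g. ebay.net instead of ebay.com
        if normalise(name) == tname or levenshtein(name, tname) <= 1:
            return "lookalike", t           # e.g. paypa1.com, paypel.com

    # Trusted brand used as a sub-label of an unrelated host, e.g. paypal.com.login.example
    for t in sorted(trusted):
        if t in host and not host.endswith("." + t):
            return "embedded-brand", t
    return "unknown", domain


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin", "http://ebay.net/pay",
                   "https://paypa1.com/login", "http://paypal.com.secure-login.example/",
                   "https://example.org"):
        print(f"{sample:45} -> {classify_url(sample)}")
```

Anything other than "trusted" is a reason to stop and verify the link through a known-good channel rather than clicking; the classifier is an aid to the habit the tip describes, not a replacement for it.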