Security does not stop, or even start, with the technology. People are still the weakest link in the security chain. Be aware that you may be the target of a social engineering or corporate espionage attack, so that you do not become the weakest link for your organization. Both social engineering and social engineering testing are becoming more and more prevalent. Here are the top 5 things to look out for to avoid becoming an exploited social engineering target.
Improper Requests for Information
Not every question asked of you is someone trying to trick you; however, the best social engineers tend to ask subtle questions, each asking for only a small piece of information. Be aware of questions asking for the names of employees, specifically the names of IT/security personnel (as they have permissions to everything) or executives/management (as the caller can use those names in future calls to seem important). Any question asking what your password is is an obvious red flag. Requests for information that is not within your area of responsibility, or requests from someone who really does not need the information, are also good indicators.
Request for Information to be Sent to a Non-company Email Address or Location
Social engineers will often pretend to be an employee, and if your company is large enough, the likelihood is high that you will not recognize the name. They may even use the name of a real employee. If they request that you send information to an email address that is not a company address, be suspicious: "Hi, I am Rob Smith from accounting; can you send me the contact sheet for the company to my Hotmail address? I am having trouble with my work email at the moment." If they are having trouble with their email they should call tech support. Restrictions on sending confidential information to non-corporate email addresses, even when the recipient claims to be an employee, should be covered in your email security policy.
Someone Important is Contacting You
If a senior executive or government official contacts you with a simple request, be wary, especially if that is not the norm for your job. Even if you are on the helpdesk for your company and the CEO calls and asks you to change their password, verify the request and make sure that they are who they say they are. Your CEO may growl at you for questioning their stature, but so will a potential social engineer masquerading as them. If you are being social engineered and fall for this, you'll likely get to meet your CEO anyway. Gulp.
Co-op Students
Co-op students are commonly known for being inexperienced, treated as worker bees, and often left alone. They are the perfect role for a social engineer to impersonate, as it is likely no one knows who they are. Posing as a co-op student, the social engineer can make multiple mistakes on the phone and the employee will simply chalk it up to them being new and inexperienced.
Email That Looks Real
A social engineer will masquerade as an employee, perhaps the helpdesk, and send emails to employees from accounts that look so much like your company's that you will not even notice. If your company's normal email addresses end in @acme.com, then watch out for @acmo.com. Check the full sender address rather than the display name, which the sender chooses freely. The subtle differences can net social engineers passwords and much more.
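As an added example that is not part of the original article, the following Python script shows how a mail gateway (or a suspicious recipient) could mechanically apply two of the rules above: the non-company destination from "Request for Information to be Sent to a Non-company Email Address or Location", and the lookalike sender domain from this section. It takes the real address out of a From: or To: header value and classifies its domain as corporate, lookalike or external. The corporate domain list, the public webmail list and the homoglyph table are assumptions constructed for illustration; acme.com and acmo.com are the article's own hypothetical names.

```python
"""Classify the domain of an e-mail address as corporate, lookalike or external.

Added example for the article; all domain lists below are constructed for
illustration (assumption: a real deployment would load the corporate list
from the mail gateway's accepted-domain configuration).
"""
from email.utils import parseaddr

# Hypothetical corporate domains (assumption).
CORPORATE_DOMAINS = {"acme.com", "acme.co.uk"}

# Personal webmail providers: the "send it to my hotmail" request (assumption).
PUBLIC_WEBMAIL = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}

# Characters and digraphs that attackers swap in because they look alike in
# many fonts; folded before comparison so "acrne.com" collapses to "acme.com".
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot and fold look-alike characters."""
    d = domain.strip().lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(header_value: str, corporate=CORPORATE_DOMAINS, max_distance: int = 2):
    """Return (verdict, reason) for the address in a From:/To: header value.

    verdict is "corporate", "lookalike", "external" or "invalid".  Only the
    real address is judged; the display name is ignored because mail clients
    often show just that name, and it is an attacker-chosen string.
    """
    _display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return ("invalid", "no address found")
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    corp = sorted(c.lower() for c in corporate)

    # Exact corporate domain or one of its sub-domains: inside policy.
    for c in corp:
        if domain == c or domain.endswith("." + c):
            return ("corporate", c)

    # Personal webmail is never an acceptable destination for company data.
    if domain in PUBLIC_WEBMAIL:
        return ("external", "public webmail")

    # Anything that resembles a corporate domain without being one.
    for c in corp:
        brand = c.split(".")[0]
        if normalize(domain) == normalize(c):
            return ("lookalike", f"homoglyph of {c}")
        if levenshtein(normalize(domain), normalize(c)) <= max_distance:
            return ("lookalike", f"within {max_distance} edits of {c}")
        if brand in domain:  # e.g. acme-helpdesk.com or acme.com.evil.net
            return ("lookalike", f"contains brand {brand!r}")
    return ("external", domain)


if __name__ == "__main__":
    # Constructed sample header values, including the article's acmo.com.
    samples = [
        "rob.smith@hotmail.com",
        '"IT Helpdesk" <helpdesk@mail.acme.com>',
        "helpdesk@acmo.com",
        "helpdesk@acrne.com",
        "it@acme-helpdesk.com",
        "sso@acme.com.evil.net",
        '"helpdesk@acme.com" <attacker@evil.net>',  # display name is a lie
    ]
    for s in samples:
        print(f"{s:45} -> {classify(s)}")
```

An edit-distance threshold of 2 over-flags very short domains, so tune it per domain length and treat hits as a review queue for the recipient or the security team rather than an automatic block; the last sample shows why the check runs on the real address and not on the display name a mail client shows.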
Summary
Social engineering is the art of deception: an attacker trying to fool you into giving up information you would normally not disclose. These attackers are very skilled at asking questions and sending emails that look real enough that you will expose information. When you feel uncomfortable answering a question, do not hesitate to pass the request to a manager or your floor marshal.