Drive by Download
Generally speaking, we as humans want to help our fellow humans out. Unfortunately, this fact is abused by what are known as social engineers. Think of social engineering as people hacking. Social engineers attempt to manipulate people to get things they want, whether it be passwords, personal information, or access to restricted areas.
Social engineering isn't simple trickery. There is a well-defined social engineering framework that is highly detailed and contains specific methods of attack, situation-based exploits, means of eliciting compliance, etc. More details on other aspects of social engineering can be found in Chris Hadnagy's book on the topic.
No one wants to become a victim of a social engineering attack, so it's important to be able to recognize an attack in progress, and be able to respond to it appropriately.
Here Are 4 Tips for Recognizing a Social Engineering Attack:
1. If Tech Support Calls YOU It Might be a Social Engineering Attack
How many times have you called tech support and waited on hold for like an hour? 10? 15? How many times has tech support called you wanting to help you fix a problem? The answer is probably zero.
If you do get an unsolicited call from someone claiming to be tech support, this is a huge red flag that you are likely being set up for a social engineering attack. Tech support has enough incoming calls that they are not likely to go looking for problems. Hackers and social engineers, on the other hand, are going to try to obtain information such as passwords or try to get you to visit malware links so they can infect and/or take control of your computer.
Ask them what room they are in and tell them to come by your desk. Check their story, look them up in a company directory, call them on a number that can be verified and is not spoofed. If they are in the office, call them using their internal extension.
2. Beware of Unscheduled Inspections
Social engineers will often pose as inspectors as a pretext. They may carry a clipboard and have a uniform to help sell their pretext. Their goal is usually to get access to restricted areas in order to obtain information or install software such as keyloggers onto computers within the organization that they are targeting.
Check with management to see if anyone claiming to be an inspector or other person not commonly seen in the building is really legitimate. They may drop names of people who aren't there that day. If they don't check out, call security and do not let them into any part of the facility.
3. Don't Fall for "Act NOW!" False Urgency Requests
One thing that social engineers and scammers will do in order to bypass your rational thought process is to create a false sense of urgency.
The pressure to act quickly may override your ability to stop and think about what is really happening. Never make quick decisions because someone you don't know is pressuring you to. Tell them they will have to come back later when you can vet their story, or tell them you will call them back after you have verified their story with a third party.
Don't let their pressuring tactics get to you. Check out our article on How to Scam-proof Your Brain for some other tactics used by social engineers and scammers.
4. Beware of Fear Tactics Such as "Help Me or The Boss is Going to Be Mad"
Fear can be a powerful motivator. Social engineers and other scammers take advantage of this fact. They will use fear, whether it's fear of getting someone in trouble, fear of not meeting a deadline, etc.
Fear, coupled with false urgency, can totally short-circuit your thought processes and make you vulnerable to complying with social engineers' requests. Arm yourself with knowledge of the techniques they use by visiting social engineering websites such as the Social Engineering Portal. Make sure your coworkers are educated on these tactics as well.