Social Engineering (they're trying to con you)

Social engineering is the act of extracting information, or access to information, from someone who holds that information or has the power to grant access, by acting under false pretenses.

You need to stay aware of this method of attack and understand the proper channels through which requests for information should be made.

One type of social engineering we see frequently is called phishing. Phishing is the act of sending e-mail to a user while falsely claiming to be an established, legitimate enterprise, in an attempt to scam the user into surrendering private information that will then be used for identity theft. For information on how to protect yourself from phishing, to view recent phishing attacks, or to report phishing, see the Anti-Phishing Working Group website at http://www.antiphishing.org/

Is he who he says he is?

Social engineering relies on exploiting the assumptions people make about the authority and identity of others. It commonly comes in one of two forms: 1. the attacker pretends to be a person of authority and demands access or information; 2. the attacker pretends to be confused and vulnerable and needs you to help him complete a task by letting him use your computer or e-mail account.

It can be difficult to tell those who are truthful from those who are faking their identity. So rather than trying to guess who is real and who isn't, it is best to approach each situation with a set of guidelines to follow.

Guidelines for dealing with requests for sensitive information

  • No matter what, do not give out your password to anyone. No one should ever need to ask for your password, and any such request should be met with a confident "no". Network and telephone administrators have access controls in place so that they do not need your password to perform their duties.

  • If a person needs help, direct them to the proper people rather than trying to help them yourself. A person who has lost their password or needs help accessing their voicemail can call the helpdesk at extension 2555.

  • Do not allow access to your computer through your account. If someone needs to use your computer to get online, log yourself out of the computer and have that person log in under their own account. No matter how urgent the request is, the few extra seconds this costs can save much more in terms of your information security.

  • Always ask yourself "does this person REALLY need to know this information?" If you have even the smallest doubt, the answer is a very big NO.

Examples of Social Engineering

  • The Con:
    A person contacts you claiming to be a system administrator. He claims your account is broken and needs your password to fix it.

    The Truth:
    A network administrator should never have to ask you for your password. Any time someone asks for your password, ask them why they need it and on whose authority they are requesting it. Then tell the person you need to confirm this and ask for their name and telephone number. Gather as much information about the situation as you can and report the suspicious activity.

  • The Con:
    A person contacts you claiming to be from a credit card company. They need to verify your account and ask for your credit card number and expiration date.

    The Truth:
    A credit card company will not call you and ask for personal information such as this. Like the previous example, collect as much information about the caller as you can. Get a name, telephone number, and anything else. Then call your credit card company and report the incident.

  • The Con:
    A person contacts you claiming to be a new staff member. He has forgotten his password and asks you to give him yours because he needs to get into the system very quickly or he'll be in trouble with the boss.

    The Truth:
    This could be a very innocent request, but there are grave dangers in giving out your username and password. An attacker could be posing as a new employee.

  • The Con:
    A person walks into the office claiming to be a computer or telephone repair man. He asks you for your computer or voicemail password.

    The Truth:
    College staff will not ask you for your username, password, or PAC number. The only time such information may be needed is when a phone repair person needs to confirm that your voicemail system is working. In cases such as this, you should be the one who enters your PAC or voicemail password. If the person complains or is persistent in the request, contact the appropriate department and report the incident.

Examples of Phishing

Last Modified: May 7, 2008