Your phone rings at work. The caller says he is from your IT helpdesk, and they need some information from you to wrap up a project that affects you. He asks for some information, and it seems legitimate enough, so you give it to him. Believe it or not, you’ve just fallen victim to a type of cybercrime called social engineering, also known as the “low-tech hack.”
Social Engineering is the art of manipulating people to get confidential information. It is a method of gaining access to company resources such as premises, systems, or resources through low-tech means. Relying almost entirely upon human interaction, hackers often prey on peoples’ “fear of offending” to get the information they want.
Social Engineering usually involves soliciting seemingly trivial information which, when combined with other information, will allow an attacker to:
Bypass normal processes, procedures and security controls
Convince employees to not follow normal security procedures
Trick people “in the know” into divulging information they did not intend to share
We see activity like this happening to our Partners more and more frequently.
How They Do It…
When Hackers reach out they might:
Ask a question (in-person or on the phone) like:
“I am with the Helpdesk and need to remotely access your computer.”
“I am a traveling user and need a password reset.”
“I am with the Helpdesk need you to reset your password.”
Urgently ask for your help
Send an email that appears to be from a friend or colleague asking you to click a link, download an image, video, etc.
Request to access your computer remotely for support reasons
Request you donate to a charitable cause
Act like they are responding to a “support request” that you never made
Drop a flash drive or CD in the parking lot, lobby or other area on-premises hoping you insert it in your computer to “check it”
These attacks can take any shape or form, limited only by the hacker’s imaginations. However, there are several simple steps to avoid becoming a victim of social engineering:
Slow down. It it’s highly urgent or uses high-pressure tactics, be skeptical. Someone else’s urgency doesn’t constitute an emergency for you.
Research the facts. Be suspicious of messages from people you don’t know. If the company is new to you, Google them first.
Delete any and all requests for financial information or passwords in email. If you’re curious or concerned, contact the company directly through regularly promoted channels.
On the phone - ask. If they don’t mention their company name, ask for it. Ask them exactly what “support request” they are referring to. Ask them how they got your information. If you get vague answers, just hang up. If it’s an email, delete it.
To keep the upper hand on these low-tech hacks, requests like this should always be vetted before acting on the request.