Social Engineering, Why You Should Be Aware

This week EquiTrust celebrates national Corporate Compliance & Ethics Week. The theme is “Awareness. Recognition. Reinforcement.” We want to educate our agents on how to better recognize social engineering efforts and prevent these attacks from succeeding. The privacy and security of client information is of the utmost importance.

Social engineering attacks typically involve some form of psychological manipulation, duping users into handing over confidential or sensitive data. Most commonly, social engineering schemes use e-mail that invokes urgency, fear, or similar emotions in the victim so that they reveal sensitive information, click a malicious link, or open a malicious file.

What are the most common social engineering attacks?

  • Phishing – The most common. Attackers can use email, social media, instant messaging and SMS to trick victims into providing sensitive information such as Social Security numbers or logon credentials, in an attempt to compromise systems and obtain data.

  • Watering Hole – Malicious code is injected into the public web pages of a site that the victims commonly visit. The attackers compromise websites within a specific sector that are ordinarily visited by the individuals of interest.

  • Whaling – What distinguishes this attack from other phishing scams is that it targets the “big fish.” The scam email is designed to masquerade as a critical business email sent from a legitimate authority, typically a relevant executive of an important organization. The content of the message is usually aimed at upper management and reports some kind of fake organization-wide concern or highly confidential information.

  • Pretexting – The success of this scheme depends heavily on the attacker’s ability to build trust. The attacker tries to manipulate victims into performing an action that lets the attacker discover and exploit a point of failure inside the organization. For example, an attacker can impersonate an external IT services operator and ask internal staff for information that could allow access to systems within the organization.

  • Baiting – Exploits human curiosity. For example, an attacker may use a malicious file disguised as a software update or as generic software. An attacker can also carry out a baiting attack in the physical world by dropping USB drives in the parking lot of a local grocery store and waiting for internal personnel to insert them into their business PC or laptop.

Ways to protect yourself:

  • Think before you click!

  • Don’t download files you don’t recognize or weren’t expecting.

  • Delete any requests for personal information or passwords.

  • Set your spam filters to high.

  • Secure your devices.

  • Always be mindful of risks.
