Social engineering
Things to know
Social engineering, in the context of information security, is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information. (Source: Wikipedia)
In social engineering, the attack is often personal, with fake phone calls or direct contact. For example, the victim is asked to grant an alleged technician access to premises.
Social engineering methods can also be used to attack via email. "CEO Frauds" and sometimes phishing emails are examples of this.
CEO fraud uses emails to persuade victims to transfer money to the attacker or otherwise give them a financial advantage.
The attackers use false identities and push forward an urgent action. For example, the victim is allegedly contacted by a superior (e.g. an SL member) and, in the course of the unfolding mail dialogue, is instructed to make payments or purchase vouchers for online merchants.
Such an attack exploits the pretended hierarchical relationships and the helpfulness of people.
Stop social engineering attacks
With all the helpfulness - a healthy distrust is important.
Is the person in front of you, on the phone, or in the email really who he or she claims to be?
- If you have doubts about the authenticity of a call, interrupt the conversation. Search ETH directories or official telephone directories for the number and call the caller back.
- Check the sender address of the email by moving the mouse over the sender. Is the address known or plausible? If the sender is supposed to be internal, an internal sender address should be displayed.
- Address unknown or unexpected persons if they are in restricted areas. Why are they there? Who has hired them?
- Do not allow unknown persons to enter restricted areas unless you are informed about the event and the visit has been officially announced.
Ask yourself:
- Would the sender contact you about this matter? How likely is that?
- Do you know the sender's email address? Is it correct? If you are in doubt, try to find out the correct email address via another communication channel. You can also call the alleged sender.
- Do you really want to answer the mail? If so, do not use the «reply» function, but address your reply to the correct email address of the sender that you know.
- If you have replied to the email: Is the subsequent email dialogue plausible, credible? Are you to be tricked into triggering cash flows or revealing sensitive information?
Be skeptical. If in doubt, you can ask your IT support for advice.