A man dressed in brown carries a package into your workplace. He strides toward the executive offices, pushes a door open, and walks down the hall.
On the plane, a woman one row in front of you opens her laptop. You see the slides as she edits the presentation. She works for a competitor to your organization.
The events might be harmless: a typical delivery or chance encounter with a competitor.
Yet the events also might be social engineering: a security attack that relies on expected behavior to obtain information. We expect to see a delivery person dressed in brown, yet the person’s mission might be to pick up information, not deliver a package. And the woman in front of us might not have expected us—a competitor—to purchase a seat behind her.
A social engineering attack often relies on misdirection. The attacker behaves in a way that appears normal, yet hides their intent to obtain restricted information. Unlike a magician who diverts our attention to amuse, a social engineering attacker misdirects us to steal.
A well-designed system helps defend against a social engineering attack. In the example above, a centralized package delivery location might prevent unauthorized access to executive offices. Similarly, two-step authentication might prevent unauthorized access to an online account—even if an attacker obtains a person’s password. Such systems often decrease convenience and increase security.
Ultimately, an informed and alert person remains the best defense against such attacks. To that end, consider the following practices.
Initiate, don’t respond
Never respond to an email, text message, or phone call that requests any personal or private information. Such messages are easy to “spoof”: to make appear as if they’re from a legitimate source, but aren’t.
If you receive such a request, contact the alleged source of the request directly over another channel. For example, if you receive an email from your bank requesting that you update your account information, call your bank at the phone number listed on your debit card. Don’t call a phone number listed in the email: that might be a fraudulent number.
Similarly, never click a link “to update information” in an email. Instead, type the company’s URL directly into your browser and log in to your account. A link might take you to a site that appears authentic, but isn’t. Type links, don’t trust links.
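The reason “type links, don’t trust links” matters is that the text you see in an email and the address the link actually opens are two separate things. The following is an added example, not code from the original article: a small Python check that pulls the anchor tags out of an HTML email body and flags any link whose visible text looks like a web address but whose real destination is on a different domain. The sample email body and all domain names in it are constructed for the example, and the two-label “registrable domain” rule is a simplifying assumption (production code would consult the public suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the article). The first link shows a
# bank-looking address but points at an unrelated host; the second is consistent;
# the third has generic text, so there is nothing to compare.
SAMPLE_EMAIL = """
<p>Please <a href="http://login.example-bank.com.verify-acct.example/update">www.example-bank.com/update</a> to update.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">www.example-bank.com/help</a>.</p>
<p><a href="https://tracking.example.net/x">Click here</a></p>
"""

# Visible text that "looks like" a URL or bare domain, e.g. www.example-bank.com/update
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, or None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the hostname of a URL or URL-looking string, or None if it has none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value  # let urlparse treat a bare domain as a URL
    try:
        return urlparse(value).hostname
    except ValueError:
        return None


def registrable_domain(host):
    """Crude approximation (assumption): the last two DNS labels of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mismatched_links(html):
    """Return links whose visible text names one domain while the href goes to another.

    Links with non-URL text ("Click here") are not flagged: there is nothing to
    compare, and the user should type the address themselves regardless.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if URL_LIKE.fullmatch(text) else None
        if target and shown and registrable_domain(target) != registrable_domain(shown):
            findings.append({
                "text": text,
                "href": href,
                "shown_host": shown,
                "target_host": target,
            })
    return findings


if __name__ == "__main__":
    for finding in mismatched_links(SAMPLE_EMAIL):
        print(f"visible text names {finding['shown_host']} "
              f"but link opens {finding['target_host']}")
```

Run against the constructed sample, only the first link is reported: the text reads like the bank’s own site, but the destination host ends in a different domain. The check is deliberately conservative; it exists to illustrate why the visible text is not evidence of where a link goes, not to replace the habit of typing the address yourself.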
Never provide account information over the phone—unless you placed the call. This especially applies to tech support services that will “call you back”. If you’re trying to resolve a tech issue, always initiate the call; never disclose information to an incoming caller. As above, don’t use a number provided by the caller: look up the correct main support number, then call the person.
“Watch your six”
The phrase refers to positions on a clock face: 12 o’clock is directly ahead of you, 3 o’clock is to your right, and 6 o’clock is directly behind you. So “watch your six” means watch your back.
Always be aware of your surroundings—including people and objects outside your field of view. There may be people behind or above you. Look for them. An attacker might follow you past a door you’ve unlocked. Or observe over your shoulder as you type your password or PIN.
Even better, never work with sensitive information on your laptop in a public setting. If you must do so, sit like a lawman in a classic western: with your back to the wall.
False friends, public posts
Be aware of false friends online and in person. A lot of information about you might be available online: where you went to school, where you worked, your hobbies, your interests, family members, and networks of friends. Even places you frequent might be online, if you “check-in” at locations you visit.
All of that information can be used to establish false familiarity. “Oh, I went there too, did you happen to know Sue?” Such a phrase can reduce your reluctance to talk to a stranger. You’re simply reminiscing with a friend, right? Maybe not. Be careful not to disclose sensitive information in such a setting.
A solid security system may make it more difficult for a social engineering attack to succeed, and a backup system can help recover your data if it is lost or destroyed as a result of a social engineering attack. But you’ll need an alert, attentive, and security-aware person to identify and stop a social engineering attack in progress.