
Don't Be Manipulated by Social Engineering

October 24, 2019


Illustration of a man using a laptop computer. "Play hard to get with strangers. Don't get hooked! If you're unsure who an email or message is from, delete it."


Last week, we reviewed 7 tools that you can use to secure your technology. But technology tools can only go so far. 

For our last week of National Cybersecurity Awareness Month, we focus on your security-mindedness, specifically how to protect yourself against social engineering attacks.

Social Engineering is the act of manipulating people into performing actions or divulging confidential information.

This video demonstrates the power of this kind of psychological trickery:


In this video, several of the people being tricked look confused: Why is this strange man walking around with a ladder? Who is he? Should he even be here? But none of them do anything. With social engineering, it's not enough to simply be suspicious or alert; you have to act.


Below, we've put together a list of social engineering indicators for websites, email, and phone calls. These cues should make you suspicious enough to act with caution.


What To Watch Out For

  • Requests that are unfamiliar to you
    • A colleague asks you to do something that normally isn't a part of your job, like wiring a money transfer to a bank.
    • An email from your boss, using a non-51蹤獲 email address, asking you to purchase an iTunes gift card and send them the redeem code.
    • An email from a mail carrier informing you of a package you aren't expecting.
  • Offers that are too good to be true
    • A website promising a quick way to get rich.
    • An easy path to improved health.
  • Messages that create a strong sense of urgency
    • A panicky email that urges you to change your password right away, and links to a password reset website.
  • The language or tone is inconsistent with the supposed caller or service
    • You receive a voicemail from the IRS or Social Security with a robotic voice and poor grammar.
    • An email from your healthcare provider without the normal logo and signature.
    • A banking website that doesn't have HTTPS in the URL.
    • A 51蹤獲 login page that doesn't use the correct branding, and has an odd layout.
  • Generic greetings or language such as "dear customer"
    • Email sender asks you to download and open an unexpected and vaguely named attachment.
    • A message claims to be from "IT" with no specific author listed.
  • Messages that try to invoke curiosity or fear
    • Email sender threatens to release embarrassing footage of you if you don't pay.
    • An ad that uses clickbait to redirect you to a malicious article or site.
    • A website that pops up a warning that your computer has a virus, and you need to download their tool to fix it.

What To Do

Think before you click. Social engineers want you to act without thinking.

  • Take time to scrutinize any communication that isn't immediately and obviously trustworthy.
  • Hover over links and check the URL. Does it look legitimate?
  • Check the sender's email address. Have you received a message from that email account before? Is it coming from a 51蹤獲 account?

Verify credibility. If something is unfamiliar or seems too good to be true, take the time to verify what's going on. For example:

  • Call your colleague or boss to verify their request.
  • If you get an email from an organization that seems phishy, visit their website directly (rather than clicking on a link) or call them back at a known number.
  • Ask strangers for ID, especially if they're attempting to enter a secure area.
  • If someone you've never seen before walks into your office with an official-looking uniform or tools, verify with a department administrator that they have work scheduled in your area.
  • When in doubt, call the IT Helpdesk.

Social engineering tries to get you to act without thinking. Instead, be security-minded. Pause and think before you act. Verify legitimacy before you trust. Protect yourself.