We’ve all heard of viruses that infect our computers after we go to a website or download a file we shouldn’t. We might not be as aware of social engineering: security compromises that come from manipulating a person rather than exploiting a machine. There are five main ways this can happen.
A hacker creates a scenario where you feel comfortable confiding personal information. Imagine you receive a call from what you think is your bank asking you for your login information. Sure, why not? They are your bank, after all.
WRONG. These calls can sound very legitimate, but your bank should have policies in place that bar their employees from asking you for your login information out of the blue. If you receive a call like this, or one about a similar situation, verify who you are actually talking to before handing over any sensitive information.
While pretexting relies on a sense of trust to gain information, phishing uses fear. Maybe you get an email, supposedly from your bank, claiming someone tried to access your account. To secure your account, the bank needs to verify your identity. The email will urge you to act quickly, hoping panic will cause you to divulge personal information or click on an unsafe link.
If you have reason to believe the email is from a legitimate business, get their phone number from a verifiable source – their website or a monthly statement or bill – and call. Keep in mind that only links starting with “https” use an encrypted connection, so never enter information on a page that doesn’t; and an “https” address by itself doesn’t prove the site belongs to who it claims to.
Like a worm on a hook, the hacker dangles something enticing and hopes you’ll bite. Maybe it’s an offer for a free music download or advance access to a new piece of software. Looks interesting. You click. You’re infected with malware.
Quid pro quo is similar, except the hacker offers compensation in exchange for information. Maybe she says she needs a certain number of passwords for a software trial. She offers a reduced price on the software in exchange for your help.
Assume two things: something that sounds too good to be true is, and someone with good intentions is not going to ask for your password.
You get an email or pop-up claiming your computer has a virus. You click on the link advertising a quick fix and try to go back to work. Except your computer didn’t actually have a virus. The link you clicked was a virus, and now your computer really is infected.
You should have an antivirus program installed on your computer. If you get an email or pop-up claiming you’ve been infected, open what you know is your real antivirus program and run a scan, or call an IT professional to take a look.
Piggy-backing or Tail-gating
At companies that don’t require IDs or key cards to get past the lobby, a hacker may pretend to be visiting an employee or dropping off a package. In an attempt to blend in, he’ll chat with employees or even set up camp at an empty desk. Sometimes we’re too embarrassed to admit we don’t remember someone who seems to know us, but in this case being overly polite could compromise security.
If you don’t recognize someone in your office, ask management about them. If that’s not possible immediately, do your best to keep an eye on the person and ask friendly questions. Whether you’re aware of a suspicious presence or not, make sure sensitive materials are secure and your computer is locked whenever you are away from your desk. Do you keep your password written on a Post-It note under your keyboard or in your desk drawer?
If you’re overwhelmed, it helps to remember there are a lot of common threads in protecting yourself and your company:
- Slow down, pay attention to small details, think things through
- Verify what people say, especially if they try to rush you
- Doubt the quick fixes and free offers
- Did I mention never give out your password?
If you have any questions about protecting your organization from threats like this, you can send us an email or give us a call at 502-240-0404!