1. Identifying Social Engineering Attacks
What is Social Engineering?
- Social engineering is a tactic used by attackers to manipulate people into giving away sensitive information or access to systems.
- Instead of directly hacking systems, attackers exploit human psychology through deception.
Common Tactics in Social Engineering
- Impersonation:
  - The attacker pretends to be someone you trust, like a coworker, manager, or IT technician.
  - Example: “This is IT. We need your password to update your account.”
- Urgent Requests:
  - The attacker creates a sense of urgency to pressure you into acting quickly without thinking.
  - Example: “Your account will be locked in 10 minutes unless you reset your password using this link.”
- Pretexting:
  - The attacker fabricates a scenario to gain your trust or make their request seem legitimate.
  - Example: “We’re conducting a company survey. Can you confirm your login credentials for access?”
- Phishing:
  - The attacker sends fake emails, texts, or messages to trick you into clicking malicious links or sharing personal data.
  - Example: “Your package couldn’t be delivered. Click here to reschedule.”
- Baiting:
  - The attacker entices you with free items or offers to get you to reveal information or install malicious software.
  - Example: “Download this free software to speed up your computer.”
- Tailgating and Piggybacking (Physical Security):
  - Someone follows you into a restricted area by pretending to have lost their badge or acting like they belong.
2. Verifying Requests Before Sharing Sensitive Information
Step-by-Step Instructions for Verifying Requests
For Windows and Mac Users
- Pause and Think:
  - Do not act immediately, even if the request seems urgent.
  - Social engineering relies on pressuring you into quick decisions.
- Verify the Identity of the Requester:
  - If the request comes via email:
    - Check the sender’s email address carefully for typos or unusual domains.
    - Example: “support@company.com” is legitimate, but “support@companny-secure.com” is not.
  - If the request comes via phone:
    - Politely hang up and call the person or organization back using a verified number from their official website.
- Ask Questions:
  - Genuine individuals won’t hesitate to answer verification questions.
  - Ask for specific details only the real person would know.
  - Example: “Can you confirm my manager’s name or the IT ticket number for this issue?”
- Verify Links:
  - Hover over any links in emails or messages to see the URL without clicking.
  - Ensure the link matches the organization’s official website.
  - Example: “www.bank.com” is legitimate, but “www.bank-secure-login.com” is not.
- Use Official Channels:
  - Always verify sensitive requests by contacting the organization directly through their official website or phone number.
  - Example: If IT asks for credentials, reach out to the IT department through the company directory or help desk system.
- Trust Your Instincts:
  - If something feels suspicious, it probably is.
  - Report the incident to your IT or security team immediately.
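The two checks in the steps above that can be automated are the sender-domain check and the link check. The script below is an added example, not part of this guide: it takes a From: header and a message body, classifies the sender's domain as trusted, lookalike, or unknown, and lists every link whose host is not the organization's own. The TRUSTED_DOMAINS allowlist and the two sample messages are constructed for the example (they reuse the guide's own "companny-secure.com" and "bank-secure-login.com" addresses); a real deployment would load the organization's actual domains.

```python
import re
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist: the domains the organization actually uses (assumption for this example).
TRUSTED_DOMAINS = {"company.com", "bank.com"}

# Matches http(s) URLs inside a plain-text message body.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter typosquats such as 'companny' vs 'company'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host: str) -> bool:
    """True for a trusted domain or a subdomain of one (www.bank.com), never for a prefix match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def imitated_domain(host: str) -> Optional[str]:
    """Return the trusted domain an untrusted host appears to imitate, or None.

    The registrable label ('bank-secure-login' in www.bank-secure-login.com) is split on
    hyphens; a token equal to, or within one edit of, a trusted domain's name marks a lookalike.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    registrable = labels[-2]
    for d in TRUSTED_DOMAINS:
        name = d.split(".")[0]
        for token in registrable.split("-"):
            if edit_distance(token, name) <= 1:
                return d
    return None


def check_sender(from_header: str) -> dict:
    """Classify the domain in a From: header as trusted, lookalike, unknown, or malformed."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return {"domain": domain, "verdict": "malformed"}
    if is_trusted(domain):
        return {"domain": domain, "verdict": "trusted"}
    imitated = imitated_domain(domain)
    if imitated:
        return {"domain": domain, "verdict": "lookalike", "imitates": imitated}
    return {"domain": domain, "verdict": "unknown"}


def check_links(body: str) -> list:
    """Find every URL in the body and report those whose host is not a trusted domain."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if is_trusted(host):
            continue
        findings.append({"url": url, "host": host, "imitates": imitated_domain(host)})
    return findings


def triage(from_header: str, body: str) -> str:
    """'safe' only when the sender is trusted and every link points at a trusted host."""
    if check_sender(from_header)["verdict"] == "trusted" and not check_links(body):
        return "safe"
    return "suspicious"


# Constructed sample messages mirroring the examples in the guide.
PHISH_FROM = "IT Support <support@companny-secure.com>"
PHISH_BODY = ("Your account will be locked in 10 minutes unless you reset your password "
              "at https://www.bank-secure-login.com/reset?u=me")
LEGIT_FROM = "IT Support <support@company.com>"
LEGIT_BODY = "Ticket update: see https://www.bank.com/help for details."

if __name__ == "__main__":
    for label, frm, body in (("phish", PHISH_FROM, PHISH_BODY), ("legit", LEGIT_FROM, LEGIT_BODY)):
        print(label, triage(frm, body), check_sender(frm), check_links(body))
```

The edit-distance threshold of one is a tuning knob: it catches the single-letter typosquat in the guide's example but will also flag an unrelated four-letter word that happens to be one edit from "bank", so in practice the allowlist and threshold are reviewed together. The script only checks what a reader can see in a plain-text message; it does not replace the "call back on a verified number" step for phone requests.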
Common Scenarios and What to Do
- Scenario 1: An Email Asks for Your Password
  - What to Do:
    - Do not reply or click any links.
    - Contact IT and forward the email for verification.
- Scenario 2: A Phone Call Claims to Be from IT
  - What to Do:
    - Politely ask for the caller’s name and department, then say you’ll call back.
    - Use the official IT help desk number to verify their identity.
- Scenario 3: A Stranger Asks to Borrow Your Badge to Enter a Restricted Area
  - What to Do:
    - Politely refuse and report the incident to security.
Best Practices to Avoid Falling Victim
- Do Not Share Personal or Work Information:
  - Never give out passwords, security codes, or account details, even to people claiming to be from your organization.
- Be Wary of Urgent Language:
  - Legitimate organizations will not pressure you into immediate action.
- Use Multi-Factor Authentication (MFA):
  - Even if someone obtains your password, MFA prevents unauthorized access.
- Report Suspicious Activity:
  - Notify your IT or security team if you suspect a phishing or social engineering attempt.