Social Engineering

Slide 1

This security awareness module covers social engineering, which is a technique used to trick people into performing dangerous actions after a two-way conversation has been established.

Today you will learn how to identify social engineering, including some examples of common attacks, and why social engineering puts you at risk. You will also learn how to defend against social engineering attacks before, while, and after they are in progress.

Slide 2

Social engineering requires someone to contact you, gain your trust, and then trick you into performing a specific request.

Social Engineering frequently occurs over the phone, through text messages, or through an online chat session. Let’s listen to an example to understand how social engineering can occur over the phone.

Slide 3

(Phone Ringing) Hello? Hi, I work with National Supplies. Our accounts receivable system has just gone down, and it might be down for a week. I need you to sign on to purchasing and switch the next payment from P.O. to a paper check. Can you do that for me? Oh OK sure, I can take care of that. Where should we send the check? Did you hear the social engineering in this conversation? In this case, the target was convinced to send money to an address provided by a complete stranger. Could you be the victim of a similar attack? Pay attention as we look at a second example of how social engineering could occur in a text or chat session.

Slide 4

Did you see the social engineering in this conversation?
In this case, the target was convinced to click on a dangerous link provided someone who shouldn’t have been trusted. Would you have fallen victim to an attack like this? Hopefully not, but social engineering attacks like this succeed more often than we’d like to believe.

You’ve just received this text, and you don’t remember meeting the sender. How would you proceed safely? Select all actions that are safe, then click Submit.

That’s right!

You could ask the host of the party if they recognize the number or ignore the person’s messages. It would not be safe to view the picture or call the person back on the number provided.

Click anywhere to continue.

Sorry, but that’s incorrect.

Click anywhere to try again.

You must answer the question before continuing.

Slide 5

Now that you’ve seen a few examples of what social engineering can look like, let’s discuss how you can identify social engineering attacks. There are usually three indicators of a social engineering attack. They are:

● A request from a stranger to perform a suspicious activity

● A sense of urgency and pressure to complete the request immediately

● Anger or hesitancy if you ask for proof of identity

Slide 6

A second indicator of social engineering is a sense of urgency. An attacker wants you to act now, before you have a chance to think or verify. In these situations, it is important to resist the urge to act immediately, regardless of any pressure you may feel.

A third indicator of social engineering occurs when the other person is hesitant to prove they are who they say they are. If you’re talking to someone you don’t know and they are defensive or hesitant when you ask for their credentials, they could be an attacker.

Fortunately, there are often multiple opportunities to stop a social engineering attack before it does any real harm. Three of the most effective defenses are to: Challenge the requester’s identity, Verify the suspicious request with your supervisor And Slow down or pause the interaction.

Is this a social engineering attack? Select Yes or No.

That’s right!

This is not a social engineering attack. You aren’t being asked to divulge information that could damage the company, and you know the person making the request. While there is a sense of urgency, the supervisor isn’t pressuring you to act before you have a chance to think.

That’s incorrect.

This is not a social engineering attack. You aren’t being asked to divulge information that could damage the company, and you know the person making the request. While there is a sense of urgency, the supervisor isn’t pressuring you to act before you have a chance to think.

Slide 7

If a stranger makes a suspicious request, you must challenge their identity. Ask the person for proof of who they are and where the request is coming from. This might include an account number, names and contact information for supervisors, or other private information. The exact challenge you need to provide may already be specified by company policy. If the stranger cannot prove who they are, escalate the request to your supervisor.

All suspicious requests should also be verified with a trusted authority, such as your supervisor, before proceeding. You should be especially suspicious of requests to make financial or access control changes, or to post documents or files to the Internet.

You have now completed your Social Engineering training. Please review the following takeaways and then click Continue to end the module.