Social Engineering is Amazing- Until You Become a Victim

1. In 2011, attackers emailed employees of EMC, parent corporation of RSA, an excel spreadsheet entitled “2011 Recruitment Plan,” which was opened by 4 employees, deploying a zero-day Flash exploit and installing backdoors in the employee work machines.
2. A “red teamer” tasked with testing corporation corporate security said in an “AMA” interview on Reddit.com that he often employs the tactic of sending company employees an email with a link confirming their subscription to an adult pornography website. Within this email is an “unsubscribe” link and he says, “You have never seen someone in an office click the unsubscribe links that fast.”
3. In 2015 the accounting department of a large company received an emailed list of balance transfer instructions (supposedly) from the company’s Hong Kong subsidiary. $47 million was transferred to the hackers before the company caught on.
4. A recent social engineering campaign on several of the largest social media platforms involved attackers using stolen credentials to message a link entitled “Did you see this video of you?” to people on the friends list. As the message looked like it was coming from a friend, countless people were redirected to a fake site and asked to enter their passwords and information – and many did.
5. The “red team” founder of a prominent USA security consultancy says his most effective scam is calling a target and saying "I've been informed that you've been infected with this worm.” After he walks them through several screens, they will see things like registry lines and start to get nervous about how technically complex the issue will be. Eventually he suggests, “Look, why don't I fix this for you? Give me your password and I will deal with it and call you back when I am done.”
6. Not all social engineering is done behind a screen! A widespread tactic used by social engineers and hackers looking for hands-on access to a corporations network is to bring cookies, donuts or pizza to an office – dropping it off and continuing about their day – with free reign of the office computers. They also love to “tailgate” or wait in smoking areas and follow employees inside after smoke breaks.
7. Countless hackers and red teamers alike leave USB sticks laying around in parking structures and outside buildings hoping an unsuspecting person will pick it up and check it out on their computer.

1. Be suspicious of tech support calls. How many times has tech support proactively identified a problem and approached you? It’s never happened to me!
2. “Act Now” and “Urgent” requests should be scrutinized carefully. Personally, if I’m in a panic to get something from a co-worker, the last thing I’m going to type is “Urgent.” I’d go for a more “Hey! Sorry to bother you but I need blah blah blah…” or “I need this before blah blah blah time for this specific project.”
3. Look…if you see a “forgotten” USB stick laying around somewhere – the chances are you don’t need to see what is on it. You want to try to return it to the owner? Leave it in lost and found.
4. Phone calls or SMS requests for password and personal information is unusual. A company (insurance, bank, etc.) who is calling YOU should have access to this information – and again, how many times has a bank called to proactively deal with an issue with your account? Customer service just isn’t that good anymore.
5. Look at the URL, spelling, grammar and read emails (even from friends) for contextual clues before clicking a link.
6. It’s nice to let in employees who have forgotten their key-cards. I do it every chance I get…but use your best judgement.