InfoSec Blog - Why Social Engineering Works and How to Protect Yourself
April 2, 2019
Human beings are amazing! We have infinite capacities for caring, creating, learning, and sharing. But we are not perfect. Every one of us has fallen victim to some type of scam or fraud in the past, and our inboxes are targeted almost daily with credential phishing messages or offers that are too good to be true. Our humanity is the reason that these scams work. It's called social engineering, and the people who are very good at it will try to use your emotions against you.
What is Social Engineering?
The most simplified definition of social engineering is the art of manipulating people so they give up confidential information.
How Can My Emotions Work Against Me?
A skilled social engineer will exploit your reactions and your emotional responses to get what they want. Here are some examples of what emotions they may try to use against you:
- Curiosity - "who visited your social media profile" scams and offers of exclusive events or content
- Fear - threats of blackmail, tax scams, cold call scams, fake software updates, and fear of missing out (FOMO)
- Desire and Greed - romance fraud, catfishing, money/lottery related scams
- Empathy/Sympathy - disaster relief fraud, medical fraud, "lost in another country and need money" scams
- Doubt - payment based scams, iTunes scams
- Ignorance/Naivete - gift card scams, cryptocurrency scams
- Carelessness/Inattentiveness/Complacency - dumpster diving, typo-squatting and tailgating/piggybacking
The good news is that awareness of social engineering is the first step to protecting yourself from it. Below are several tips that you can use to stay safe:
- Learn how to spot phishing messages and job fraud messages
- When you receive a suspicious message, verify it via another means of communication (e.g. CCS Help Centre, official website, phone call, etc.)
- When you receive an urgent request, think it through instead of immediately responding
- Refrain from answering calls not in your contact list and numbers you don’t recognize
- Treat every unsolicited call as a scam and ask tough questions
- Avoid giving out personal or sensitive information to unknown parties
- If something doesn’t feel right on a phone call, hang up, and look for information online about the nature of the call. The Canadian Anti-Fraud Centre is an excellent resource.
- Never give out information like names, department names, and other information known only within your organization or department, and avoid talking openly about that information in public places.
- Always check for identification to identify unknown people in secure areas and verify their purpose for being there
- Refrain from filling in surveys or playing games that require you to log in using a social media account
- Practice safe browsing habits. Keep your browser patched, don't click on pop-ups, use a pop-up blocker, avoid clicking on unknown links, and only visit known and trustworthy sites.
If you are interested in reading more about social engineering, here are a couple of interesting recent articles on the subject.
- Social engineering attacks: What makes you susceptible? - https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2018/08/social-engineering-attacks-what-makes-you-susceptible/
- Manipulation tactics that you fall for in phishing attacks - https://www.helpnetsecurity.com/2018/09/20/manipulation-tactics-phishing-attacks/
Written by: Stephen Willem (Chief Information Security Officer)