Social Engineering
Social engineering is a fraudulent technique in which an attacker manipulates people into divulging confidential information, granting access to systems, or performing actions that compromise security. The same psychological techniques are used in telephone scams and in computer-based cybercrime. As Influence describes, scammers are highly skilled and cunning at capitalizing on deeply ingrained motivations.
Signs of Social Engineering
- Requests for sensitive information via email, phone, or social media
- Urgency or fear tactics to prompt immediate action
- Unsolicited messages with suspicious links or attachments
- Attempts by strangers to establish trust or familiarity to gain access
- Inconsistencies in communication or requests
Prevention Tips
- Verify requests for sensitive information through an alternate channel (for example, call back on a number you already know).
- Avoid clicking on links or downloading attachments from unknown sources.
- Take security awareness training to understand new attack methods.
- Use strong, unique passwords and enable multi-factor authentication. See Cybercrime Prevention.
- Keep software and security patches up to date.
Recovering from Social Engineering Attacks
If you suspect you've fallen victim to a social engineering attack, take immediate action:
- Report the incident to local law enforcement, your security team, or your IT department. See How to Report Fraud.
- Change compromised passwords and revoke access as necessary.
- Inform relevant parties, such as any financial institution the attacker pretended to represent.
- Conduct a security review to identify vulnerabilities and implement additional safeguards.