
Social Engineering

[Image: a BYU employee holds the door open for a suspicious man carrying boxes]

Many information security threats arise from technical flaws like an unsecured website or a weak password. Some criminals, however, rely on a much more widespread weakness: human psychology. Using simple methods, they play to our impulses and best intentions to gain access to even the most secure buildings, systems, and information. These methods are collectively called social engineering.

How It Works

With a phone call

Scams like the classic "We're calling you from the IRS" shtick are well-known and easily ignored. In more recent cases, however, scammers target a specific person (a low-level employee, for example) using a phone number they found online. In an unprompted phone call, they pretend to be a trusted authority or a fellow employee and talk their way into information that was supposed to be secure. This phone-based variant is often called vishing (voice phishing).

With an email or website

A criminal crafts an email or a website that looks just like one from a legitimate organization such as a bank or a subscription service. The goal is to get you to click a link that downloads something malicious, or to enter your personal information or login credentials on the fake page, where the criminal collects them. This is called phishing, and you can learn all about it here (rest assured, it is safe to click on links in this website).

With a text

What can be done with an email or website can also be done with a simple SMS text (sometimes called smishing). A typical example reads, "Follow this link to confirm your [organization] account," followed by a hyperlink. When a text like this arrives unprompted, it's probably a scam. Don't tap the link; if you think the request might be real, open the organization's app or type its address yourself.

In person

Even today, criminals can get into secure locations simply by playing dress-up. Imagine you're walking through the door into the building where you work, and a person in a professional-looking uniform carrying a stack of boxes comes up behind you. What do you do? You hold the door, of course, like any decent person. And now a stranger has slipped into your organization virtually unnoticed. This is called tailgating, and it works because the attacker relies on your courtesy rather than on a stolen badge.

How to Avoid It

  1. Almost every case of social engineering involves impersonation. If you are contacted in an irregular way by someone you can't personally identify on the spot (as in, face-to-face), verify their identity through a channel you already trust: call back on a number from the official directory or website, not one the caller gave you, or walk over to the person's desk. Be curious and cautious.
  2. In the workplace, carefully follow all security protocols. Be familiar with your organization's policies about sharing data and contact information. If you ever have questions or concerns, notify your manager before moving forward.
  3. Be suspicious of unprompted emails, texts, or phone calls. Hover over links to see where they really go before clicking (press and hold on a phone), and read the destination's domain, not just the words of the link. If in doubt, type in the URL yourself. Don't share personal information over the phone, and don't trust caller ID on its own: scammers can easily spoof it.
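The "hover over the link" advice above, and the phishing email and text examples earlier on this page, come down to one check: does the link really go where it claims to? The following Python script is an added example written for this page (it is not code from the original page or from BYU) that performs that check in code over a few constructed sample messages. The list of trusted sites, the sample email and SMS, and the crude "last two labels" approximation of a registrable domain are all assumptions made for the demo; production code should use the Public Suffix List instead.

```python
"""Phishing-link checker: does in code what "hover over the link" does by eye.

Added example for this page; the trusted-site list, the sample messages and
the domain approximation are constructed assumptions, not real data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sites the recipient actually has an account with (assumed for the demo).
TRUSTED_HOSTS = {"byu.edu", "duo.com"}


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_html_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_text_links(text):
    """Plain-text messages (SMS) carry bare URLs, so visible text == href."""
    return [(url, url) for url in URL_RE.findall(text)]


def registrable_domain(host):
    """Crude approximation: the last two labels of the hostname.
    Good enough for this demo; real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href, visible_text):
    """Return the red flags for one link (an empty list means none were found)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return [f"unexpected scheme {parsed.scheme!r}"]
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("destination is a bare IP address")
    if "xn--" in host:
        reasons.append("punycode (internationalized look-alike) hostname")
    if "@" in parsed.netloc:
        reasons.append("userinfo before the host hides the real destination")
    dest = registrable_domain(host)
    # A trusted name appearing in the hostname without owning it,
    # e.g. byu.edu.account-verify.net or byu-edu-login.com
    for trusted in TRUSTED_HOSTS:
        if (trusted in host or trusted.replace(".", "-") in host) and dest != trusted:
            reasons.append(f"hostname mentions {trusted} but really belongs to {dest}")
    # Link text that shows one site while the href goes to another.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", visible_text.lower())
    if shown and registrable_domain(shown.group(1)) != dest:
        reasons.append(f"link text shows {shown.group(1)} but goes to {host}")
    return reasons


def scan_message(body, is_html):
    """Map every link in a message to its list of red flags."""
    links = extract_html_links(body) if is_html else extract_text_links(body)
    return {href: assess_link(href, text) for href, text in links}


# Constructed sample messages (not real phishing lures).
SAMPLE_EMAIL_HTML = (
    "<p>Your BYU account will be suspended.</p>"
    '<a href="https://byu.edu.account-verify.net/login">https://byu.edu/login</a>'
)
SAMPLE_SMS = "Follow this link to confirm your BYU account: https://byu-edu-login.com/c"
SAMPLE_LEGIT_HTML = '<a href="https://byu.edu/security">Read the security tips</a>'

if __name__ == "__main__":
    for body, is_html in ((SAMPLE_EMAIL_HTML, True), (SAMPLE_SMS, False), (SAMPLE_LEGIT_HTML, True)):
        for href, flags in scan_message(body, is_html).items():
            print(href, "->", flags or "no red flags")
```

The two things the script looks at are exactly what you should read when you hover: the host the link actually points to, and whether the words of the link (or a trusted name buried in the hostname) tell a different story from that host. Anything that earns a red flag is a reason to type the address yourself instead.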
