Most information security threats arise from technical flaws like an unsecured website or a weak password. However, some criminals rely on a much more widespread weakness—human psychology. Using simple methods, they play to our impulses and best intentions to gain access to even the most secure buildings, systems, and information. These methods are collectively called social engineering.
How It Works
With a phone call
Scams like the classic "We're calling you from the IRS" shtick are well-known and easily ignored. In more recent cases, however, scammers specifically target, for example, low-level employees using a phone number obtained online. In an unprompted phone call, they pretend to be a trusted authority or a fellow employee and wheedle their way to information that was supposed to be secure.
With an email or website
A criminal crafts an email or a website that looks just like one from a legitimate organization like a bank or a subscription service. They want you to click on a link and download something malicious or input your personal information or login credentials. This is called phishing and you can learn all about it here (rest assured―it's safe to click on links in this website).
With a text
What can be done with an email or website can also be done with a simple SMS text. A typical example reads, "Follow this link to confirm your [organization] account," followed by a hyperlink. When a text like this arrives unprompted, it's probably a scam.
In person
Even in this modern day and age, criminals can get access to secure locations simply by playing dress-up. Imagine you're walking through the door into the building where you work, and a person in a professional uniform carrying a stack of boxes comes up behind you. What do you do? You hold the door, of course, like any decent person. And now a stranger has slipped into your organization virtually unnoticed.
How to Avoid It
- With almost all cases of social engineering there's an element of impersonation. If you are ever contacted in an irregular way by someone who you can't personally identify on the spot (as in, face-to-face), try to verify their identity. Be curious and cautious.
- In the workplace, carefully follow all security protocols. Be familiar with your organization's policies about sharing data and contact information. If you ever have questions or concerns, notify your manager before moving forward.
- Be suspicious of unprompted emails, texts, or phone calls. Hover over links to see where they go before clicking (press and hold on a phone). If in doubt, type in the URL yourself. Don't share personal information over the phone, and be cautious with caller ID―scammers can often spoof it.
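The "hover over links to see where they go" check from the list above, done programmatically as an added example (not code from the original article): it takes anchor-like objects with the visible text and the real href, and flags links whose text names one domain while the href leads to another. The function names (`hostFromText`, `registrableDomain`, `findDeceptiveLinks`), the sample domains and the `SAMPLE_LINKS` input are all constructed for this illustration.

```javascript
// Pull a hostname out of visible link text such as "www.example-bank.com/login"
// or "https://example-bank.com". Returns null when the text is not URL-like.
function hostFromText(text) {
  const m = text.trim().match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)/i);
  return m ? m[1].toLowerCase() : null;
}

// Reduce "login.example-bank.com" to "example-bank.com" (a simplification:
// it ignores multi-part public suffixes such as .co.uk).
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Returns the links that deserve suspicion, each with a reason string.
// In a browser the input would come from document.querySelectorAll('a').
function findDeceptiveLinks(links) {
  const findings = [];
  for (const { text, href } of links) {
    let url;
    try {
      url = new URL(href);
    } catch {
      findings.push({ text, href, reason: 'href is not a valid URL' });
      continue;
    }
    if (!['http:', 'https:'].includes(url.protocol)) {
      findings.push({ text, href, reason: `unexpected scheme ${url.protocol}` });
      continue;
    }
    const shown = hostFromText(text);
    if (shown && registrableDomain(shown) !== registrableDomain(url.hostname)) {
      findings.push({
        text, href,
        reason: `text shows ${shown} but link goes to ${url.hostname}`,
      });
    }
    // A link whose text is plain words ("Confirm your account") cannot be
    // judged this way; the only check is reading the href yourself.
  }
  return findings;
}

// Constructed sample links (hypothetical domains) in the shape the article describes.
const SAMPLE_LINKS = [
  { text: 'https://www.example-bank.com', href: 'https://www.example-bank.com/login' },
  { text: 'www.example-bank.com/login', href: 'https://example-bank.com.evil.example/login' },
  { text: 'Confirm your account', href: 'https://example-bank.com.evil.example/confirm' },
];
```

Only the second sample is flagged: its text shows the bank's domain, but the href lands on `evil.example`.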