You're a nice person. I have faith in that. So do the people that I'm telling you about.
Have you ever answered the phone to someone that doesn't know quite
who they want to talk to? They know the role and they offer a smattering
of names and you helpfully correct them?
"Your IT Manager? It's Steve, no, John? We met at a trade show and I'm
just trying to catch up with him over something we discussed about some
You, being a nice person, provide the name, the mobile phone number,
the e-mail address. Because you're being helpful. Then that person takes
that information and crafts a cunning spear phishing e-mail. They send
it around your company and it suddenly appears to come from your IT manager. It's got
their name, it's from their e-mail address and it asks them to do
something terribly reasonable, considering the source it seems to come from.
It lets the criminals in where a normal, vague message with no suitable identifying characteristics wouldn't fool anyone.
Countering Social Engineering
It's a terrible thing to have to say, but in the modern world to
truly protect yourself you have to start to trust less and question
more. While Social Engineering is a very insidious threat, there are
some basic steps you can take to defend yourself and others.
- Avoid sharing too much sensitive information on public websites.
Don't post anything you'd ever use as a security question. Don't post
your full date of birth anywhere. Avoid linking yourself to other people
or events that can build a complete picture of your life in one place.
- Never trust phone calls you receive. If your bank, the police, your
phone company etc. calls, tell them nothing of any sensitivity. They
never need to ask for your passwords for anything. To be extra safe, take
their name, hang up and call them back on a number you locate yourself
for the organisation; never use a number they provide. If you do that
from a landline, make sure you hear a dial tone before dialling, in case
they keep the line open and you end up on the same call without
- Never give out your own or someone else's personal details without
knowing exactly who is asking and why. It is never unacceptable to say
"Let me have your details and I'll pass you on to the person in
question." If they don't know the name of the person they want, don't
offer it. If they were supposed to be talking to them, they'd know.
- Implement two-factor authentication for everything you can in your
life. There are many free solutions to achieve this in most cases, and
it means that someone has to steal a physical item as well as just
information before they can get into your accounts.
- Realise that you have a part to play in your own security and that
of others. Be mindful, never let anyone rush you in any conversation
about anything sensitive. If you feel you are being asked anything too
personal, politely and firmly refuse. Criminals like easy targets. When
you defend yourself they will look for easier targets.
- Use common sense, but don't be afraid to bounce your worries off
someone else. If a caller pushes and you are concerned, put them on
hold and run through the conversation with a colleague; you may find
that even saying it out loud gives you your answer. Most people without
legitimate cause will hang up if they think you are growing suspicious
and put them on hold. That is a good sign you were right.
- Never select passwords that have anything to do with your personal
life at all. Make them random, or better still use a password manager
that automatically generates new passwords; with a decent, well-integrated
manager you don't even need to know the password yourself, so you can
never accidentally give it up.