If you have not already heard the term, take a moment to learn it now: “Social Engineering” has nothing to do with designing a better society. It is the deliberate manipulation, by malicious people, of the natural desire most of us have to be helpful, with the goal of tricking you into revealing confidential information. Why should you be aware of this? Simple: if you don’t know it is happening, you are likely to become a victim.
Say you receive a phone call from an unfamiliar number. The caller says they are a HelpDesk technician from — pick one: Microsoft, Your Internet Service Provider, Your Cell Phone Provider, the IRS, Your Bank, Amazon, Your Town Water Department, or the Electric Company.
They ask you for your full name, address, and zip code “to verify your identity.” Then, before proceeding (or a little later), they ask for your credit card number and the security code printed on the back, “to verify it matches the one they have on file.” Right.
All along, they keep up a pleasant chatter: how’s the weather; if they hear a dog or cat, they ask its name; how are the kids doing in school; how about the __ sports team in your town? The friendly approach can completely (and literally) disarm you into thinking you are talking with a friend, not some random stranger. It is easy to be lulled into a friendly and helpful attitude, because by then they have already won your trust. A person who loves poodles can’t be bad, can they?
If the caller claims to be working for your employer (it is not hard to find out who you work for), they may ask for your user account and password, “to make sure everything is working fine.” They’re actually HELPing you, see?
If you did not place the call yourself, to a number you know to be correct, then this caller is a complete stranger, and you must not tell them anything. The number shown on your caller ID proves nothing either: caller ID can be faked, so a call that appears to come from your bank’s number is not evidence that it does.
Now, replace “phone call” with “email”: emails that appear to come from legitimate sources (your credit card company), from a friend, or even from a family member. Forged emails are trivial to create, and clever forgers produce emails that look really, really legit. Keep in mind that the friendly name your mail program shows (“Your Bank Security Team”) and the actual address behind it are two different things, and only the second one tells you where the message really came from.
There are many things to watch out for, but the single most important red flag is this: you are told the matter is urgent, that it concerns your money or your security, and that you must ACT NOW. Putting the scare in you is a key part of the social engineering toolkit. The best action is to ask for a “case number,” “incident number,” or “reference number,” and hang up. Then call the phone number you know to be legitimate (the one printed on the back of your credit card, the one on your bank statement, or the one on the Internal Revenue Service website) and ask what is going on.
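To make the two email red flags above concrete, here is a small Python script, added to this post and not part of the original, that checks a message for them: a display name that claims one organisation while the actual address belongs to another domain, a Reply-To that points somewhere else, and urgent money-or-security language. The sample messages are constructed for illustration, the domains are made up, and the list of “brands you trust and the domain you know is theirs” is an assumption you would fill in yourself from the back of your card or your statement. It is a heuristic, not proof of fraud, and it will not catch a forger who controls a domain you have not listed.

```python
"""Heuristic checks for the email red flags discussed above.

Added example (not code from the original post). The two sample messages
below are constructed, and every domain in them is fictitious.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed phishing sample: the display name says "Your Bank", but the
# address behind it is on a look-alike domain, and Reply-To goes elsewhere.
PHISH_RAW = """\
From: "Your Bank Security Team" <alerts@yourbank-secure-login.example>
Reply-To: "Your Bank Security Team" <verify@mail-handler.example>
To: customer@example.com
Subject: URGENT: your account will be suspended in 24 hours

Dear customer,

We detected unusual activity. You must verify your card number and the
security code on the back immediately or your account will be locked.
Click here now: http://yourbank-secure-login.example/verify
"""

# Constructed legitimate sample: same brand, address on the domain you know.
LEGIT_RAW = """\
From: "Your Bank" <alerts@yourbank.example>
To: customer@example.com
Subject: Your monthly statement is ready

Your statement for last month is available when you log in to your account.
"""

# Phrases that put the scare in you (assumption: a starter list, extend it).
URGENCY = re.compile(
    r"\b(urgent|immediately|act now|within 24 hours|"
    r"will be (suspended|locked|closed))\b",
    re.IGNORECASE,
)
# Things no legitimate caller or email should ask you to send.
SENSITIVE = re.compile(
    r"\b(password|card number|security code|cvv|social security|ssn|"
    r"wire transfer)\b",
    re.IGNORECASE,
)


def domain_of(header_value):
    """Return the lowercase domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw, trusted_domains):
    """Return a list of red-flag descriptions for a raw RFC 822 message.

    trusted_domains maps a lowercase brand name (as it would appear in a
    display name) to the one domain you know is really theirs.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    for brand, good_domain in trusted_domains.items():
        if brand in display_name.lower() and from_domain != good_domain:
            flags.append(
                f"display name claims '{brand}' but the address is on "
                f"'{from_domain}', not '{good_domain}'"
            )

    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        flags.append(
            f"Reply-To domain '{reply_domain}' differs from From domain "
            f"'{from_domain}'"
        )

    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text):
        flags.append("urgent / act-now language")
    if SENSITIVE.search(text):
        flags.append("asks for a password, card number, or security code")
    return flags


if __name__ == "__main__":
    trusted = {"your bank": "yourbank.example"}  # assumption: your own list
    for label, raw in (("phish", PHISH_RAW), ("legit", LEGIT_RAW)):
        print(label, "->", analyze(raw, trusted) or ["no red flags found"])
```

Run it and the constructed phishing message trips all four checks while the legitimate one trips none. The point of the script is not the word list, which any attacker can avoid; it is that the address behind the friendly name is the thing to look at, and that an email which both pressures you and asks for something sensitive deserves the same treatment as the phone call: stop, and contact the organisation through a channel you already know.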
Never give out your personal information to complete strangers, unless you want to play with them and feed them fake information for your own entertainment.
To learn more about how to protect yourself from malicious users of social engineering techniques, see Chris Hadnagy’s website http://www.social-engineer.org/ , which has podcasts, a blog, and in-person training for those who are really serious about the topic. Here is a sample post from the blog, which links to the FTC (Federal Trade Commission) Scam Alert page for consumers, where you can quickly check whether someone is trying to social engineer you with one of the “scams of the day.” You can also file a complaint with the FTC at https://www.ftccomplaintassistant.gov .
A final word: it can be very depressing to see how badly people can behave, stealing from the elderly and the trusting. Please don’t dwell on the bad, or let horrible people get you down. Think of this kind of reading like taking out the stinky garbage, or flushing the toilet: it keeps your home in order and sweeps out the dirt, and when you are done, you leave it behind and do something happy and enjoyable with your life. Even if you were not planning to, show somebody a bit of kindness and pay some goodness forward. Really, smile and have a great day.