Social engineering is the clever manipulation of people to gain access to privileged information. It can occur on the telephone, in person, or via email.
SHOULDER SURFING
Shoulder surfing refers to looking over someone's shoulder to obtain information. Be mindful of people nearby when working with sensitive business information. If you step away from your computer, lock it so that others can’t see or access confidential information.
Use a privacy screen to cover your laptop or tablet screen while in use. If you witness someone hovering, acknowledge the person to see what they need. Bring to your supervisor's attention if you are suspicious of their intentions.
TAILGATING
Tailgating is an unauthorized person attempting to gain access to secure office space. Be mindful of people entering behind you. Do not allow tailgating.
Refer anyone without a company badge to reception or security. If you feel threatened or notice suspicious behavior, report the incident to concerned department in your org. In the event of imminent harm, contact local emergency services.
EAVESDROPPING
Eavesdropping refers to secretly listening in on conversations to capture information. Be mindful of who is around when discussing or conducting company business. Do not discuss company business in hallways, shared building spaces, or public places.
Keep confidential discussions behind closed doors.
VISHING
Vishing (voice phishing) happens when you receive a phone call from someone impersonating a trusted source, like your bank, a client, or an employee. They may say there's a problem with your bank account, or credit card and direct you to a web site or phone number where you will be asked to provide personal or company information to verify your identity or account. Beware! They are trying to steal your money, identity, or gain access to organization systems. If you access the Vishing web site from your workstation or smart device, it's possible for hackers to access anything stored there.
Follow your policies and procedures; do not provide personal or payment information to unsolicited callers. Do not attempt to call the number back. Do not take direction from the caller about navigation or use of your tools and systems.
Do not disclose any information unless you are able to verify them, and they are authorized (e.g., if they state they're an employee try to reach them on IM). If you receive a call or a text you suspect to be vishing or smishing, contact spoof@majftech.com with as much information as is available.
SMISHING
Smishing happens when you receive a text message (SMS = smishing) from someone impersonating a trusted source, and the same threats apply as with Vishing.
Do not text scammers back. If you receive a call or a text you suspect to be vishing or smishing, contact spoof@majftech.com with as much information as is available.
PHISHING
Phishing is a form of social engineering in which a fraudulent message is sent to you with the intent of tricking you into opening an attachment, clicking a link, or responding to the message. Phishing typically occurs over email, but can happen during a phone call, through a chat program, in a text message, or even in-person!
Successful phishing attacks can steal your credentials (passwords), install malware on your computer, trick you into disclosing confidential company data, or convince you to take unauthorized actions that benefit the phisher. It is no surprise, that phishing is one of the most common attacks leading to data breaches you see in the news.cWith all the technological defenses in place to prevent phishing emails from landing in your inbox, it’s still one of our biggest security vulnerabilities! Our best resource in defending against phishing is YOU!
Learn the warning signs of such emails:
- Unexpected sender or content
- Threats, urgency, and secrecy
- Phishing or Spam?
- Promised lottery or super amazing deals
What to do If you think you have received a phishing email:
- DO NOT reply to the message.
- DO NOT click on links or open attachments.
- DO report the email by creating a new email message, attaching the phish email, and sending to spoof@majftech.com.
- DO NOT send or "forward" the phishing email to anyone as this can cause further exposure.
- DO permanently delete the phishing email.
- Does the message push for urgent action?
- Does the message threaten bad things will happen if you don't do what it says?
- Is it unusual to use email as authorization for wire transfer?