A list of 7 tricks that criminals use on your employees in order to hack your company’s network and steal your customers’ data.

By Mark Leary

You are the first line of defense to an attack of sensitive information on your company’s network. Our acceptance of authority, willingness to help others, and the need to believe most people are good make us easy targets for social engineers. Here are 7 social engineering techniques and terms that you should be aware of.

For people (like me) whose job descriptions include securing the information on your company’s computer networks, think about sharing this information with everyone in your company. (Such as a regular company-wide email that includes tips and techniques that people can use every day.)

Phishing is the most common form of social engineering. Phishing scams use fraudulent e-mail messages, Web sites, or phone calls to fool you into divulging personal information. Phishing e-mail messages often include misspellings, poor use of grammar, threats, and exaggerations.

“Within the next two to three years, many people will have their own public key certificate that can be used for everything from identity to electronic signatures.”- Mark Leary, vice president and chief information security officer for Xerox.

Mark Leary, vice president and chief information security officer for Xerox.

Spear phishers send e-mail messages that look like they comes from your employer or from a colleague who might send an e-mail message to everyone in the company, such as the head of Human Resources or IT. The email may ask for user names or passwords, or ask you to log into a bogus page or click on a link that will download spyware or other malicious programming.

E-mail hoaxes come in many different forms, ranging from a scam that requests your help getting money out of a foreign country (often Nigeria) to a promise that you’ve won the lottery. The common element is that you’re usually promised a large sum of money for little to no effort on your part.

IVR or phone phishing is a technique that uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution’s IVR system. The victim is prompted (typically via e-mail) to call the “bank” via a (ideally toll free) number in order to “verify” information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords.

Baiting is a scam where the attacker creates a legitimate looking compact disk and writes “Executive Salary Summary” on the label and drops it on the floor somewhere within a targeted company. The attacker hopes a curious employee will insert the disk into a computer giving the attacker access to the victim’s PC and the internal computer network.

Quid pro quo means something for something. An attacker calls random phone numbers at a company claiming to be calling back from technical support. The attacker will “help” solve a problem and in the process have the user type commands that give the attacker the ability to launch malware.

Tailgating is where the attacker is seeking entry to a restricted area where access is enabled, electronically access control, e.g. by RFID card. The attacker simply walks closely behind a person who has legitimate access. Following common courtesy, the legitimate person will usually hold the door open for the next person seeking access. The legitimate person may fail to ask for identification for any of several reasons, or may accept that the attacker has forgotten or lost their appropriate identity token.

Links to More Information
Microsoft Safety & Security Center: Practical security tips for you and your family, useful resources and links, and a forum for you to provide feedback and ask security-related questions.

StaySafeOnline.org: From the National Cyber Security Alliance, which seeks to educate a digital society to use the Internet safely and securely at home, work and school.

Stop. Think. Connect: A national public awareness campaign sponsored by the U.S. Department of Homeland Security. The campaign seeks to help the American public understand cyber threats, and empower the public to be safer and more secure online.

Other Articles from Mark Leary
12 Tips to Secure your Credit Card: While it’s impossible to guarantee you won’t be the victim of credit card fraud, you can protect yourself. Here are 12 smart ways you can secure your credit card information and purchases.

Has Your Credit Card Been Compromised? Your 3-Item Checklist: 3 things you should do immediately if your credit card is compromised.

Mobile Shoppers at Great Risk: 4 Things You Need to Know: The biggest threat mobile consumers face may be the phone they carry in their pockets.

5 Ways to Manage Passwords in a Post-Heartbleed World: Solution: Unique, complex passwords that are changed often. A look at digital password managers to securely store your codes.