Mary arrived early to get a head start on what she expected to be a long day, and was surprised to find her phone ringing. She picked it up and gave her name.
“Hi, this is Peter Sheppard. I’m with Arbuckle Support, the company that does tech support for your firm. We logged a couple of complaints over the weekend from people having problems with the computers there. I thought I could troubleshoot before everybody comes into work this morning. Are you having any problems with your computer connecting to the network?”
She told him she didn’t know yet. She turned her computer on and while it was booting, he explained what he wanted to do.
“I’d like to run a couple of tests with you” he said. “I’m able to see on my screen the keystrokes you type, and I want to make sure they’re going across the network correctly. so every time you type a stroke, I want you to tell me what it is, and I’ll see if the same letter or number is appearing here. Okay?”
With a nightmare visions of her computer not working and a frustrating day of not being able to get any work done, she was more than happy to have this man help her. After a few moments, she told him: ‘I have the login screen, and I’m going to type in my ID. I’m typing it in: M..A..R..Y..D..’
“Great so far” he said. “I’m seeing that here. Now, go ahead and type your password, but don’t tell me what is. You should never tell anybody your password, not even tech support. I’ll just see asterisks here – your password is protected so I can’t see it.”
None of this was but it made sense to Mary. And then he said “Let me know once your computer has started up”.
When she said it was running, he had her open two of her applications, and she reported that they launched “just fine.” Mary was relieved to see that everything seemed to be working.
Peter said: “I’m glad I could make sure you’ll be able to use your computer ok. And listen, we just installed an update that allows people to change their passwords. Would you be willing to take a couple of minutes with me so I can see if we got it working right?”
She was grateful for the help he had given her and readily agreed. Peter talked her through the steps of launching her application that allows a user to change passwords, a standard element of the Windows 2000 operating system. “Go ahead and enter your password” he told her.
“But remember not to say it loud.” When she had done that, Peter said “Just for this quick test, when it asks for your new password, enter “test123″. Then type it again in the verification box and click Enter.” He walked her through the process of disconnecting from the server. He told her to wait a couple of minutes, then connect again, this time trying to log on with her new password.
It worked like a charm, Peter seemed pleased, and talked her through changing it back to her original password once more cautioning her not to say it out loud. “Well Mary” Peter said “We didn’t find any trouble, and that’s great. I f any problems come up, just ring us at Arbuckle. I’m usually on special projects but anyone here can help you.”
The above story is an example of a Social Engineering Attack. Social Engineering is the psychological manipulation of people into performing actions or divulging confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software–that will give them access to your passwords and bank information as well as giving them control over your computer.
How to Avoid Social Engineering Attacks
1. Verify Identity
– By asking for ID badge number, verification code, secret code
2. Reject requests for help or offers of help.
– Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc., a scam.
– Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
3. Don’t let a link in control of where you land.
– Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.
To be continued
Culled from Webroot and Prof. Sasse