Protecting against social engineering as important as ever


A report on Ars Technica about scammers masquerading as support staff underscores the effectiveness of social engineering in breaking into computer systems. You can read more about what took place here, though what struck me was the totally brazen manner in which the scammer told the lies.

When faced with tricksters exuding total confidence, it is no wonder that employees end up following instructions that allow their computers to be compromised. In that vein, I outline a couple of often repeated tips that can form an effective defense against social engineering.

IT will never ask for passwords

It is important to tell users that the IT department will never, ever ask for passwords. Indeed, the level of harm that a compromised password can result in, including often undetected break-ins such as unauthorized access to email and VPN accounts, means that this bears repeating. In addition, it is crucial that the IT department reinforce this fact by regularly reminding users that it never asks for passwords.

If in doubt, check with IT

It is always a good idea for users to check with IT when faced with an unfamiliar situation or a request from someone on the phone. Obviously, a good scammer will try their best not to allow an employee the breathing room needed to seek a second opinion. As such, it helps if IT staffers are seen as friendly and helpful, rather than as dismissive of users' problems.

I would love to hear of strategies and policies enacted in your organization to combat social engineering. Feel free to send me an email, a tweet, or just leave a note in the comment section below. - Paul Mah (Twitter @paulmah)