In today’s digital age, social engineering threats have become increasingly common and
sophisticated. These threats can manifest through the following five communication channels:
email, text messages, social media messaging, voice telephone calls, and face-to-face
encounters. The key to safeguarding yourself and your employer is to exercise caution and
healthy skepticism when someone you do not personally know reaches out to you through any one of these communication channels.
How to Protect Yourself: A Simplified Guide
Email: Email remains the most common channel for phishing attacks, so be very cautious of
unsolicited messages, especially those asking you to perform a specific action such as clicking a link or opening an attachment. Such links can lead to credential-harvesting pages or malware downloads, and attachments can carry malicious code.
Verification: If the message appears to come from a person, verify it with that sender by telephone or text message
before trusting it. If it appears to come from an organization, go directly to the organization's website (typed in yourself, not reached through the message) to look for
the information, rather than trusting any link or attachment contained in the body of the
Text Messages: Like emails, text messages can include malicious links and/or malicious
attachments. Text messages are increasingly used for smishing (SMS phishing) attacks, so it is imperative
to verify the identity of the sender before clicking a link or opening an attachment.
Verification can be conducted by telephoning or emailing the sender. If allegedly sent by an
organization, go directly to the organization’s website to verify this information, and do not
click on the link or open the attachment received in the text message.
Social Media Messaging: This is the communication channel favored by sophisticated
threat actors for targeted spear phishing attacks. Threat actors create fake profiles to directly
target YOU. These profiles are built around commonalities with you (a shared employer, school, hometown or professional interest), increasing the likelihood
that you will accept their connection request and welcome interaction with them. The danger
comes when this "trusted" fake profile asks you to undertake an action. It may be clicking on a
malicious link or opening an attachment. The profile may ask you for sensitive information or
manipulate you into a romance or investment scam.
Verification: It is strongly recommended never to accept a connection invitation from
someone you don't know. If you have connected with someone, it is imperative to verify the profile before undertaking any
requested action, since complying with a fraudulent request can have devastating consequences such as identity theft, financial fraud, or espionage. Verification can be accomplished by searching for the individual online and by contacting the people listed as mutual contacts to confirm they actually know the person (keep in mind that mutual contacts may themselves have accepted the fake profile, so a shared connection alone proves nothing). Unless verification can be accomplished, do not comply with anything being requested of you.
Telephone Calls: In voice phishing, often referred to as vishing, social engineers pretend to be whomever
they want in order to obtain sensitive information and/or manipulate their targets into undertaking a
specific act such as disbursing funds, resetting passwords, or providing access to secured areas (gated communities, restricted areas within a company, etc.). To add credibility, vishers frequently spoof the caller ID number seen by the recipient of the call, so the number displayed is not evidence of who is calling. They are also increasingly cloning and using the voice of a person known to you. More severe vishing cases have included fake kidnapping scenarios.
Verification: If a caller asks you to provide sensitive information and/or to undertake a
specific action which, if fraudulent, could result in dire consequences for you or your company,
STOP! First, verify that they are who they say they are. Hang up and call back using a number you look up independently (the organization's published number or a number already in your contacts), not a callback number supplied by the caller, and/or ask that
they provide the instructions in writing. In the case of a kidnapping ransom demand, ensure
that your family has a plan in place to use a code word confirming that the emergency is in fact legitimate.
Face-to-face: In-person interactions can also be used for social engineering. Be cautious of
strangers approaching you attempting to obtain sensitive information or asking that you
undertake a specific action.
Verification: Ask for identification or verification of the person’s affiliation if they claim to
represent an organization or authority.
Remember that the potential danger lies in unsolicited requests for action or information.
Always prioritize “verification before trust.” It’s essential to remain vigilant and exercise
caution, regardless of the communication channel. By following these simple steps, you can
protect yourself and loved ones from falling victim to social engineering threats and maintain
your personal security in an increasingly interconnected world.
Security is not convenient, but neither is becoming a victim. The choice is in your hands.
About the Counterintelligence Institute
Founded by former CIA senior intelligence officer Peter Warmka, the Counterintelligence Institute's mission is to assist corporations, government offices, academic institutions and non-profit organizations in protecting their sensitive information and personal data records against security breach attempts. Our online and onsite training services focus on transforming the human factor from being the weakest link in security into the most effective defensive tool against security threats to your company and personal life.