Best practices

• Understand common ploys and scams used by social engineers
• Always follow policies and procedures
• Verify information using official sources

Understand social engineering

Social engineering attacks are successful because criminals have figured out how to use our human nature against us. Attacks can occur through emails and text messages, in person, over the phone, on social media, and more. Someone launching a social engineering attack won't ask one person for the entire information they need. Instead, they will gather a lot of seemingly harmless information from many sources and use it to look legitimate.

Common social engineering attacks may include:

• Acting forgetful (e.g., “I forgot my key, can you let me in just once?”)
• Playing to your sense of compassion (e.g., “I need this information to complete my report, my boss is going to fire me if I don’t.”)
• Leveraging empathy (e.g., “Have you ever just not been able to catch a break? I just need someone to let me use their computer to print this form.”)
• Acting with authority (e.g., “The computer department sent me to install this software on your machine.”)
• Threatening you or others (e.g., “If you don’t send me the audit report, I’m going to tell your boss you wouldn’t help me.”)
• Offering an incentive or reward (e.g., “I’ll buy you a coffee if you help me out this one time.”)
• Phishing attacks are also a form of social engineering.

Enforce policies and procedures

Anyone with a legitimate claim to information should never be upset with you when you adhere to policies and procedures. If a situation makes you feel uncomfortable, defer to established policies and procedures when responding.

While there are a number of university policies to follow, generally, you should never share your password or enter your password for another person, leave your computer unlocked and unattended, allow someone entrance into buildings or rooms restricted by key or Marlok access, etc.

Verify with official sources of information

Someone launching a social engineering attack will often have conducted thorough research, collecting information from a number of sources to avoid suspicion, and will have fake resources created to help strengthen the attack.

For example, someone claiming to be a gas utility worker may set up a fake phone number and tell you to contact that number to verify their identity. Instead of relying on information given to you by someone you don’t know, locate the company’s legitimate phone number to verify the person’s claim.

Related Policies

• Acceptable use of Computing and Information Technology Resources Policy
• Password Policy
• Computer Security Policy