Thursday, March 5, 2015

MUST READ: How to Prevent Social Engineering (Internet Scamming) Attack

Part One of this series explained what Social Engineering is; in this second part you will learn how to prevent a Social Engineering attack. Before we proceed, let me ask the question again...


What is Social Engineering?
Rather than attacking a computer, Social Engineering is the act of interacting with and manipulating people to obtain important or sensitive information, or to make them perform an act that is latently harmful. To be blunt, it is hacking a person instead of a computer.

A social engineer can use the phone, the internet, or even show up in person to carry out the attack. They may be after data such as ID numbers, usernames, passwords, server names, machine names, remote connection settings, schedules, credit card numbers, etc. They may also try to get someone to install malicious software, visit an unscrupulous website, or even access unauthorized locations.

What can I do?
Be educated, aware, and a little bit paranoid.
Never give out
  • usernames; Administrators already know it or can find out themselves
  • passwords; Administrators can ask you to enter it into the computer, but never tell it to anyone
  • ID numbers
  • PIN numbers
  • server names
  • system information
  • credit card numbers
  • schedules
  • sensitive data
  • etc.
Be aware of what is being asked

Via The Phone
  • ask for the full and correct spelling of their name, a call-back number, and why they need the information
  • if they ask for information managed by someone else, have them contact that source directly
  • when in doubt, put the caller on hold or tell them you will call them back. This gives you time to log any strange calls and verify whether it is ok to give out the information.

Via The Internet
  • watch for any attachment that someone wants you to run from an e-mail
  • avoid any request to enter account information "for verification" by following a link in the e-mail (this is known as phishing)
  • administrators will never tell you passwords over e-mail
  • e-mails from SEASnet will be in plain text without attachments unless you asked for the attachment
  • SEASnet may give you password guidelines, but will never tell you to change it to something specific like "abcde"
  • when in doubt, contact the e-mail sender by phone or in a new e-mail and ask whether their e-mail with the subject <copy the subject> was genuine

In Person
  • never be pressured into complying when someone says "Do you know who I am?"
  • ask for a contact who can verify the person's need for the information
  • have anyone asking configuration/access questions contact the source directly
  • someone from SEASnet should only ever need you to enter your username/password on the computer, never to write it down or say it aloud
  • always be aware of the people around you when entering your username/password
  • when in doubt, contact SEASnet or your supervisor

Other
  • shred and secure any documents that someone could obtain by looking through your trash
  • Always: when in doubt, ask the person to wait while you verify (a) their identity, (b) their need to know, and (c) whether you are the rightful/authorized source of the information.
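As an added example (not code from the original post), the checks in the "Via The Internet" list above written as a small mail filter in Python: it parses MIME messages with the standard library and flags attachments, links that ask you to verify account details, requests to send a password, non-plain-text mail from the administrators, and a message that dictates a specific password. The administrator domain "seasnet.example" and all the sample messages are constructed assumptions, not values from the post.

```python
"""Flag e-mails that show the warning signs from the "Via The Internet" list.

Added example, not code from the original post. All sample messages below are
constructed; "seasnet.example" stands in for the administrators' real domain
(an assumption, since the post does not give one).
"""
import re
from email.message import EmailMessage, Message

# Assumed domain of the administrators whose mail should be plain text only.
ADMIN_DOMAIN = "seasnet.example"

URL = re.compile(r"https?://[^\s<>\"']+", re.I)
CREDENTIAL = re.compile(r"\b(password|passcode|pin|username|account)\b", re.I)
VERIFY = re.compile(r"\b(verify|confirm|validate|reactivate)\b", re.I)
HAND_OVER = re.compile(r"\b(reply|send|tell|provide)\b", re.I)
DICTATED = re.compile(r"change your password to\s*[\"']?\w+", re.I)


def sender_domain(msg: Message) -> str:
    """Domain part of the From: header, lower-cased ('' if absent)."""
    match = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return match.group(1).lower() if match else ""


def body_text(msg: Message) -> str:
    """Concatenate every text/* part that is not an attachment."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_filename() is None:
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def has_attachment(msg: Message) -> bool:
    return any(part.get_filename() for part in msg.walk())


def has_html(msg: Message) -> bool:
    return any(part.get_content_type() == "text/html" for part in msg.walk())


def warning_signs(msg: Message) -> list:
    """Names of the checklist rules this message trips (empty list = nothing suspicious)."""
    text = body_text(msg)
    signs = []
    if has_attachment(msg):
        signs.append("attachment")                 # an attachment someone wants you to run
    if URL.search(text) and CREDENTIAL.search(text) and VERIFY.search(text):
        signs.append("link-to-verify-account")     # the classic phishing pattern
    if CREDENTIAL.search(text) and HAND_OVER.search(text):
        signs.append("credential-request")         # admins never ask for passwords by e-mail
    if sender_domain(msg) == ADMIN_DOMAIN and (has_attachment(msg) or has_html(msg)):
        signs.append("admin-mail-not-plain-text")  # admin mail is plain text, no attachments
    if DICTATED.search(text):
        signs.append("specific-password-dictated") # "change it to abcde"
    return signs


def make_message(sender, subject, text, html=None, attachment_name=None) -> EmailMessage:
    """Build a constructed sample message (demo helper, not real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.edu"
    msg["Subject"] = subject
    msg.set_content(text)
    if html is not None:
        msg.add_alternative(html, subtype="html")
    if attachment_name is not None:
        msg.add_attachment(b"\x00\x01", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


# Constructed samples: one benign admin notice and four messages that each trip a rule.
SAMPLES = [
    make_message("support@seasnet.example", "Ticket closed",
                 "Your ticket has been closed. Thanks."),
    make_message("it-help@mail.example.net", "Account suspended",
                 "Your account will be suspended. Please verify your password at "
                 "http://login.example.net/verify within 24 hours."),
    make_message("support@seasnet.example", "Maintenance",
                 "Reminder: maintenance tonight.",
                 html="<p>Reminder: <b>maintenance</b> tonight.</p>"),
    make_message("colleague@example.edu", "Schedule viewer",
                 "Run the attached installer to see the new schedule.",
                 attachment_name="viewer_setup.exe"),
    make_message("admin@example.org", "Password reset",
                 "Please change your password to 'abcde' and send it to me so I can confirm."),
]


def scan_samples() -> dict:
    """Map each sample's subject to the rules it trips."""
    return {str(msg["Subject"]): warning_signs(msg) for msg in SAMPLES}


if __name__ == "__main__":
    for subject, signs in scan_samples().items():
        print(f"{subject:18} -> {signs or 'ok'}")
```

The keyword lists are deliberately small so the logic stays readable; a real filter would add sender-authentication results (SPF/DKIM) and URL reputation, but the point here is that every rule in the list maps to a concrete, checkable property of the message.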
