So, what can you do? Well, the simple answer is slow down. Most social engineering tries to create a sense of urgency. One is lead to believe that time is of the essence, and a speedy action is required. One is also often advised to keep the information secret, that s/he is special and the information is just for him/her. Therefore, slow down, contemplate if it is reasonable for the organisation that is purported as having sent it would normally communicate in this fashion. In our current situation, is it reasonable to expect that the Centers for Disease Control in the US, or Heath Canada, would send a private message to the citizens of that country? How is the spelling and grammar in the message? Phishing campaigns are famously poorly written. Writing is quickly becoming a lost art, so a poorly written email is not an absolute indication of phishing, but it is a partial red flag. Ask a friend. Sometimes just the act of telling someone about the message will help you realise how "off" it sounds. When in doubt, go directly to the source. Do a Google search for the organisation in question, and see if any such information is on their website. If it supposedly came from a contact of yours, call the contact. Did s/he send it? Finally, simply ignore it. If things get bad enough, you'll hear about it from multiple sources.
As a parting note, a good source for social engineering inoculation is the Hacking Humans podcast. Each week, the hosts share stories of attempted social engineering and conduct an interview with an industry expert to help make you aware of the various forms of social engineering. It's a lighthearted show that is not too technical for the average person.
No comments:
Post a Comment