Category: Compliance · 4 min read
Social Engineering: What it Means and How to Protect Yourself
on October 22, 2019
Do you know what social engineering is? Social engineering is the use of deception to manipulate people into divulging confidential or personal information for fraudulent purposes. The complexity of a social engineering attack varies widely, from a generic mass email to a carefully researched call. Understanding how these attacks work, and how to avoid becoming a victim, is crucial to protecting your own information and your clients' information.
We’ve put together a list of a few of the most common forms of social engineering that you should be aware of. This is not an all-inclusive list, but it’s important to note that, no matter the technique, the intent is the same: to obtain confidential or personal information.
Phishing is likely the most common form of social engineering. It’s defined as the fraudulent practice of sending emails disguised as being from a trustworthy source to obtain personal information for malicious purposes. The scammer often impersonates a company, website, friend, or family member. The email generally includes a link and instructs you to click on it to get more information and/or enter personal information. Be wary of emails that:
- Have small mistakes (grammar, punctuation, etc.)
- Are from unknown email addresses
- Request private or confidential information
- Are intimidating or include the sense of urgency to act
- Include links to unfamiliar sites, or hyperlinks whose visible text does not match the actual destination (hover over the link to compare the two before clicking)
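The last warning sign above (a hyperlink whose visible text points one place while the underlying address goes somewhere else) is the one that can be checked mechanically. The script below is an added example for this article, not code from the original page; it parses the links out of an HTML email body and flags the tricks that spoofed hyperlinks rely on: display text that names a different site than the real destination, a trusted company name buried in a subdomain of an unrelated domain, near-lookalike spellings of a trusted domain, bare IP addresses, and the `user@host` trick. The trusted-domain list, the `example-bank.com` name, and the sample message are all constructed for the demonstration.

```python
"""Flag hyperlinks in an HTML email that do not go where they appear to go.
Added example for this article; the domains and the sample message are constructed."""
import difflib
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list: the domains this recipient legitimately deals with.
TRUSTED_DOMAINS = {"example-bank.com"}
# Display text that "looks like" a URL, with or without a scheme.
URL_LIKE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?", re.I)
HAS_SCHEME = re.compile(r"[a-z][a-z0-9+.-]*:", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _split(url):
    # Display text such as "www.bank.com/login" carries no scheme; add one so urlsplit parses the host.
    return urlsplit(url if HAS_SCHEME.match(url) else "http://" + url)


def registered_domain(host):
    """Last two labels of a hostname (naive: wrong for co.uk-style suffixes, fine for the demo)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return a list of reason codes; an empty list means nothing suspicious was found."""
    reasons = []
    parts = _split(href)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() not in ("http", "https"):
        return ["non_http_scheme"]
    if parts.username is not None:
        reasons.append("userinfo")          # http://bank.com@evil.example/ : the real host is after the @
    if is_ip(host):
        reasons.append("ip_literal")        # legitimate institutions do not link to bare IP addresses
        return reasons
    dom = registered_domain(host)
    for trusted in TRUSTED_DOMAINS:
        if host.startswith(trusted + ".") and dom != trusted:
            reasons.append("subdomain_trick")   # trusted name is only a subdomain of someone else's domain
        if dom != trusted and difflib.SequenceMatcher(None, dom, trusted).ratio() >= 0.8:
            reasons.append("lookalike_domain")  # e.g. a digit 1 in place of the letter l
    if URL_LIKE.fullmatch(text) and registered_domain((_split(text).hostname or "").lower()) != dom:
        reasons.append("display_mismatch")      # the text shows one site, the href goes to another
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every link that raised at least one flag."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [(h, t, check_link(h, t)) for h, t in parser.links if check_link(h, t)]


# Constructed sample in the style of the lure described above; not a real message.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify within 24 hours or it will be closed.</p>
<a href="http://example-bank.com.verify-login.net/secure">https://www.example-bank.com/login</a>
<a href="http://examp1e-bank.com/reset">Reset password</a>
<a href="http://192.0.2.10/portal">Customer portal</a>
<a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{', '.join(reasons):32} {text!r} -> {href}")
```

Run it as a script and the first three links in the sample are reported (subdomain trick plus display mismatch, lookalike domain, IP literal) while the genuine help link passes. The same check is what you do by hand when you hover over a link: compare the site the text claims with the site the address actually goes to, reading the domain from the right-hand end.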
Smishing (short for SMS phishing) is phishing carried out over text messages. Generally, the text contains a link, an email address, or a phone number and urges you to tap the link, reply, or download something. The link leads either to a bogus page that asks you to enter personal information directly, or to a download that installs malware on the phone and captures the confidential information you later type into apps. Scammers rely on people assuming their smartphone is more secure than a computer, and on the fact that a shortened or truncated link is harder to inspect on a small screen. Be wary of texts that:
- Are unexpected and/or come from an unknown source
- Include links to webpages or email addresses that are unfamiliar
- Urge a quick reply
- Ask you about your personal finances
Vishing (voice phishing) is another popular form of social engineering, carried out over the telephone network. You may receive a call from a spoofed number, meaning the caller ID has been changed to show a number other than the one actually calling. Because the number appears legitimate, you can be lured into a false sense of security. The caller may also have gathered enough personal information from other sources (a data breach, social media, public records) to put you at ease: they may be able to recite your address, mother's maiden name, or birthdate. Once you accept that as proof of who they are, it is easy for a scammer to glean any additional information they want. You can help protect yourself by:
- Not trusting caller ID and being suspicious of any unknown caller
- Not providing any personal information
- Hanging up and calling back on a number you already trust (from your statement, the back of your card, or the company's official website), never one the caller gives you
Slow down. Taking your time to respond is one of the easiest preventative measures you can take. Scammers are banking on you rushing through your email or texts, or feeling enough urgency to rectify what seems to be a serious situation that you skip the questions that would expose the request as illegitimate. Before clicking on any link or providing any information, stop and ask yourself whether the request is reasonable and whether this person or company would normally ask for this information in this way. If it seems out of character, treat it as suspect until you have verified it through a channel you already trust.
Education is key. Defending yourself and your business is difficult when you don’t know what you’re defending yourself against. Social engineering attacks come in many forms and they are evolving and becoming more sophisticated all the time. Knowing the various methods and techniques and how they are used can help you form the framework for your defense.
Don’t get complacent. Social engineers know who they’re targeting. They use social media outlets like Facebook, Twitter, and LinkedIn to gather information that will provide them with the credibility they need to get you to disclose the data they want. Being cognizant of the information you release on these social media sites can help. Since many attacks involve references to financial institutions, know the policies of the companies you do business with and their primary means of contact.
It’s likely that you will be the target of a social engineering attack at some point. Knowing in advance what to do (whom at your firm and at the impersonated institution to notify, and which accounts or credentials to lock down) and acting immediately may be the best defense, because the damage grows with every hour the scammer has unchallenged access.
Social engineering casts a wide net. These examples are only a small sampling of how scammers are trying to obtain information. For more information on current scams, visit the Federal Trade Commission website.
For financial professional use only, not for use with the general public. #19-0676-101120
This information is intended for Financial Professionals who are insurance licensed only. If you are securities licensed, please contact your Broker Dealer for their requirements.
These educational pieces are intended to be informative and provide generalized guidance. They should not be construed as legal advice or provide protection against compliance violations brought on by a consumer or state insurance commission. It is the sole responsibility of the financial professional to seek compliance or legal direction specific to their individual situation. These pieces should be used to raise awareness and evaluate business practices.