The Threat That Tech Can’t Stop
Your phone rings at work. The caller says he is from your IT helpdesk and needs some information from you to wrap up a project that affects you. The request seems legitimate enough, so you give it to him. Believe it or not, you’ve just fallen victim to a type of cybercrime called social engineering, also known as the “low-tech hack.”
Social engineering is the art of manipulating people to get confidential information. It is a method of gaining access to company assets such as premises, systems, or resources through low-tech means. Relying almost entirely upon human interaction, hackers often prey on people’s “fear of offending” to get the information they want.
Social engineering usually involves soliciting seemingly trivial information which, when combined with other information, will allow an attacker to:
- Bypass normal processes, procedures and security controls
- Convince employees to not follow normal security procedures
- Trick people “in the know” into divulging information they did not intend to share
We see activity like this happening to our Partners more and more frequently.
How They Do It
When hackers reach out, they might:
- Ask a question (in-person or on the phone) like:
“I am with the helpdesk and need to remotely access your computer.”
“I am a traveling user and need a password reset.”
“I am with the helpdesk and need you to reset your password.”
- Urgently ask for your help
- Send an email that appears to be from a friend or colleague asking you to click a link, download an image, video, etc.
- Request to access your computer remotely for support reasons
- Request you donate to a charitable cause
- Act like they are responding to a “support request” that you never made
- Drop a flash drive or CD in the parking lot, lobby or other area on-premises hoping you insert it in your computer to “check it”
These attacks can take any shape or form, limited only by the hacker’s imagination.
However, there are several simple steps to avoid becoming a victim of social engineering:
Slow down. If it’s highly urgent or uses high-pressure tactics, be skeptical. Someone else’s urgency doesn’t constitute an emergency for you.
Research the facts. Be suspicious of messages from people you don’t know. If the company is new to you, Google them first.
Delete. Delete any and all requests for financial information or passwords in email. If you’re curious or concerned, contact the company directly through regularly promoted channels.
On the phone - ask. If they don’t mention their company name, ask for it. Ask them exactly what “support request” they are referring to. Ask them how they got your information. If you get vague answers, just hang up. If it’s an email, delete it.
To keep the upper hand on these low-tech hacks, always vet requests like these before acting on them.
What to Expect From C Spire Business
As a C Spire customer, you can count on consistency in our support of your IT needs.
Here are a few examples of what you can expect from us:
- When we call you, we will always give our personal name and our company name, C Spire Business. If something sounds off, call us back at 877.800.8898 and ask for us by the name provided to verify.
- You can always use the ticket number as a point of cross-reference.
- We will never ask for your username, password, or financial information via email.
- If you suspect you have received a social engineering call or email, we can offer analysis and feedback. Simply write or forward the details of the communication to us at CSB-Support@cspire.com