In today’s digital age, social engineering threats have become increasingly common and

sophisticated. These threats can manifest through the following five communication channels:

email, text messages, social media messaging, voice telephone calls, and face-to-face

encounters. The key to safeguarding yourself and your employer is to exercise caution and

healthy skepticism when someone you do not personally know reaches out to you through any one of these communication channels.

How to Protect Yourself: A Simplified Guide

Email: As email continues to be a common channel for social engineering phishing attacks, be

very cautious of unsolicited emails, especially those asking you to perform a specific action like clicking on links or opening attachments. These links and/or attachments can contain malicious code.

Verification: If sent to you by a person, verify by telephone or text message with this sender

prior to trusting. If sent by an organization, go directly to the organization’s website to search

for this information instead of trusting any link or attachment contained in the body of the

email.

Text Messages: Just like emails, text messages can include malicious links and/or malicious

attachments. As they are increasingly being utilized for basic smishing attacks, it is imperative

to verify the identity of the sender prior to clicking on the link or opening the attachment.

Verification can be conducted by telephoning or emailing the sender. If allegedly sent by an

organization, go directly to the organization’s website to verify this information, and do not

click on the link or open the attachment received in the text message.

Social Media Messaging: This is the communication channel most preferred by sophisticated

threat actors for advanced spear phishing attacks. Threat actors create fake profiles to directly

target YOU. These profiles will incorporate commonalities thereby increasing the likelihood

that you will accept their connection request and welcome interaction with them. The danger

is when this “trusted” fake profile asks you to undertake an action. It may be clicking on a

malicious link or opening an attachment. The profile may ask you for sensitive information or

manipulate you into a romance or investment scam.

Verification: While it is strongly recommended to never accept a connection invitation from

someone you don’t know, it is imperative to verify the profile before undertaking any

requested action which could result in devastating consequences such as identity theft, financial fraud, or espionage. Verification can easily be accomplished by conducting Google searches on this individual as well as contacting individuals who are listed as mutual contacts. Unless verification can be accomplished, do not comply with anything being requested from you.

Telephone Calls: Often referred to as vishing, social engineers can pretend to be whomever

they want to obtain sensitive information and/or manipulate their targets to undertake a

specific act such as dispersing funds, resetting passwords, or providing access to secured areas (gated communities/restricted areas within a company, etc.). To add credibility, such vishers will frequently spoof the caller ID number seen by the receipt of the call. They are also increasingly cloning and utilizing the voice of a party known to you. More severe vishing cases have included fake kidnapping scenarios.

Verification: If requested by the caller to provide sensitive information and/or to undertake a

specific action, which if fraudulent, could result in dire consequences for you or your company,

STOP! First, verify that they are who they say they are. Request a callback number and/or that

they provide the instructions in writing. In the case of a kidnapping ransom demand, ensure

that your family has a plan in place to utilize a code word verifying that the emergency is in fact, legitimate.

Face-to-face: In-person interactions can also be used for social engineering. Be cautious of

strangers approaching you attempting to obtain sensitive information or asking that you

undertake a specific action.

Verification: Ask for identification or verification of the person’s affiliation if they claim to

represent an organization or authority.

Remember that the potential danger lies in unsolicited requests for action or information.

Always prioritize “verification before trust.” It’s essential to remain vigilant and exercise

caution, regardless of the communication channel. By following these simple steps, you can

protect yourself and loved ones from falling victim to social engineering threats and maintain

your personal security in an increasingly interconnected world.

Security is not convenient, but neither is becoming a victim. The choice is in your hands.

About the Counterintelligence Institute

Founded by former CIA senior intelligence officer Peter Warmka, the Counterintelligence Institute’s mission is to assist your corporations, government offices, academic institutions and non-profit organizations in protecting your sensitive information and personal data records against security breach attempts. Our online and onsite training services focus on transforming the human factor from being the weakest link in security to becoming the most effective defensive tool against security threats against your company and personal life.