MCC Daily Tribune

Social Engineering

A common misconception people have about cyber attackers is that they only use advanced hacking tools and technology to break into people's computers, accounts and mobile devices. This is not true. Social engineering is the art of manipulating people so they give up confidential information. Criminals use social engineering tactics because it is usually easier to fool someone into giving up confidential information, such as a password, than it is to hack the password.

We are the weakest link in the cybersecurity chain. It doesn't matter how much technology is in place to protect information if a person just hands over their password in response to a phishing email request. You need to know who to trust, what to trust, and when to trust a website. In order to protect yourself and your organization, you need to learn how to tell if an email or website is legitimate or simply a way to gather confidential information.

Detecting / Stopping Social Engineering Attacks

The simplest way to defend against social engineering attacks is to use common sense. If something seems suspicious or does not feel right, it may be an attack. Some common indicators of a social engineering attack include:

  • Someone creating a tremendous sense of urgency. If you feel like you are under pressure to make a very quick decision, be suspicious.
  • Someone asking for information they should not have access to or should already know.
  • Something too good to be true. A common example is being notified that you won the lottery, even though you never even entered it.

You can protect yourself by following some simple guidelines.

  • Never share passwords. MCC will never contact you via phone or email and ask for your password.
  • Don't share too much. The more an attacker knows about you, the easier it is for them to find and mislead you into doing what they want. Even small details about yourself, shared over time, can be put together to create a complete picture of you. Criminals examine posts on social media sites, product reviews, public forums and email lists to learn about a person. The less you share publicly, the less likely you will be attacked.
  • Verify contacts. At times, you may be called by your bank, credit card company, mobile service provider or other organizations for legitimate reasons. If you have any doubt as to whether a request for information is legitimate, ask the person for their name and extension number. Then find the company's phone number from a trusted source, such as the number on the back of your credit card, the number on your bank statement or perhaps the number on the company's website. (Be sure you type the URL in your browser yourself.) This way, when you call the organization, you know you are really talking to them. Though it seems like a hassle, safeguarding your identity and personal information is well worth the additional step.

Social engineering attacks can happen over the phone and through almost any technology, including phishing attacks via email, text messaging, Facebook messaging, Twitter posts or online chats. The key to protecting your information is to know what to look out for.

For more cybersecurity awareness tips, please see the Cybersecurity Awareness Training located at the "TECH" tab under "Technology Links".

Pogroszewski, Donna
Chief Information Security Officer