…it might not be a duck.
Your adversary isn’t going to be honest about who they are or what they’re after. If they were, they wouldn’t be in business for very long! Instead, they’re often going to pretend to be something you trust or expect.
- Be wary when receiving unsolicited phone calls, emails, or visits, especially if the person contacting you is asking for information you wouldn’t reveal to a stranger. Verify their identity before giving them anything
- Don’t give out personal information about employees or non-public information about your company. Both are common targets for corporate spies or competitors
- Don’t respond to emails asking for financial information or prompting you to log in, and don’t trust links in emails. If you feel the email may be legitimate, contact the sender using their public contact information to confirm
- Make sure that websites are secure before sending any sensitive information. Whenever possible, encrypt it first
- Double-check the URL before submitting information via the web. There’s a big difference between www.yourbank.com and www.yourbank.co.
- Keep your antivirus and antimalware software up-to-date. Install and use a firewall
Social engineers rely on the mental shortcuts that we tend to form. We see someone with a clipboard, and we assume they’re here on official business. We get an email or phone call with very dire warnings (“The IRS is going to have me arrested??”), and we naturally want to solve those problems as quickly as possible.
Whenever someone seems to want you to feel or act a certain way, especially when it’s with a sense of urgency, stop and think about what they’re actually trying to get you to do. When you do that, you break the social engineer’s script and are less likely to fall victim to their techniques.