Social engineering is when a cyber criminal manipulates someone in order to obtain information about a business or its computer systems.
Cyber criminals use social engineering to gather the information they need to commit fraud or gain access to computer systems. They will seem earnest and respectable. They may even tell you that they have a legitimate connection to your business (for example, as a client or through another business) and offer "proof." Some will impersonate the government. They will often ask for information such as phone numbers or account information, or ask that you open emails with attachments or visit specific websites. Only later do victims realize that these claims were a confidence trick and that they have been manipulated.
These tactics are popular because they work. It is important for you to verify who people are before you give them any personal or business information.
Be aware. Protect your business and employees by advising employees to do the following:
- Be suspicious of any phone calls, visits or email messages from individuals asking about employees, their families and sensitive business matters. This should be reinforced as part of an ongoing security awareness program.
- Ask anyone making unusual inquiries to verify their identity with official documentation.
- When in doubt, ask a supervisor or a colleague for help.
- Follow email, social networking, browsing and other safe practices (as described throughout this guide), and always protect personal information online.
- Always report any suspicious activity, including social engineering attempts, to a supervisor. This is especially important if you think that your business has been compromised.
- If your business may have lost or revealed sensitive information as part of such an incident — or if there is a suspicious pattern of inquiries — determine what assets may be at risk and take action to further safeguard them. For example, if there is reason to believe your business banking information may have been obtained, contact your bank immediately and ask for assistance in protecting your accounts.
- Consider reporting the incident to the police.
- Contact the Canadian Anti-Fraud Centre and ask for advice or file a report.
A big part of cyber security involves being alert to things that seem to be "out of the ordinary."