An Important Message from Global Security: Social Engineering Security Alert
Dear Colleagues –
Social engineering has become a very visible, and global, security threat. Social engineering is the act of influencing or manipulating someone to provide sensitive information, including, but not limited to usernames, passwords, phone numbers and corporate data such as current research project information or corporate strategy efforts.
Some of *Company*'s employees, distributors and customers globally have been targeted in several very active social engineering attacks within the last week. It is imperative that we understand what social engineering is, how it can impact our business and how to Secure *Company*.
Among the most common methods of social engineering are telephone calls, where the attacker portrays some service such as tech support, another employee or some official, and phishing, a targeted fraudulent email that appears to come from a legitimate source and requests information (credit card numbers, account information, etc.) or an action (clicking on a specific link, etc.), warning of some dire consequence if the information is not provided.
Should you receive a telephone call or email from someone you don't know claiming to be a *Company* employee or contractor asking for company information or proprietary data (e.g., details or contact info about individuals, etc.), asking you to perform duties on their behalf or inquiring about job duties/descriptions, please do not comply with the request.
Instead, if you receive these types of communications, ask yourself the following questions:
·Can you verify the telephone number or name of this person in Active Directory or in email? Have the caller spell out his/her name and obtain a call back number. Is the country code correct for the location they claim to be from?
·Is the email a legitimate *Company* email address? Most scams will misspell *Company*, or the email address format will be incorrect.
·Does the caller sound like the name they are impersonating? Are they using correct terminology?
·Is the caller aggressive or expressing an undue sense of urgency if you question them or are non-compliant? Remember that social engineering is a ruse. Verify details and requests before doing anything.
If you are suspicious, write down everything the caller is asking for – have him/her repeat it several times or send it to you in an email to ensure that you are getting all the details correct. Then confirm with a separate email or telephone call to the *Company* employee. If you cannot reach the person, look up his/her manager and contact him/her for verification or contact Global Security
Report all such attempts for phishing or social engineering to *Company*’s Global Security department at xxxxxx.More information, including more social engineering resources is also available on the Global Security xxxx website.
Thanks your all of your help and cooperation.
__________________
The Principle of Least Interest: He who cares least about a relationship, controls it.
Most (but not all) of the phishing e-mails wind up in my Junk mail. When I get one purporting to be from my bank, I just forward it to the "real" bank. I also get them from "credit cards" that I don't have - I just delete them.
