Social Engineering: Awareness is Step 1

October 04, 2016 by Alex Collins, IT Services Consultant

Password on screen

Social Engineering is a phrase that gets discussed frequently in the technology space, but for far too long, the feeling that it is just a 'buzzword' has prevented it from getting the awareness it deserves. The first step in changing this is demystifying the phrase. Social Engineering is, simply put, a way for your cyber security to be breached without any technical hack or data breach taking place. Even more simply put: Social Engineering is a modern-day con.

In February 2016, journalist Kevin Roose hired a team of social engineers to attempt to hack into his accounts. After completing some research on Roose, social engineers at Social Engineer, Inc were able to hack into his cell phone account within two minutes. So how can this sort of new, innovative hack be prevented? Cyber Security and Digital Forensics Examiner recommends that companies "Train users with an effective training program... [and] back up just in case and regularly test those backups to make sure they work."

Along with training and backup, there are several other common sense steps to take in avoiding a social engineering hack:

  1. Use two-factor authentication, when possible. This security protocol is being implemented by more and more technology providers, and requires you to enter a verification code after entering your password. Despite 2FA being part of the answer, it should be noted that hackers have used social engineering to bypass two-factor authentication.

  2. Never give your password to anyone! This is repeated ad nauseam, but it's surprising that up to 34% of people would give away their password if simply asked. This also goes for two-factor authentication codes - no company should ever ask you to give them your 2FA code through text, phone, email, or any other medium.

  3. Ask providers/vendors to add an extra layer of security. Companies such as AT&T, Comcast, and others will happily add an extra layer of security (often a social security number) if you call and ask.

  4. Consider everything. Hackers are going to succeed when you don't stop to think - is that email really valid? Does that domain look real? Why am I being asked for my private and secure information? If there is ever a doubt, simply pick up the phone and call the company to ask.

While these steps can help, there is still a need for companies to remain proactive in educating their users and maintaining effective backup and recovery solutions. If your company is considering extra measures to keep your infrastructure secure, contact us at All Covered.