
Cybersecurity Tutorial

Social Engineering

Another significant threat we all face as computer users is social engineering. Social Engineering is the broad term used to describe several techniques used to deceive people into giving up critical information or access to their computer. Social Engineering methods include:

  • Emails or web links that ask for passwords, Social Security Numbers, credit card numbers or other information (known as "phishing" scams).
  • Email attachments that install "trojan horse" programs onto your computer.
  • Scam emails that ask you to send money (usually with some offer of a significant return on investment).
  • Unexpected CDs or floppy disks given or sent to you that contain programs designed to infiltrate your computer.

These scams are designed to look as legitimate as possible, often using the names of well-known companies or organizations and compelling "stories" in their deception. Here are some general guidelines to avoid being caught like a "phish".

  • Don't open attachments you aren't expecting! If you have any doubt, don't click; send your inquiry to security@nersc.gov or call 800 66-NERSC.
  • Knowing the sender of an email is not proof that the email is legitimate. The sender's name and address are easily forged. If you get unexpected email from someone you know and the content seems out of character, contact them to see if it is real.
  • If you get a warning about a new virus that doesn't come from a trusted NERSC source, don't forward it --- it's almost certainly a hoax. Report the incident to security@NERSC.gov or call 800 66-NERSC.
  • Don't fall for phishing! NERSC will never ask you for your password via email or on the phone --- neither will any other reputable company. Always look at the actual URL behind a link in an email (not just the text you see) and make sure it directs you to the site you expect.
  • Don't use "free" CDs or other media, including USB memory sticks, unless you are sure they came from a legitimate source. Remember, many computers 'autorun' CDs and USB memory sticks, so even putting a CD or USB stick into the computer can spread an infection.
  • Be cautious when using computers that are not your own. Every machine you enter your password on is a potential means by which your password will be stolen. Be especially aware of using shared-use computers in places like university computer labs, cyber cafes, conferences, and hotels. If you have any doubt, change your password when you return or refrain from entering it on untrusted systems.
  • Avoid connecting to unknown, unsecured public wifi. Attackers set up wifi access points in order to get unsuspecting victims to connect, where the attacker can then gather all the information that is being sent over the network or redirect you to malicious websites.
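The "look at the URL behind the link" guideline above can be checked mechanically. The following is an added example (not NERSC's own code, and not part of the original tutorial) that parses the HTML body of a message, collects every anchor, and flags links whose visible text names one site while the real href points at another, plus links using a non-http scheme. The message text, the lookalike hostname and the helper names (`registrable`, `check_link`, `suspicious_links`) are all constructed for the illustration; the "site identity" helper assumes simple two-label domains and would need a public-suffix list for addresses such as `.co.uk`.

```python
"""Flag anchors in an HTML email whose visible text points one place while the
real href points somewhere else, a common phishing tell.
Added example for the NERSC social-engineering guidelines; not NERSC code.
The sample message below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a hostname or URL inside link text.
HOST_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def registrable(host):
    """Crude 'which site is this' identity: the last two labels (example.com).
    Assumption: no multi-part public suffixes such as co.uk in the data."""
    parts = host.lower().strip('.').split('.')
    return '.'.join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href') or ''
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def check_link(href, text):
    """Return 'ok' or a short reason the link deserves a closer look."""
    actual = urlparse(href)
    if actual.scheme.lower() in ('javascript', 'data'):
        return 'suspicious: non-http scheme'
    actual_host = actual.hostname or ''
    match = HOST_RE.search(text)
    if match:  # the visible text itself looks like a URL or hostname
        shown = registrable(match.group(1))
        if shown != registrable(actual_host):
            return 'mismatch: text shows %s, link goes to %s' % (shown, actual_host)
    return 'ok'


def suspicious_links(html):
    """All links in the message that did not get an 'ok' verdict."""
    flagged = []
    for href, text in extract_links(html):
        verdict = check_link(href, text)
        if verdict != 'ok':
            flagged.append((href, text, verdict))
    return flagged


# Constructed sample: one lookalike link, one genuine link.
SAMPLE_EMAIL = """<p>Your NERSC password expires today. Please verify at
<a href="http://nersc-login.example.net/verify">https://www.nersc.gov/login</a>
or read the <a href="https://www.nersc.gov/users/">user docs</a>.</p>"""

if __name__ == '__main__':
    for href, text, verdict in suspicious_links(SAMPLE_EMAIL):
        print('%-40s %-30s %s' % (href, text, verdict))
```

Running the script reports only the first link: the text displays `www.nersc.gov` while the href leads to `nersc-login.example.net`. Links whose visible text is plain words ("user docs") cannot be judged by this comparison, which is exactly why hovering over, or long-pressing, a link to reveal its destination remains the practical habit the guideline asks for.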

Some examples of sophisticated social engineering techniques that have been directed at DOE labs include:

  • CDs sent by mail that contained the DOE logo and promised information about DOE Policies and Procedures --- and actually contained sophisticated malicious code.
  • PDF files that appeared to come from site publications offering the chance to be featured in a site newsletter. They actually exploited an Acrobat vulnerability.
  • Attempts to gain password information by contacting employees by email or by phone and pretending to be local help desk personnel.

If you ever suspect that you have been targeted by an attack like this, immediately report it to Security@NERSC.gov or call 800 66-NERSC. Err on the side of caution. If you're ever in doubt about the authenticity of anything you receive and you can't just safely delete it, then ask for help.