Social engineering is basically any method or strategy used to manipulate people and deceive them into divulging personal information or offering access to accounts.
The information they are after often relates to your computer network’s security, company passwords, or personal identity.
Social engineers use what they know about you or about your company to gain your trust and access your information. Using clever techniques that make it appear as though they are contacting you from your bank, a coworker, an employee, or a vendor, they impersonate legitimate contacts to trick you into providing a password, answers to security questions, or other key data.
In the end, they steal your identity or access your accounts.
To keep these things from happening to you, you’ll have to become even more clever than they are.
Social engineering 101
Social engineers can impersonate just about anyone, as long as it leads them to what they want. You’ll have to become more skeptical of any attempt to contact you about your accounts, company information, and secure data.
Here are a few examples of social engineering methods:
- “Banking” emails: A social engineer pretends to be your bank and sends you an email. The message appears to be an alert about a recent transaction on your account. If you click the link inside the message, it takes you to a portal asking for your username and password. Of course, it’s not really your financial institution. It’s just a fake site designed to trick you into providing your personal data.
- Fake calls from a business associate: Someone calls you and claims to be from your EHR vendor, a chiropractic supply company you work with, your landlord, or someone else you do business with. They mention a few details to appear legitimate, then ask you to confirm your Social Security number. If you tell them your number, the social engineer has what they need to steal your identity.
- Scary text messages or voicemails: You receive a message from someone asking for help. Being the compassionate professional that you are, you quickly respond. Now the social engineer knows who you are and that your phone number works. They don’t, of course, actually need help from anyone. They just contacted a random number. But now they have the phone number and basic info of a real-life target: your practice!
In truth, there’s an infinite number of schemes social engineers can use. They’re not limited to this list. That’s why you’ll need to be smart about stopping them from hurting your practice.
How to fight back
Develop a process to quickly determine if a contact is legitimate. From there, use common sense to catch social engineers before they can do real damage.
Follow these tips:
- Verify everything. If you get an email from your bank, see if it looks suspicious. Messages that ask for personal information the bank clearly already has are probably the work of social engineers. Double-check any message from a vendor asking for your password and username.
- Find the real contact. Make sure that you’re communicating directly with the company or individual instead of with a scammer or social engineer. Look carefully at the web address in any link before you click or provide information. Better yet, don’t click links within emails that pertain to your business or financial data.
- Dispose properly of personal information, receipts, and other documents. Use your shredder. A social engineer might use information from your trash, so destroy it before you throw it away.
- Use two-factor authentication. This makes it more difficult for a social engineer to guess your answers or obtain a single piece of data and have enough to actually access your account.
- Educate everyone. If you have employees or coworkers, make sure they are all educated in social engineering and know how to proactively prevent it.
- Use robust security online. Sometimes a social engineer will purchase your information online or find bits of data they can stitch together. With the right security, you make it more difficult for them to do extensive damage.
- Learn more about social engineering. By reading articles like this one and learning about how social engineering methods work, you can help yourself become much better at identifying scammers’ attempts at stealing your information.
- Practice frequent backups. Be ready if the worst happens and you lose your data or have to start over.
- Remove your online info from databases. Online sales lead databases and community listings are great for finding new patients, but scammers love these databases too. Remove your listings online or ask the database administrators to keep out information that’s too specific or personal. If you think a scammer could misuse a piece of information, then you’re probably better off removing it entirely from the Internet.
- Keep personal information secret. Don’t share your passwords, either.
- Monitor your accounts regularly. Check your credit score, business credit report, and other information for changes. Watch the transactions that hit your debit and credit accounts.
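The “look carefully at the web address in any link” tip can be automated for HTML email. The following Python check is an added example, not part of the original article: it lists where each link really points and flags links that leave a trusted domain or whose visible text shows a different address. The trusted domain `mybank.example`, the sample message, and every function name are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains this practice really does business with (constructed).
TRUSTED_DOMAINS = {"mybank.example"}
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

def host_of(url):
    """Lowercase hostname of a URL or of a bare 'www.site.example/path' string."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def is_trusted(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        host, shown, flags = host_of(self.href), "".join(self.text).strip(), []
        if not is_trusted(host):  # e.g. mybank.example.something-else.test
            flags.append("untrusted-domain")
        if URL_LIKE.match(shown) and host_of(shown) != host:
            flags.append("text-mismatch")  # text shows one site, link opens another
        self.findings.append((host, flags))
        self.href = None

def audit_links(html):
    """Return [(real_host, [flags])] for every link in an HTML email body."""
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample message, not taken from a real email.
SAMPLE = ('<a href="http://mybank.example.account-verify.test/login">'
          'https://www.mybank.example/login</a> '
          '<a href="https://www.mybank.example/help">Help center</a>')
```

Calling `audit_links(SAMPLE)` flags the first link on both counts and leaves the second clean. A trusted name at the start of a hostname proves nothing; only the end of the hostname identifies the site that receives your login.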