It’s important to understand how most attacks are formulated and executed. When we look at social engineering attacks, they pull on emotions. When your users receive a phishing email, it’s never a polite, chilled out email that asks you to reply whenever you get a chance. No, it’s something designed to instill fear, convey a sense of urgency or maybe appeal to curiosity or greed.
The old tailgating trick, where someone gets your users to hold the door open for them because their hands are full with two cups of coffee, relies on appealing to the empathy we feel towards others. Ultimately, cybercriminals are relying on manipulating the inherent humanity within us. So, the answer is therefore simple. Show less empathy, care less about others, don’t make other people’s issues your concern… in other words, just be rude. I know this is a tough concept, we’ve spent most of our lives trying to be nice to each other. But these are bad people.
Now, I’m not talking about you throwing your phone at a personal assistant because they bought you coffee with the wrong kind of milk in it. I mean following processes without letting emotions get in the way. So, let’s consider the following scenarios:
1. Someone senior in the company emails you frantically asking for help and they need you to authorize a payment to a new partner to close a deal worth millions. Of course, the nice thing is to be a team player and help them out. We’re all team players, after all.
2. Your grandchild calls or sends an email that they have been wrongfully arrested, are in jail (usually in a foreign country) and they need you to wire them money for bail or to get home.
3. You receive a serious call from Microsoft, Apple, or AOL that your computer has some issue that needs to be immediately resolved. They ask you to download software, or worse still, hand over your password. You wouldn’t want to be the cause of a virus being installed on your own computer, would you? None of these major companies will ever call you unsolicited. They will swear up and down that they really are from Microsoft, or HP, or Dell, but they aren’t. Now if you called Apple for support, and filled out the form for them to call you back, that’s a different kettle of fish. Those calls are legitimate, but only if you’ve contacted them and asked them to call you back.
I’m sure you see the problem here in these somewhat simplified examples. If you and your users follow your instincts and behave like nice people, you could potentially fall victim to a social engineering attack. But on the other hand, if you went full grumpy old man rude, akin to Clint Eastwood, you’d be slamming doors in the faces of people, deleting important emails, or causing your organization’s network to shut down.
So clearly, the answer lies somewhere between being sweet as apple pie and rude as Clint.
This is what I like to call the “gangsta gran zone”. It’s like your gran, a sweet lady, full of love and empathy, but one who doesn’t suffer fools.
So the advice is simple — be as rude as you need to be. If we revisit our scenarios, call back that senior person in the company, and confirm the request.
Your grandchild calls for money, call their parents, and let them know. Don’t wire money to anyone.
For the call from that major corporation about your computer, I’d go full Clint Eastwood on them and be as rude as you want. At the very least, just hang up on them, you won’t offend them, they’re used to it. They scam people for a living.
If it wasn’t already obvious, the examples listed are meant to be tongue-in-cheek, but it’s important to remember cybercriminals are not nice, and they will stop at nothing to get what they want. Follow correct procedure and safeguard your own actions and the organization overall. It’s not that you want to be awkward, or deliberately rude, but you need to find that balance so it’s less likely that someone will be able to take advantage of your kindness and willingness to help.