In our previous post, we covered a variety of social engineering countermeasures to reduce your risk of falling victim to an attack. Regardless of how much you secure your environment, one or more of the defense strategies that you have in place may fail, compromising you and/or your organization. As the final installment of our social engineering prevention series, this post is intended to provide guidance for what to do if you suspect you have been victimized by a social engineering scam.
Social engineering victims generally fall into the following main categories:
- Social Engineering for Payment. Victims that fall for payment scams should immediately call their bank or credit card company to freeze their accounts as the first step.
- Social Engineering for Credentials. Victims that have had credentials stolen should immediately change their passwords for whichever account was compromised as the first step.
- Social Engineering to Install Malware. Victims that have downloaded or opened a malicious file should immediately disconnect their machine from the network (unplug the Ethernet cable and turn off Wi-Fi, not just close the browser) to prevent further spread or data theft.
Keep in mind that not every step listed below applies to every situation. The aim is to give you an action plan so that, instead of losing valuable time to panic or wondering whom to call, you can start limiting the damage right away.
Immediate Steps to Take for Social Engineering Victims
- If you suspect you have installed malicious software, immediately disconnect the affected machine(s) from the network: unplug the Ethernet cable and turn off Wi-Fi. This limits further spread of the malware and stops any ongoing theft of data. DO NOT power down: shutting down a machine discards volatile evidence (memory contents, running processes, active network connections) that an investigator needs, so leave it running but isolated. If you are on a company machine, contact your security team, help desk, or other IT resource and let them decide how the device is handled. If it is a personal machine, run a full scan with a reputable antivirus product; if anything is found, or you cannot be confident the machine is clean, back up your data files and re-image the system, since re-imaging is the only reliable way to ensure the malware is gone.
- Check your financial accounts for unauthorized transactions or unauthorized access. If you find anything suspicious, immediately call your bank or credit card company to report it.
- Change your passwords for ALL of your online accounts, and do it from a device you trust rather than the one you suspect is compromised, because a keylogger on that machine would capture the new passwords too. Prioritize email (password resets for your other accounts flow through it), financial accounts, and any account that can reach sensitive company information. Where a service offers it, also sign out of all other sessions or devices so that a stolen session or token stops working. If your company credentials have been compromised, notify your security team, help desk or any other internal resource that may need to assist with password changes. If you are not currently using Multi-Factor Authentication (MFA), enable it wherever it is an option. When changing your passwords, follow good cyber hygiene practices and use a unique, hard-to-guess password for every account; a password manager makes this practical.
- Report the incident to your IT or security department, which should be able to provide further guidance. If you don't have an IT or security department, reach out to local law enforcement for direction or engage a professional cybersecurity company to guide your next steps.
- Survey the damage and, as much as possible, determine the extent of the damage in terms of who, and what systems, may be compromised.
- Isolate the compromised areas of the network as much as possible to limit further damage.
- Preserve as much evidence as possible: screenshots, the original email with its full headers, the malicious attachment or document, the URLs involved, and the times you received and acted on the message. Do not delete the phishing email or the file you downloaded; they are usually the starting point of a forensic investigation.
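The evidence step above is the one most people get wrong: they delete the suspicious email or attachment, or forward a copy that has been re-encoded, and the investigator is left with nothing to match against. Below is an added example (not code from the original post) of how to catalogue a suspicious file without altering it: it records size and timestamps, computes the hashes that security teams and reporting agencies ask for, pulls out any URLs and email addresses, and "defangs" them so the manifest can be pasted into a ticket or email without anyone clicking a live link. The sample email, its domains and file names are constructed for illustration.

```python
# Added example: catalogue a suspicious file (phishing email, attachment) for the
# security team or law enforcement without modifying it. Not part of the original
# post; the sample message, domains and file names below are made up.
import hashlib
import json
import re
import tempfile
import time
from pathlib import Path

URL_RE = re.compile(r"""\b(?:https?|ftp)://[^\s<>"')\]]+""", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HASH_NAMES = ("md5", "sha1", "sha256")  # MD5/SHA-1 only to match older reports

# Constructed sample of a phishing email; the vendor domain is fictitious.
SAMPLE_EMAIL = """From: "Accounts Payable" <ap@example-vendor-invoices.test>
Subject: Overdue invoice 4471
Please review the attached invoice and update payment details at
https://example-vendor-invoices.test/update?id=4471 before Friday.
"""


def digests(data: bytes) -> dict:
    """Hashes of an in-memory byte string (used for small artifacts and for checks)."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_NAMES}


def hash_file(path: Path) -> dict:
    """Hash a file in chunks so large attachments need not fit in memory."""
    hashes = {name: hashlib.new(name) for name in HASH_NAMES}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def defang(indicator: str) -> str:
    """Rewrite a URL or address so it cannot be clicked or auto-linked: http -> hxxp, . -> [.]"""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def extract_indicators(text: str) -> dict:
    """Unique URLs and email addresses found in the text, defanged and sorted."""
    urls = sorted(set(URL_RE.findall(text)))
    emails = sorted(set(EMAIL_RE.findall(text)))
    return {"urls": [defang(u) for u in urls], "emails": [defang(e) for e in emails]}


def build_manifest(path: Path, note: str = "") -> dict:
    """Describe the file without changing it: metadata, hashes, indicators, your own note."""
    stat = path.stat()
    try:
        text = path.read_text(errors="replace")  # binary attachments still yield URL strings
    except OSError:
        text = ""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {
        "file": path.name,
        "size_bytes": stat.st_size,
        "modified": time.strftime(fmt, time.gmtime(stat.st_mtime)),
        "collected_at": time.strftime(fmt, time.gmtime()),
        "hashes": hash_file(path),
        "indicators": extract_indicators(text),
        "note": note,
    }


def write_manifest(path: Path, out_dir: Path, note: str = "") -> Path:
    """Write <file>.manifest.json next to the preserved evidence and return its path."""
    out_dir.mkdir(parents=True, exist_ok=True)
    out = out_dir / (path.name + ".manifest.json")
    out.write_text(json.dumps(build_manifest(path, note), indent=2))
    return out


def demo() -> dict:
    """Save the constructed sample to a temp directory, catalogue it, return the manifest."""
    work = Path(tempfile.mkdtemp(prefix="evidence-"))
    sample = work / "invoice-4471.eml"
    sample.write_bytes(SAMPLE_EMAIL.encode())
    out = write_manifest(sample, work / "evidence",
                         note="Opened the attachment at 09:12, then noticed the sender domain was wrong")
    return json.loads(out.read_text())


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real email (saved from your mail client with headers intact, usually as .eml) and the downloaded file, then hand the manifest and the untouched originals to your security team or include the hashes and defanged URLs in your report. The SHA-256 is what most teams use to check whether the same file has been seen elsewhere; the defanged indicators let the impersonated service and other recipients be warned without anyone opening the link.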
Report the Incident
If you are a victim of social engineering, engage local law enforcement first so they may investigate the incident and take appropriate action. Local law enforcement should also be able to provide the best guidance for what to do next, including other entities to which you must report the incident. If you are a foreign national, you may also contact your embassy or consulate for assistance in reporting cybercrime, or getting in touch with local law enforcement. Resources and laws pertaining to reporting cybercrime can vary greatly between different areas of the globe, but below is a list of different options that you may need to engage in addition to local law enforcement depending on the severity of the incident.
There are several national and international agencies to which social engineering and other cybercrime incidents may need to be reported, including:
- Internet Crime Complaint Center (IC3) is run by the US FBI and accepts online complaints related to internet crimes, such as phishing scams, malware, ransomware, and online fraud, from victims in the United States and around the world.
- European Cybercrime Centre (EC3) is part of the European Union Agency for Law Enforcement Cooperation (Europol) and was set up to strengthen the law enforcement response to cybercrime in the EU, helping protect European citizens, businesses and governments from online crime.
- The United Nations Office on Drugs and Crime (UNODC) is a global organization that draws upon its specialized expertise on criminal justice systems response to provide technical assistance in capacity building, prevention and awareness raising, international cooperation, and data collection, research and analysis on cybercrime.
Identify and Notify Affected Parties
After you have reported the incident to the necessary agencies, you will need to begin identifying and notifying affected parties, as they are also victims of the social engineering attack. In most jurisdictions, when a cybercrime incident or data breach exposes an individual's personal information, you are legally required to notify that individual (by letter, email, phone call, or in person), and often a regulator as well, within a set deadline; check the laws that apply to you and follow any instructions from law enforcement about timing. Additionally, contact the website or service provider that was impersonated or abused in the incident so they can act against the fraudulent site or account. Most websites, especially frequently impersonated brands such as PayPal, Amazon and DHL, have a dedicated address or form for reporting phishing and other suspicious activity.
Be a Hard Target
Though falling victim to a social engineering attack can be an incredibly painful way to learn a lesson, it’s a learning experience that highlights exactly where your weak spots may be. Use the opportunity to review everything related to how you secure your network from the security stack, to policies and practices, to training and education. After you identify your weakest links, close those security gaps by improving a technology solution, addressing education and training, following better cyber hygiene habits, or all of the above.