
e-Book

SOCIAL
ENGINEERING
To many people the term social engineering is an unfamiliar one.

A social engineer is a person who deceives or cons others into divulging information that they wouldn't normally share. It is one of the most commonly used methods of hacking.
Instinct and trust:

Recognizing a social engineer is not easy. It could be almost anyone, using some form of disguise to gain your trust.

One of the main things a social engineer counts on is our natural instinct as humans to be helpful to others. They will attempt to build a trusting relationship with their subject (even if only for a moment) and then break that trust by using the information they have obtained for wrong-doing.

Defending against a social engineering attempt is not easy. Usually you won't know it has occurred until it is too late. But there are a few things you can do that might help.

Social Engineering Defense

If someone phones or appears and asks you for information that you know is confidential company, client or personal information, don't be afraid to ask them a few questions yourself.

In person:
1. Ask for some identification.
2. Ask who has authorized this request so you may verify the authorization.
3. If you are not authorized to provide that information, offer to locate the correct person.
4. Seek assistance if you are unsure.

By phone:
• Ask for the correct spelling of the caller's name.
• Ask for a number where you can return the call.
• Ask why the information is needed.
• Ask who has authorized the request and let the caller know that you will verify the authorization.
Phishing

A newer form of social engineering using e-mail is called "phishing." The term refers to e-mail messages that are sent as bait in an attempt to fool the recipient into providing personal or private information. Usually the information requested would be sufficient to obtain access to the person's financial accounts or to open new accounts under fraudulent pretenses.

The messages are cleverly disguised to look as though they originated from the official source. They may ask you to "verify your account information", "update your account profile", or use some other tactic to get you to enter confidential information. Any information you enter may be used for illegitimate purposes such as monetary withdrawals, fraudulent purchases, or further identity theft.

The senders of these types of messages are clever and constantly look for new ways to make the messages look genuine and official. Don't take the bait! A reputable and secure organization would not send you an e-mail requesting your account information. They already have it and will probably never ask you to update your information in this manner. They will not ask for your account number, social security number, driver's license, mother's maiden name or other confidential information through a non-secured method.

Here are the steps to avoid phishing:

• Do not click on suspicious links.
• Double-check the sender's e-mail address.
• Avoid conversation with strangers.
• Avoid downloading unknown documents.
• Avoid fake gift offers.
• Reject e-mail or message requests from strangers.
• Always remember the risk of losing important information.

If you receive such a message, do not enter any information or click on any buttons or URLs displayed. Send the e-mail as an attachment to servicedesk@pertamina.com for confirmation and wait for guidance (the information security group's checking procedures may take some time). If you have doubts, contact the institution through a publicly published phone number to verify the authenticity of the message.
