SOCIAL ENGINEERING
To many people the term social engineering is an
unfamiliar one.
Social Engineering Defense
If someone phones or appears and asks you for information that you know is confidential company,
client or personal information, don’t be afraid to ask them a few questions yourself.
In Person:
1. Ask for some identification.
2. Ask who has authorized this request so you may verify the authorization.
3. If you are not authorized to provide that information, offer to locate the correct person.
4. Seek assistance if you are unsure.
By phone:
Ask for the correct spelling of the caller's name.
Ask for a number where you can return the call.
Ask why the information is needed.
Ask who has authorized the request and let the caller know that you will verify the authorization.
Phishing
A new form of social engineering using e-mail is called "phishing." The term phishing refers to e-mail
messages that are sent as bait in an attempt to fool the recipient into providing personal or private
information. Usually the information requested would be sufficient to obtain access to the person's
financial accounts or to open new accounts under fraudulent pretenses.
The messages are cleverly disguised to look as though they originated from the official source. They
may ask you to "verify your account information", "update your account profile", or some other tactic
to get you to enter confidential information. Any information you enter may be used for illegitimate
purposes such as monetary withdrawals, fraudulent purchases, or further identity theft.
The senders of these types of messages are clever and constantly look for new ways to make the
messages look genuine and official. Don't take the bait! Any reputable and secure organization would
not send you an e-mail requesting your account information. They already have it and will probably
never ask you to update your information in this manner. They will not ask for your account number,
social security number, driver's license, mother's maiden name or other confidential information
through a non-secured method.
If you receive such a message, do not enter any information or click on any buttons or URLs displayed. Send the
email as an attachment to servicedesk@pertamina.com for confirmation and wait for guidance (the checking procedures
of the information security group could take some time). If you have doubts, contact the institution through a
publicly published phone number to verify the authenticity of the message.