Leadership Letter
February 2022

ASK COUNSELOR TARA
ASCE’s General Counsel Tara Hoke responds to legal questions posed by Sections and Branches here each month. Send Tara an email with your question.
How can we ensure we don’t fall for ‘social engineering’ scams?
In the world of information security, "social engineering" is roughly defined as any scheme that uses psychological tactics to trick individuals into exposing sensitive information and/or compromising their information systems. While there is no shortage of infamous examples of breaches affecting large private companies (Experian, Marriott) and public agencies (U.S. Office of Personnel Management, Virginia Department of Health Professions), it is unfortunately true that even smaller nonprofit or for-profit organizations are not safe from the risk of a social engineering scam. In fact, a smaller organization with one person handling both correspondence and payments is often an easier target than a large one.

Here are some of the most common types of social engineering:

  1. Phishing: In a phishing scheme, the scammer sends out a generic email purporting to be an "official" communication from a bank or other trusted vendor; e.g., "Dear Bank of America Customer: We have received a request to transfer $1,895 from your checking account. If you did not authorize this transaction, please click here to reject the transaction: www.fakebank.com." While this type of scheme is fairly unsophisticated (many recipients may not even have a Bank of America account), the scammer hopes to trick even a few of the email recipients into clicking the link and entering their credentials on a look-alike login page. Note that the text of a link in an email need not match where the link actually goes; hovering over the link before clicking it will usually reveal the true destination.
  2. Spear phishing: This is the more sophisticated version of phishing, where the scammer's efforts are targeted at a specific person on the basis of information already known to the scammer (names, titles, vendors, travel schedules). For example, a spear phisher might spoof the email address of a company's CEO and send a message to the staff accountant directing them to make an urgent payment on the CEO's behalf. The "spoofed" address is often a look-alike domain, or simply the executive's name used as the display name on a free webmail account, so the sender's actual address deserves a close look.
  3. Baiting: In a baiting attack, the scammer offers something to tempt a victim into action. The “bait” can be obvious, such as an offer of a free gift card for clicking a link, or it can be more subversive; e.g., an email that appears to be from a company executive with an attachment titled “Salary Information” or “Reduction in Force Plan.” 
  4. Pretexting: This involves telling a story designed to prompt someone to send money or to give up information. For example, the scammer may send an email or text claiming to be a relative in need of an emergency loan, or may identify themselves as a law enforcement or regulatory agency threatening legal action.
  5. Scareware: In this case, the scammer places malicious code or a malicious advertisement on a webpage that causes a pop-up window (usually with flashing colors and alarms) to appear, claiming to be alerting the target to a virus on their computer. Here, the aim is to trick the target into clicking a link or downloading software to "correct" the problem. The downloaded "fix" is typically the malware itself, the "cleanup" demands a credit card number, or both.
Nearly all of these scams rely on creating a sense of urgency (or, in the case of baiting, curiosity), in hopes that the would-be victim will act without taking the time to think about any "red flags" or other irregularities that might expose the scheme. For that reason, perhaps the best protection against social engineering schemes is to give heightened scrutiny to any request that claims an emergency or urges immediate action, and to confirm any request for money or credentials through a channel you already trust, such as calling the supposed sender at a number you have on file rather than one provided in the message.
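The red flags named above (an executive's name over an unrelated sender address, a Reply-To that goes somewhere else, link text that does not match the link's destination, an enticing attachment name, and urgency language) can be checked mechanically before anyone acts on a message. The script below is an added example and is not part of this column or any ASCE tool; the `KNOWN_PEOPLE` directory, the domain names and the sample message are all constructed for illustration.

```python
"""Flag common social-engineering indicators in a raw email message."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (hypothetical) directory: people a spoofer would impersonate and the
# domain their genuine mail comes from.
KNOWN_PEOPLE = {"jane smith": "asce.example"}

URGENCY = re.compile(r"\b(immediately|urgent(?:ly)?|right away|today|within 24 hours|"
                     r"suspended|unauthori[sz]ed|legal action)\b", re.I)
ENTICING = re.compile(r"(salary|bonus|reduction in force|layoff|gift card|invoice)", re.I)
HOSTLIKE = re.compile(r"^(?:https?://)?(?:www\.)?[\w-]+(?:\.[\w-]+)+", re.I)


class HtmlText(HTMLParser):
    """Collects the visible text and every (href, anchor text) pair of an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable(host):
    """Crude 'example.com' from 'login.example.com'; a real tool would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze(raw):
    """Return human-readable red flags found in one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    # Spear-phishing spoof: a known person's name shown over a foreign sender domain.
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    for person, real_dom in KNOWN_PEOPLE.items():
        if person in name.lower() and from_dom != real_dom:
            flags.append(f"display name impersonates {person} but address is at {from_dom}")
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To goes to {reply_dom}, not the From domain {from_dom}")

    # Phishing: link text that names one site while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_subtype() == "html":
        parser = HtmlText()
        parser.feed(content)
        visible = "".join(parser.text)
        for href, anchor in parser.links:
            href_host = urlparse(href).hostname or ""
            if HOSTLIKE.match(anchor):
                shown_host = urlparse(anchor if "://" in anchor else "http://" + anchor).hostname or ""
                if registrable(shown_host) != registrable(href_host):
                    flags.append(f"link shows {shown_host} but points to {href_host}")
    else:
        visible = content

    # Baiting: attachment names chosen to tempt the reader into opening them.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if ENTICING.search(fname):
            flags.append(f"enticing attachment name: {fname}")

    # The common thread: pressure to act now, in the subject or the body.
    hits = {m.group(0).lower() for m in URGENCY.finditer(msg.get("Subject", "") + " " + visible)}
    if hits:
        flags.append("urgency language: " + ", ".join(sorted(hits)))
    return flags


# Constructed sample message (not a real email) that trips every check above.
SAMPLE = b"""\
From: "Jane Smith, ASCE President" <jane.smith.asce@freemail.example>
Reply-To: wire.desk@another-mail.example
To: accountant@asce.example
Subject: Urgent: vendor payment needed today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>I am in a board meeting and cannot take calls. Please wire the payment
immediately and confirm at <a href="http://login.fakebank.example/verify">www.example-bank.com/secure</a>.</p>
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="Salary Information.pdf"

%PDF-1.4 placeholder
--b1--
"""

if __name__ == "__main__":
    for flag in analyze(SAMPLE):
        print("RED FLAG:", flag)
```

The checks are deliberately simple string and header comparisons; they will miss a carefully crafted message and will occasionally flag a legitimate one, so treat a hit as a reason to verify out of band, not as proof of fraud. The domain comparison in `registrable` keeps only the last two labels, which is wrong for suffixes like `.co.uk`; a production version would consult the public suffix list.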

For more information on social engineering and how it may affect your role as volunteer leader, stay tuned for an upcoming webinar on this subject to be hosted by ASCE’s Leader Training Committee.