WSJ reports that hackers "broke" into Twitter's security with some simple but effective social engineering. The pattern is familiar: the attackers call one person, "sweet talk" them into giving up a bit of information, then use that information to get past the next person, and so on until they hold high-level access.
When you get a phone call asking for information, any information at all, be wary, be cautious, and verify who is actually speaking with you.
The WSJ article quotes Twitter's statement, posted via tweet on Thursday: "This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems."
A few things you can do:
- Don't click on links in messages; go directly to the address you already know and trust.
- Call the person back on a number YOU already have, not one they give you.
- If it's a phone call, ask questions that only you and the other person would know the answer to.
- Have limits and written procedures for financial, technology, HR and other important changes, so that a single phone call can never authorize one.
The US Government's Cybersecurity and Infrastructure Security Agency (CISA) writes:
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Don't send sensitive information over the internet before checking a website's security. (See Protecting Your Privacy for more information.)
- Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with "https"—an indication that sites are secure—rather than "http".
- Look for a closed padlock icon—a sign your information will be encrypted.
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group. (See the APWG eCrime Research Papers).
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. (See Understanding Firewalls for Home and Small Office Use, Protecting Against Malicious Code, and Reducing Spam for more information.)
- Take advantage of any anti-phishing features offered by your email client and web browser.