As James Cagney would say, “You dirty, double-crossing rat.” That's the sentiment credit unions and small banks feel after falling for “social engineering” tactics.

Social engineers pretend to be someone they're not in hopes that you'll fall for their ploy and click on a link or attachment they send you that will surreptitiously download malware.

Here's an example of how social engineering works: Someone sends to one person or many people at your credit union an email posing as a prospective member. The email might say, “Our company is thinking about opening a business account with your credit union. Please review our attached financial data and let me know which type of account would work best for us.”

Once receivers click on the document, they inadvertently download malware onto their computer.

Social engineers often use social networking to successfully deploy attacks because it's often easier to get into your network that way than it is to discover ways to hack your software.

Here's an example of how easy it is for a cyber thief to attack you through social networking. The hacker, Mr. Badman, targets ABC Credit Union. He goes to LinkedIn to see who all is affiliated with the organization. There, he sees that Bob Beaty Brown is the chief financial officer and that Elizabeth Ann White is executive administrative assistant. Then, Badman hunts for the names Elizabeth Ann White and Bob Beaty Brown on Facebook.

Lo and behold, not only are they both there, Brown's profile is marked “public,” so anyone can see his page. There it shows he works for ABC Credit Union, and he just so happens to have recently posted photos of him and his wife, Cathy, from their recent trip to the Bahamas. Badman calls up ABC and asks for Elizabeth's email. He then sends her an email saying, “Hi Elizabeth. I had dinner in the Bahamas with Bob and his wife, Cathy. He asked that I email you the attached receipt.” Elizabeth then clicks on the attachment and unwittingly downloads malware onto her computer.

Social networking sites can be a great way to promote your credit union, but they could also wreak havoc if you're not careful with what information you share.

Train your employees to use social networking sites securely. Be wary of friend requests from people you don't know just because they are “friends” of your friends. Keep your Facebook account on private settings.

Be wary of clicking on any links without hovering over them to see where they actually lead. For example, they might click on a link that says cutimes.com, but the link might really be set to another domain. In this case, I have set that link to take you to Secureworks.com, but a hacker could set that link to some other domain that would download malware once you click on the link. Don't click on any shortened links, such as bit.ly/1aY2bGy, because when you hover over the shortened links with your mouse, you still can't see the actual domain the link takes you to.
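
The hover check described above can also be automated for HTML email. The Python sketch below is an added example, not part of the original article: it flags links whose visible text names one domain while the href leads to another, and links that pass through a URL shortener. The shortener list and the same-site comparison are simplifying assumptions, and the sample message is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, non-exhaustive shortener list; bit.ly is the one the article names.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def host_of(url):
    # Lower-cased host of a URL or bare domain, without a leading "www."
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def same_site(a, b):
    # Simplification: equal hosts or a parent/subdomain pair count as one site.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (visible text, real host, reason)
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith(("http://", "https://")):
            self._href, self._text = href, []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text, real = "".join(self._text).strip(), host_of(self._href)
        shown = DOMAIN_RE.search(text)  # a domain printed in the link text
        if real in SHORTENERS:
            self.findings.append((text, real, "shortened link hides destination"))
        elif shown and not same_site(host_of(shown.group(0)), real):
            self.findings.append((text, real, "text and destination differ"))
        self._href = None

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample body using the domains mentioned in the article.
SAMPLE = ('<p>Read <a href="https://www.secureworks.com/">cutimes.com</a>, open '
          '<a href="http://bit.ly/1aY2bGy">the receipt</a>, or visit '
          '<a href="https://www.cutimes.com/news">www.cutimes.com</a>.</p>')

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```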

It would be nice to be able to trust everyone, but when you don't “trust but verify,” you often end up communicating with a rat. And that stinks.

Jeff Multz is security evangelist/director, Midmarket North America, for Dell SecureWorks in Atlanta.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.