Social Engineering is a pretty hot topic nowadays. It seems like every time you turn around there is another story about a major corporation, important person or institution whose data has been compromised. Often, these hacks began with an email that shouldn’t have been opened, or the revealing of information that should never have been told.
No, these attacks are not the brainchild of some evil tech genius, cranking out infected code and overrunning systems with malware. Rather, they are the results of an art that dates back as far as human existence, when the first cave man convinced the second cave man that it was entirely worthwhile to trade his woolly mammoth for a handful of rocks.
At its most basic level, Social Engineering is the use of psychological manipulation to dupe people into revealing sensitive data or taking an action they otherwise wouldn’t. Social Engineering, as defined by SocialEngineering.org, is “any act that influences a person to take an action that may or may not be in their best interest”. It’s all about convincing targets to open up and divulge information of their own volition.
Often the fraudster (or, as they are known in the cyber security world, the malicious actor) is after confidential corporate data, but don’t be fooled into thinking these guys aren’t after you and your information. These crooks are just as interested in the little guys as they are in the big ones, and if they think they can cause you and your money or information to part ways, they will try to arrange it.
Con men and tech – a dangerous combo
Social engineering isn’t limited to the realm of cyber security. It’s just that when it is done in conjunction with a technical aspect, the combo is a potent one. This dangerous mix has tons of manifestations, but some typical scenarios go like this:
- You get an email from an organization called “Save the baby armadillos!” asking you to download their special report or ebook to find out how you can make the lives of millions of armadillos a little brighter. Or maybe it’s an email imploring you to “Click the link below to read the funniest joke ever!”
- Your grandmother gets a call from “her bank”. They tell her that someone tried to access her account. The “representative” tells her she needs to give them her email address and they will send her a form to fill out with her banking info and they will report the incident.
- Your spouse gets a job offer from someone on LinkedIn. You can’t really find much information about the company, save for a website that seems pretty low on stats…But the benefits would be awesome. All they need is your bank account information and social security number. “The accounting department needs this information to set things up.”
These scenarios use some of the most potent tools online charlatans have in their pockets:
Phishing: The use of emails or websites that impersonate someone you trust to convince targets to download malware or disclose sensitive information.
Pretexting: Creating a plausible backstory to extract information, such as calls or emails from “your bank” stating that someone tried to use your card, so you have to verify your bank information. Or it may be an email from “your IT department” saying that they have a new phone number: “From now on, for all IT issues call us at….” Often this method leans on an authority figure, such as a bank manager or IT personnel, to compel people to reveal information.
Baiting: Think of this as the proverbial carrot on a stick. Someone shows you something you want, but the offer seems too good to be true. You want it so badly that you’re willing to do things that might not be in your best interests, but they’ve got their hooks so deep into you that you can’t resist.
These are some of the most common ways creeps use deception and technology in tandem. Sound scary? Well, it’s not great, but there are some things you can do to keep yourself, your family and your information safe.
How to avoid falling prey to social engineering
1. Never open email attachments or click embedded links
That email with the attachment that says “You have to read this!” can harbor dangerous malware. If it does, then the moment you open and run the attachment, that virus, trojan or spyware runs with the same access to your files and accounts that you have; no further permission is needed. If you weren’t expecting an attachment, don’t open it, and treat links the same way: go to the site by typing its address yourself rather than clicking what the email gives you.
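Because the file name is the attacker’s choice, the only honest way to tell what an attachment is, is to look at its first bytes. The following script is an added example for this post, not code from the original article or from any ZoneAlarm product: it triages an attachment by its extension chain (so “invoice.pdf.exe” is caught even when Windows hides the last extension) and by its magic bytes, and it flags Office files that carry a VBA macro project. All the sample attachments are constructed byte strings, not real files.

```python
"""Triage an email attachment by its name and its first bytes rather than its icon.

Constructed example: every sample attachment below is a made-up byte string.
"""
import io
import zipfile

# Extensions Windows will execute or run as a script when double-clicked (not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "wsf", "hta", "ps1", "msi", "lnk"}
# What a file with this extension should contain, as reported by sniff().
EXPECTED_KIND = {"pdf": "pdf", "docx": "office-document", "xlsx": "office-document",
                 "pptx": "office-document", "docm": "office-macro", "xlsm": "office-macro",
                 "zip": "zip-archive"}


def extensions(filename: str) -> list:
    """All extensions in order, so 'invoice.pdf.exe' gives ['pdf', 'exe']."""
    return filename.lower().split(".")[1:]


def sniff(data: bytes) -> str:
    """Identify the content from its magic bytes; the file name is attacker-controlled."""
    if data[:2] == b"MZ":
        return "pe-executable"            # Windows EXE/DLL/SCR, whatever it is called
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole2-legacy-office"       # old-style .doc/.xls, can carry VBA macros
    if data[:4] == b"PK\x03\x04":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "office-macro"         # OOXML document with an embedded VBA project
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "office-document"
        return "zip-archive"
    return "unknown"


def triage(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason) where verdict is 'block', 'warn' or 'allow'."""
    exts = extensions(filename)
    kind = sniff(data)
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        # 'invoice.pdf.exe' shows as 'invoice.pdf' when Windows hides known extensions
        return "block", f"executable extension .{exts[-1]}"
    if kind == "pe-executable":
        return "block", f"content is a Windows executable although it is named {filename}"
    if kind in ("office-macro", "ole2-legacy-office"):
        return "warn", "document can carry macros; open only with macros disabled"
    expected = EXPECTED_KIND.get(exts[-1]) if exts else None
    if expected and kind != expected:
        return "block", f"extension .{exts[-1]} but content looks like {kind}"
    if kind in ("unknown", "zip-corrupt"):
        return "warn", "unrecognised content; do not open outside a sandbox"
    return "allow", f"content ({kind}) matches the name"


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word file: a zip with OOXML layout, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (not real malware, just the tell-tale first bytes).
SAMPLES = {
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "statement.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "report.docx": build_ooxml(with_macro=False),
    "report.docm": build_ooxml(with_macro=True),
    "holiday.jpg.scr": b"MZ" + b"\x00" * 62,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, reason = triage(name, blob)
        print(f"{verdict:5}  {name:16}  {reason}")
```

Note that “invoice.pdf” is blocked even though its name looks harmless: the `MZ` header says it is a Windows executable, and that is what would run. A real mail gateway does much more (it detonates the file in a sandbox, which is what an attachment scanner like the one described later in this post is for), but the two checks here catch the bulk of the everyday “open this document” lures.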
2. Don’t give out information over the phone
If “your bank” calls you and says they need certain information, tell them you will call them back. Hang up, go to your bank’s website to get the phone number, or get it from the back of your banking card, and call them. Don’t call back a number the caller gives you, and don’t trust the number on your caller ID either, since it can be faked. You can then ask the representative at the bank (now you’re sure it’s the bank) whether the call you received was legit or not.
3. Check all website URLs
A common tactic used by social engineering scammers is to create a spoof website and hope that people who aren’t too discerning will think it is real. Generally, just by looking at the URL (website address) you can tell whether it’s right, as long as you look at the right part: the domain name immediately before the first single slash. An address like examplebank.com.account-verify.net belongs to account-verify.net, not to your bank, and a name with a digit one swapped in for the letter l is a different site entirely. A padlock icon only means the connection is encrypted, not that the site is honest. If something seems odd about it, stay away.
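The checks above are mechanical enough to write down. The following Python script is an added example for this post (not code from the original article or from ZoneAlarm): it takes a URL, pulls out the registrable domain, and compares it against a short allowlist of sites the reader actually uses, catching the common tricks one by one: the real brand name buried in a subdomain of an attacker’s domain, look-alike characters, punycode labels, and the “user@host” trick where everything before the @ is ignored by the browser. The domains examplebank.com and exampleshop.com are made up for the example.

```python
"""Classify a URL as trusted, as one of the usual spoofing patterns, or as unknown.

Constructed example: the allowlist and the sample URLs are made up for illustration.
"""
from urllib.parse import urlsplit

# Domains the reader actually uses (constructed allowlist).
TRUSTED_DOMAINS = ("examplebank.com", "exampleshop.com")

# Characters scammers swap in because they look alike at a glance (not exhaustive).
CONFUSABLES = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("vv", "w"), ("rn", "m"))


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: production code should use the Public Suffix List so that
    'example.co.uk' is handled; two labels is enough for this example.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def skeleton(name: str) -> str:
    """Collapse look-alike characters so 'examp1ebank' compares equal to 'examplebank'."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def classify_url(url: str) -> str:
    """Return one of: trusted, userinfo-trick, punycode, brand-misplaced, lookalike, unknown, invalid."""
    if "://" not in url:
        url = "http://" + url  # a bare 'examplebank.com/login' pasted into an email body
    parts = urlsplit(url)
    # https://examplebank.com@evil.example/ : everything before '@' is a username, not the host
    if parts.username is not None:
        return "userinfo-trick"
    host = (parts.hostname or "").rstrip(".")  # urlsplit lower-cases the hostname for us
    if not host:
        return "invalid"
    labels = host.split(".")
    # IDNA punycode labels can encode letters from other scripts that render like Latin ones
    if any(label.startswith("xn--") for label in labels):
        return "punycode"
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # The brand name appears in the host, but the registrable domain is someone else's:
        # examplebank.com.account-verify.net, secure-exampleshop-login.com
        if any(brand in label for label in labels):
            return "brand-misplaced"
        # Same shape as the real domain once look-alike characters are collapsed: examp1ebank.com
        if skeleton(reg) == skeleton(trusted):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kind that turn up in phishing emails.
    for sample in (
        "https://www.examplebank.com/login",
        "https://examplebank.com.account-verify.net/login",
        "https://examp1ebank.com/login",
        "https://examplebank.com@evil.example/login",
        "https://secure-exampleshop-login.com/",
        "https://xn--exmplebank-abc.com/",
        "https://totally-unrelated.org/",
    ):
        print(f"{classify_url(sample):16} {sample}")
```

Anything other than “trusted” is a reason to close the tab and type the bank’s address yourself. The script errs on the side of suspicion on purpose: a legitimate partner site that mentions the brand in its hostname will also come back as “brand-misplaced”, and that is the right default for a link that arrived in an email.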
4. Educate yourself, and your loved ones
Education is the best way to stay up-to-date on the latest scams, because tactics change constantly. Just being aware that people are out to get you should keep you on your toes. Let your friends and family know just how real the issue is and keep them updated as well.
5. Be a general skeptic
If you are from New York, you’re probably already a pro at this. If not, learn to think like a New Yorker and don’t believe nobody for nothin’. There is nothing a conman likes better than an easy target, technical savviness aside. Keep your radar up all the time and remember–if something seems too good to be true, it probably is.
6. Install a strong antivirus
How can an antivirus program stop a con artist? Think about it this way. We already know that infected attachments and phishing emails are two of the tools these creeps use to ensnare victims. Make sure your antivirus has a powerful attachment scanner and a strong spam filter to catch those phishing emails before they land in your inbox.
Threat Emulation is the powerful tool that comes with ZoneAlarm’s antivirus software and makes sure that you don’t open dangerous attachments. If you do get a sketchy looking attachment in your inbox, check it first using Threat Emulation to make sure the attachment is safe. This is your number 1 way of ensuring that you’re protected from sketchy Social Engineering emails.
Now your part is to use your head. All the spam blockers, attachment filters and articles about how to avoid social engineering in the world can’t help you if you turn off your brain while you’re on the internet. Don’t get caught up in the moment or act without thinking.
In the words of Mad-Eye Moody, “Constant Vigilance!” And that’s your job: to employ constant vigilance.
Have you ever been the victim of Social Engineering?