What is Social Engineering?

Social engineering is a phrase used for a wide range of malicious activities accomplished through human interaction.

Social engineering is particularly dangerous because it relies on mistakes made by a person, instead of weaknesses and flaws in operating systems and software. Mistakes made by humans are less obvious, making them harder to recognize and prevent.

Users are tricked into providing confidential information such as usernames, passwords and other personal details.

Cybercriminals use deceptive practices to gain this information and then use it for malicious purposes which can include identity and financial theft, malware infections and data theft and loss.

There are many ways that social engineering attacks can happen. Here are a few examples of the most common types of attacks.

Phishing

Phishing is done by sending an email or text message that looks like it is coming from a legitimate source like a friend, co-worker or business. The message may contain a link that directs you to a malicious website where you are prompted to provide your username, password, bank account information, Social Security number or other private, confidential information.

Spear phishing targets a single person or company and can look like it is coming from someone within the company, often someone in a position of authority or someone known to the person. The intent is to gain trust and steal information.

Baiting & Quid Pro Quo Attacks

Baiting can be delivered in a variety of ways including USB drives, CDs and DVDs, ads, email, social media and websites. The baiter relies on the user wanting to receive the “prize” or “freebie” being offered. When the victim falls for the scam, the result can be theft and malware infection.

Quid pro quo attacks start with a scammer promising you something valuable if you provide them with what they are asking for.

This can be in the form of a free product or service, a prize, a coupon or discount or a free trial. To receive the offer, you may be asked to pay a fee, provide confidential information, or grant them access to your device.

Smishing & Vishing

Similar to phishing, smishing and vishing use phone calls or text messages to trick users into providing personal and confidential information about themselves or the company they work for. Smishing usually comes in SMS/text messages while vishing can come via phone including robocalls and voice mail. A smishing attack may be a text message that contains a link to a fraudulent website. Opening the link can result in theft or malware infections.

During a vishing attack the caller may ask for information like your name, credit card number, address, Social Security number, bank account number or other private information. They may ask you a question that you are likely to respond “yes” to and then record your voice. The recording can then be used to impersonate you and gain access to your accounts.

Contact Hacking

This is when a hacker gains access to your social media or email accounts and steals your contact information. Once they acquire this information, they can target those people with malicious email and social media messages to trick them into providing personal information or downloading malware.

Pretexting

Pretexting usually involves someone impersonating another person or organization, such as a friend, a coworker, a company you do business with or the IRS. They press you to provide information to them. You may be contacted online, by phone or text message, or in person; for example, they may ask you to fill out a survey or other document. The intent is to build trust and steal confidential information.

Rogue Attacks and Scareware

Victims are often inundated with false alarms and bogus threats. Users are tricked into believing their computers, tablets or smartphones are infected with malware, prompting them to install software to fix the problem. The software they install does not fix anything; it actually installs malware on the device, which often gives the attacker remote access.

A popup may be displayed on your device notifying you that you have been infected with malware and must call a number displayed on the screen and pay to have the malware removed.

These are just a few examples of social engineering attacks, and certainly not a complete list.

How to Stay Safe

Check the Source

Stop and think about what is taking place. Where is the communication coming from? Do you feel pressured to provide information? Why would the person need this information? If it appears to be coming from someone you know, contact that person directly. Don’t reply to any type of communication until you have verified it is legitimate.

Is it Realistic?

Some of these scams involve telling you that a friend or family member is in trouble. For example, the caller may pretend to be your grandson, who is in jail and needs bail money, or a friend who is stuck in a foreign country and cannot get home unless you send money. Again, check the source: call your grandson or friend directly.

Keep Company Information Private

Do not provide information about your company to anyone that is not a trusted source.

Secure your Devices

Keep the operating system on your computers, tablets and smartphones up to date. Install antivirus software on your devices, keep it up to date and run regular scans.

Use a passcode or another lock method to secure your devices.

Practice Password Safety

Never reuse a password across accounts.

Choose a strong, long password that is a combination of numbers, letters and special characters.

Never share your passwords with others.

Change your passwords regularly.

Use a secure password manager to save your login information.

Enable multifactor authentication.


Avoid Sharing on Social Media

We share far too much on social media, and these sites are prime targets for criminals looking to gather personal information about you. They can scan your profile and build a picture of you. Businesses often use personal information for security questions, so knowing your birthday or the school you attended can make it easier to hack your accounts. Scammers design social media quizzes and games to trick you into answering personal questions.

Personal information can also be used to open fraudulent accounts. Normally, a thief will need to know your Social Security number to open a credit card account or take out a loan in your name. But if they already have your Social Security number, which is quite possible considering the major data breaches that have taken place, they can use other information gathered from your social media account, such as your name and birthday, to open accounts and steal your identity.

Social media is a breeding ground for criminal activity. Don’t share pictures, your children’s names and information, your schedule, your vacation plans, your location, phone number, email address, date of birth, place of birth, workplace or anything confidential. You are essentially giving criminals all they need to build a detailed profile of you and your family. Combined with what has been collected from the many data breaches that have occurred, this gives them information about every detail of your life. It is like giving them a key to your personal filing cabinet and family history. This information is sold on the dark web and used for various kinds of criminal activity, putting you and your family in danger.

Be Careful Meeting People Online

A connection with someone you have never met can be dangerous. Always practice caution when interacting with someone you have met online and don’t know personally.

Other Safety Tips

Don’t leave your laptop, tablet or smartphone unattended. They can easily be stolen.

Never plug an unknown USB device into your computer or laptop.

Never respond to a request for confidential information or passwords. No legitimate company or person will ever ask for this information.

Beware of any downloads. Don’t click on download links or open email attachments you are not sure of.

Don’t answer calls or text messages from unknown numbers.

Freeze your credit. It is free to freeze your credit and it takes just a few minutes. This can be done online or by calling the three major credit bureaus: Experian, TransUnion and Equifax. If a scammer has obtained your private information, freezing your credit can prevent them from opening credit accounts in your name.

Hover your mouse over links to see if they direct you to a different site than the one you are expecting.
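The hover check can also be automated. The script below is an added example, not part of this article: it reads the HTML body of a message, collects every link, and compares the site named in the link’s visible text with the site the link actually points to. The message body, the domains in it and the helper names (`check_links`, `registrable_domain`) are all constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample message body (not a real email). It contains one honest
# link, one whose visible text names a different site than its destination,
# and one whose text ("Click here") names no site at all.
SAMPLE_HTML = """
<p>Your statement is ready.</p>
<p><a href="https://www.example.com/login">https://www.example.com/login</a></p>
<p><a href="http://example-login.invalid/verify">https://www.example.com/verify</a></p>
<p><a href="https://bank.example.net/">Click here to confirm</a></p>
"""

# Finds something that looks like a hostname inside the link's visible text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. www.example.com -> example.com.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str):
    """Return one finding per link as (verdict, visible text, destination host).
    verdict is 'ok', 'mismatch' (text names a different site than the href)
    or 'unlabelled' (text names no site, so the destination is just reported)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest_host = urlsplit(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if not shown:
            findings.append(("unlabelled", text, dest_host))
        elif registrable_domain(shown.group(1)) != registrable_domain(dest_host):
            findings.append(("mismatch", text, dest_host))
        else:
            findings.append(("ok", text, dest_host))
    return findings


if __name__ == "__main__":
    for verdict, text, host in check_links(SAMPLE_HTML):
        print(f"{verdict:10} shown={text!r:40} goes to={host}")
```

Running it on the sample flags the second link as a mismatch (the text says www.example.com, the destination is example-login.invalid) and reports the destination of the “Click here” link so the reader can judge it, which is exactly what hovering over the link would reveal.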

Be suspicious anytime an email, text message or phone call tries to instill a sense of urgency or fear.

Check messages for spelling, language and grammar errors.

Don’t be afraid to hang up the phone. If anything seems out of the ordinary or you are suspicious of the caller, hang up.

Delete, without opening, any email message you are suspicious of.

Remember the old saying “There’s no such thing as a free lunch.” If something sounds too good to be true, it probably is.