Online social engineering
Like most aspects and characteristics of everyday life, social engineering transferred to the world wide web too, as soon as it could. For those of you who are unaware what social engineering is, here is a definition provided by Linda Criddle: “Social engineering is the art of manipulating people so they give up confidential information.” Every Nigerian prince that contacted you offering gold or diamonds in return for a hundred dollars is actually a criminal using one of various social engineering attacks to trick you. We’re gonna go over two of the most common social engineering attacks and explain how to protect yourself from being tricked.
The two most common forms of online social engineering
In the case of the aforementioned Nigerian prince, we’re talking about the most common form of a social engineering attack — phishing. Phishing is using a message sent via e-mail or any other form of internet communication like an instant message or comment. At a first glance, it looks like a legitimate person or institution. Inside the message, they’re telling a story about how, for example, your bank account was blocked and you need to fill up a standard form with some information about it to unblock it. If you don’t fill in the form and send it by tomorrow, your funds will be lost. You click on the form link and fill it in with your bank card number, expiration date and CSV. And when you submit the form, your bank account is suddenly emptied. That’s the ideal scenario for a phisher. They successfully created pressure and stress by putting you in an urgent situation and forced you to react fast and without thinking. If you ever get a message like that from an institution like the IRS or a bank, the best course of action is to slow down. Think it through and focus on the details. If you take a closer look at the form, you probably won’t find a mistake — they are usually copied from your banks’ site and look legitimate. Until you notice that the website is not “yourbank.com” but “yourbnak.com”. If you’re ever having doubts, google the official website and call the customer service phone number there. Don’t use links or telephone numbers provided by the mail. Phishers usually replace them with their own links and telephone numbers and confirm that you need to fill in the form or, to make it faster, just tell them the information via the telephone.
The second common form of a social engineering attack we’ll mention is baiting. You will get an offer you can’t refuse — download your favourite actors’ new film that just arrived to cinema for only $0.99! Get the newest game you want to play (but you’re not willing to pay) by directly downloading it for free! Or the most common one, an internet classic — hot girls in your area that want to meet up with you! All of those are baits and clicking them takes you to a malicious site. Those sites provide a program to download and run. When you click on it and give it permission, you run a virus or give remote access to your PC to the person who set up the bait. Then, everything on your PC is up for taking — saved passwords, saved credit card information etc. The best course of action is to simply ignore offers like that. If it’s too good to be true, it’s not true. Period.
How to stay safe
Online social engineering is widespread and you will definitely run into at least one of the two aforementioned attacks. As we stated before, the most important thing when faced with some special offer that’s too good to be true or an urgent request for help is: slowing down. Do your research and google everything — the website, the e-mail address it was sent from, and find the facts. You probably won’t be the first person to google it and you might find an answer right away, usually from other people who got the same offer or request.
If anyone is asking you for your financial information or passwords — it’s an attack. Banks, online shops and other websites have all the sensitive information stored on their servers. They will never ask you to send it via e-mail. If you need to confirm any personal information, it’s a scam.
Unfortunately, with e-mail hijacking and theft being a growing phenomenon, you should also be careful with e-mails from friends. Be wary of links and downloads that your friends send you. You might get an e-mail from a friend telling you to check out some special offer. If you didn’t previously mention the website your friend is referring you to, try to respond to the mail and start some form of conversation to see if you’re actually dealing with a bot or a scammer.
You should always have an up-to-date antivirus and firewall, alongside with e-mail spam filters. Just make sure to check your spam folder every once in a while to see if any e-mail that should’ve passed the filter somehow got stuck in there.