Introduction to Social Engineering
If you have ever been tricked into giving your password to a fake website, you’ve been the victim of Social Engineering. Social Engineering is the “use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes”. To put it simply, social engineering involves a criminal tricking you into giving up information that you wouldn’t otherwise want to give them. This is usually done by appealing to your emotions and creating a sense of urgency that is designed to make you not think rationally. This can occur both online and in-person. However, the most common forms of social engineering occur online.
What Does it Look Like?
Social engineering can take many forms, both online and in-person. Below are some of the most common and effective ways that criminals extract information from unsuspecting victims:
- Baiting: This strategy involves leaving a USB or other physical device where an unsuspecting victim will find it and hopefully insert it into their computer. The USB could contain malware, ransomware, or other spyware to collect information for criminals looking to make a profit.
- Phishing: By far the most common strategy and one that fills your spam inbox every day. Phishing involves sending an email or text to the target that usually contains a link to either a malware downloader or a fake website. Phishing attacks are considered a ‘shotgun approach’, meaning the criminals don’t necessarily know who their targets are. Instead, they try to get their message out to as many people as possible hoping that a few of them will click the link.
- Spear Phishing: Spear phishing is a targeted version of phishing in which criminals craft emails that are indistinguishable from real ones in order to extract large amounts of money from companies. Spear phishing usually targets high-ranking executives, people in Human Resources and Finance, or employees with a large number of privileges, such as system administrators. To make their emails look real, spear phishers are usually already inside the company's email system before they attempt to imitate messages such as third-party invoices or purchase orders.
- Email Hacking/Content Spamming: Another, more targeted type of phishing. Criminals using this strategy compromise one email account and then send malicious links to all of the victim's contacts. In this case, the emails carry some credibility, since they come from a known contact.
- Pretexting: This strategy can take place both online and in-person. Criminals lure potential victims in with a story that sounds too good to be true (think Nigerian Prince offering you his fortune) in return for some personal information. That information is typically social security numbers or bank details, requested under the pretext of verifying your identity.
- Quid Pro Quo: Another strategy that can be performed both online and in-person. The most common example of a quid pro quo attack is a criminal pretending to be tech support. Someone who is not technically literate may be confused by the jargon the criminals use and believe they are there to help. In reality, the criminals give themselves access to your entire computer and can do whatever they want with it.
- Tailgating: A purely in-person strategy that involves following someone with elevated privileges into an area the follower is not authorized to enter. This may be as simple as pretending to be a janitor who forgot their keys to the server room.
As with all types of security attacks, there are safeguards we can take to lower our own risk and stay safe. It's important to understand that none of these attacks would be possible without the victim enabling them. As a result, many of the prevention tips revolve around the victim's mindset:
- Consider the source: If your bank were having an issue with your account, they would either call you directly or ask you to call their hotline.
- Slow down: Many of these attacks are designed to create a sense of urgency. Take a step back and evaluate the facts before doing anything that may put your information in danger.
- Don’t click on suspicious links or attachments: Always do your due diligence of hovering over links and thinking about the content of attachments before clicking them. If you have any doubts about the authenticity of the email or the sender, do not click on any link or attachment.
- If it sounds too good to be true, it is: Unfortunately, no one is going to offer you millions of dollars from a contest that you didn’t enter.
- Don’t hold open locked doors for strangers: This tip is for those of us who work in office buildings with keycards. It’s important to understand that being polite shouldn’t come at the cost of security and if you don’t know the person behind you, don’t hold the door open for them without seeing their keycard.
- Don’t trust everything that you receive from contacts: More people are getting hacked every day. Just because someone is in your contact list doesn’t mean that everything that they send you is safe. Always do your due diligence with regards to links and attachments.
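The "hover over links" and "consider the source" tips above can be automated as a simple pre-screening step. The script below is an added illustration and is not code from the original article: it parses the anchor tags in an HTML email body and flags the classic phishing signs a careful reader would spot by hovering, namely visible link text that names one host while the real href goes to another, links to bare IP addresses, plain-http links, punycode lookalike hosts and, when an expected organisation domain is supplied, links that leave that domain entirely. The sample email body, the bank name and the `assess_links` / `suspicious_links` function names are all constructed for this example.

```python
"""Flag anchor tags in an HTML email body whose visible text, scheme or host
looks like a phishing indicator. Added illustration, not the article's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample email body for demonstration only (no real organisation).
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked. Verify within 24 hours:</p>
<a href="http://198.51.100.23/login">https://www.examplebank.com/secure</a><br>
<a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a><br>
<a href="https://examplebank-verify.example.net/x">Click here to restore access</a>
"""

# Visible text that itself looks like a URL or bare domain name.
DOMAIN_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(s):
    """Lower-case host of a URL or bare domain string, or None if there is none."""
    candidate = s if "://" in s else "http://" + s
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_links(html, expected_domain=None):
    """Return [(href, text, reasons)] for every link; reasons is empty when clean.

    expected_domain (optional) is the organisation the mail claims to come from;
    any href whose host is not that domain or a subdomain of it is flagged."""
    parser = _LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        reasons = []
        href_host = _host_of(href)
        if href_host is None:
            reasons.append("href has no host")
        else:
            if _is_ip(href_host):
                reasons.append("href points at a bare IP address")
            if urlparse(href).scheme == "http":
                reasons.append("href is not https")
            if href_host.startswith("xn--") or ".xn--" in href_host:
                reasons.append("punycode host (possible lookalike domain)")
            if DOMAIN_RE.match(text):
                text_host = _host_of(text)
                if text_host and text_host != href_host:
                    reasons.append(f"visible text says {text_host} but href goes to {href_host}")
            if expected_domain:
                exp = expected_domain.lower()
                if href_host != exp and not href_host.endswith("." + exp):
                    reasons.append(f"href host {href_host} is outside {exp}")
        results.append((href, text, reasons))
    return results


def suspicious_links(html, expected_domain=None):
    """Only the links that triggered at least one reason."""
    return [r for r in assess_links(html, expected_domain) if r[2]]


if __name__ == "__main__":
    for href, text, reasons in assess_links(SAMPLE_EMAIL, "examplebank.com"):
        print(("SUSPICIOUS" if reasons else "ok"), f"'{text}' -> {href}")
        for why in reasons:
            print("   -", why)
```

Run against the constructed sample, the first link is flagged three times over (IP host, plain http, text/href host mismatch) and the third is flagged only once the expected domain is supplied, which is exactly the case a "Click here" link to a lookalike domain relies on: nothing in the visible text gives it away, so the check has to compare the real destination against where the mail claims to come from.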