Social engineering is the art of manipulating people so that they give up confidential information. The types of information these criminals seek can vary, but when individuals are targeted, the criminals are usually trying to trick you into giving them your passwords or bank information, or access to your computer to secretly install malicious software that will give them access to this information, as well as control over your computer.
In 2014 there was an influx in all forms related to cybersecurity. However, social engineering could be one of the easiest forms for cybercriminals to obtain confidential, private, and important information from everyday people. Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for criminals to try hacking your password.
The risks associated with social engineering as just as serious as the countless attacks and breaches that have been flooding recent headlines. Attackers know that most people take security measures for granted and feed off this dependency, which is why understanding what social engineering is, and the types of lures that are usually used, is the first step towards preventing them. The simplest, yet most effective way to protect yourself from social engineering threats is to be aware of how it works and how these methods hook their victims. To better understand what these are, here's a list of the most common social engineering hacks:
Baiting involves dangling something you want in front of you to entice you to take an action the criminal desires. It can be in the form of a music or movie download on a peer-to-peer site, or it can be a USB flash drive with a company logo labeled "Executive Salary Summary Q1 2014" left out in the open for you to find. Then, once the device is used or downloaded, the person or company's computer is infected with malicious software, allowing the criminal to advance into your system.
Phishing involves false emails, chats, or websites designed to impersonate real systems with the goal of capturing sensitive data. A message might come from a bank or other well known institution with the need to "verify" your login information. It will usually be a mocked-up login page with all the right logos to look legitimate.
Pretexting is the human equivalent of phishing, where someone impersonates an authority figure or someone you trust to gain access to your login information. It can take form as fake IT support needing to do maintenance, or a false investigator performing a company audit. Someone might impersonate co-workers, the police, tax authorities or other seemingly legitimate people in order to gain access to your computer and information.
Quid Pro Quo:
Quid Pro Quo is a request for your information in exchange for some compensation. It could be a free T-shirt or access to an online game or service in exchange for your login information credentials, or a researcher asking for your password as a part of an experiment in exchange for $100.
Tailgating is when someone follows you into a restricted area or system. Traditionally, this is when someone asks you to hold the door open behind you because they forgot their company card. But this could also take the form of someone asking to borrow your phone or laptop to perform a simple action, when they are actually installing some malicious software.
Don't Become a Victim
Here are some simple ways to protect yourself from becoming a victim of social engineering:
Slow Down - Criminals using social engineering want you to act first and think later. If the message conveys a sense of urgency, or uses high-pressure sales tactics, be skeptical. Never let their urgency influence your careful review.
Research the Facts - Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company's site, or a phone directory to find their phone number.
Delete Any Request for Financial Information or Passwords - If you get asked to reply to a message with personal information, it's a scam. Simple as that.
Reject Requests for Help or Offers of Help - Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to "help" restore credit scores, refinance a home, answer your question, etc... a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it.
Don't Let a Link Be In Control of Where You Land - Stay in control by finding the website yourself using a search engine to be sure you land where you intend to. Hovering over links in the email will show you the actual URL at the bottom, but a good fake can steer you wrong.
Beware of social engineering. Although we think it will never happen to us, sometimes the con artists are clever enough to fool even the most cautious people. Understanding the types of social engineering attacks is the first step towards preventing them. A good rule of thumb is to always have a good backup in place. If someone does hack in to your information and data, you'll be glad you have a copy.