Social engineering is the art of manipulating people so they give up confidential information. The information the criminals are after varies, but when individuals are targeted they are usually trying to trick you into handing over your passwords or bank details, or into giving them access to your computer so they can secretly install malicious software that harvests those passwords and bank details and gives them control of the machine.
Cybercriminals use social engineering because it is often easier to exploit your natural inclination to trust than to find a flaw in your software. For example, it is much easier to fool someone into giving away their password than it is to crack that password (unless the password is really weak).
Security is all about knowing who and what to trust: when to take a person at their word, when to trust that the person you are communicating with really is who you think they are, when to trust that a website or a caller is legitimate, and when handing over your information is, or is not, a good idea.
Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It does not matter how many locks and deadbolts are on your doors and windows, or how many alarm systems, floodlights, barbed-wire fences and armed guards you have: if you trust the person at the gate who says he is the pizza delivery guy and let him in without first checking that he is legitimate, you are completely exposed to whatever risk he represents.
Common social engineering attacks
Email from a ‘friend’ – If a cybercriminal manages to hack or socially engineer a person’s email password, they have that person’s contact list too. And because many people reuse one password everywhere, they may well have access to that person’s social networks, bank accounts and other personal accounts as well.
Once the criminal controls that email account, they send messages to all of the person’s contacts, or leave messages on all of their friends’ social pages, and possibly on the pages of those friends’ friends as well.
These messages may use your trust and curiosity. For example, they may:
- Contain a link that you just have to check out. Because the link comes from a friend and you are curious, you trust it and click, and as a result you are infected with malware that lets the criminal take over your machine, collect your contacts’ details and deceive them just as they deceived you.
- Contain a download (pictures, music, movies, documents, etc.) with malicious software embedded. If you download it, which you are likely to do since you think it came from your friend, you become infected. Now the criminal may have access to your machine, email account, social networks and contacts, and the attack spreads to everyone you know. And on, and on.
These messages may create a compelling story or pretext:
- Urgently ask for your help: your ‘friend’ is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home, but in reality the instructions they give you send the money to the cybercriminal.
- Ask you to donate to their charitable fundraiser, or some other cause, which is of course a front. Again, the instructions they provide send your money to the cybercriminal.
Phishing attempts. Typically, a phisher sends an e-mail, instant message, comment, or text message that appears to come from a legitimate (and typically popular) company, bank, school, or institution.
These messages usually have a scenario or tell a story:
- The message may explain that there is a problem which requires you to “verify” your information by clicking the displayed link and filling in their form. The linked page may look entirely legitimate, with all the right logos and content (the criminals may have copied the exact layout and text of the real site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook asks for. These phishing scams usually include a warning of what will happen if you fail to act soon, because criminals know that if they can get you to act before you think, you are more likely to fall for the attempt.
- The message may notify you that you are a ‘winner’. Perhaps the email claims to be from a lottery, or a dead relative, or a site claiming that you are the millionth person to click, etc. To claim your ‘winnings’, you have to provide information such as your bank routing number, so they know where to send the money, or your address and phone number so they can send the prize; you may also be asked to prove who you are, often by providing your Social Security Number. These are the ‘greed phishes’: even when the pretext is thin, people want what is offered and fall for it by giving away their information, then find their bank account emptied and their identity stolen.
- The message may ask for help. Preying on kindness and generosity, these phishing attacks ask for aid or support for whatever disaster, political campaign, or charity is trending at the moment.
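A message that merely “appears to come from” a bank or a large company can be tested mechanically rather than by eye. Receiving mail servers record their SPF and DKIM checks in an Authentication-Results header, and the DMARC alignment rule asks a simple question: does the domain the reader sees in From: match the domain those checks actually vouched for? The script below is an added example, not part of the original article; the two messages are constructed samples, the domain names are hypothetical, and the organizational-domain helper is a deliberate simplification (real DMARC evaluators consult the Public Suffix List).

```python
"""Added example, not part of the original article: check whether the
domain a reader sees in the From: header is backed by the receiving
server's SPF and DKIM results (the alignment rule DMARC uses).

Assumptions (hypothetical, for the sample): the receiving server records its
checks in one Authentication-Results header, and 'relaxed' alignment is
approximated by comparing the last two labels of each domain.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible sender claims to be a bank, but both the
# SPF (envelope) domain and the DKIM signing domain belong to someone else.
SAMPLE_PHISH = b"""\
From: "Example Bank Security" <alerts@examplebank.com>
To: victim@example.net
Subject: Verify your account within 24 hours
Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=mail-campaign.example;
  dkim=pass header.d=mail-campaign.example;
  dmarc=fail header.from=examplebank.com

Click the link to verify your details.
"""

# Constructed sample: same visible sender, but the checks name its own domain.
SAMPLE_LEGIT = b"""\
From: "Example Bank" <alerts@examplebank.com>
To: victim@example.net
Subject: Your monthly statement is ready
Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=examplebank.com;
  dkim=pass header.d=examplebank.com;
  dmarc=pass header.from=examplebank.com

Log in as you normally would to view it.
"""


def org_domain(host: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Real DMARC evaluators use the Public Suffix List; this shortcut is an
    assumption that holds for the sample domains."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value: str) -> dict:
    """Turn 'spf=pass smtp.mailfrom=x; dkim=pass header.d=y; ...' into
    {'spf': {'result': 'pass', 'smtp.mailfrom': 'x'}, ...}."""
    results = {}
    # Everything before the first ';' is the authserv-id, not a result.
    body = value.split(";", 1)[1] if ";" in value else ""
    for clause in body.split(";"):
        clause = " ".join(clause.split())  # undo header folding
        match = re.match(r"(\w+)=(\w+)(.*)", clause)
        if not match:
            continue
        method, result, props = match.groups()
        tags = dict(re.findall(r"(\S+?)=(\S+)", props))
        results[method] = {"result": result, **tags}
    return results


def assess(raw: bytes) -> dict:
    """Report whether the From: domain is aligned with a passing SPF or DKIM
    result. No alignment means nobody vouched for the visible sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"]))
    from_domain = from_addr.rpartition("@")[2].lower()
    ar = parse_auth_results(str(msg["Authentication-Results"] or ""))
    spf = ar.get("spf", {})
    dkim = ar.get("dkim", {})
    spf_aligned = (spf.get("result") == "pass"
                   and org_domain(spf.get("smtp.mailfrom", "")) == org_domain(from_domain))
    dkim_aligned = (dkim.get("result") == "pass"
                    and org_domain(dkim.get("header.d", "")) == org_domain(from_domain))
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "aligned": spf_aligned or dkim_aligned,
        "dmarc": ar.get("dmarc", {}).get("result"),
    }


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, assess(raw))
```

Two caveats matter in practice. First, only trust an Authentication-Results header added by your own mail server; an attacker can insert one of their own, so production tooling strips or ignores any such header that carries a foreign authserv-id. Second, alignment proves the domain, not the person: mail sent from a hijacked account at the genuine domain passes every one of these checks, which is exactly why the “email from a friend” attacks above still work.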
Baiting scenarios. These social engineering schemes rely on the fact that if you dangle something people want, many of them will take the bait. They are often found on peer-to-peer sites offering a download of something like a hot new movie or music album, but they also turn up on social networking sites, on malicious websites surfaced by search results, and so on.
Alternatively, the scheme may show up as an amazingly good deal on classified sites, auction sites, etc. To allay your suspicion, the seller has a good rating (all planned and crafted ahead of time).
People who take the bait may be infected with malicious software that opens the way to any number of further attacks on them and their contacts, may lose their money without receiving the item they bought, and, if they paid with a check, may find their bank account emptied.
Response to a question you never had. Criminals may pretend to be responding to your ‘request for help’ from a company while also offering additional help. They pick companies that millions of people use, such as a large software company or a bank. If you do not use the product or service, you will ignore the email, phone call, or message; but if you do happen to use it, there is a good chance you will respond, because you may actually need help with a problem.
For example, even though you know you never asked a question, you may have a problem with your computer’s operating system (such as slow-downs), and you seize on this opportunity to get it fixed, for ‘free’ no less. The moment you respond, however, you have bought the crook’s story, given them your trust and opened yourself up to exploitation.
The representative, who is actually a cybercriminal, will need to ‘authenticate you’, have you log into ‘their system’, or have you log into your computer and either give them remote access so they can ‘fix’ it for you, or read out commands so you can ‘fix’ it yourself with their ‘help’. In reality, some of the commands they tell you to enter will open a way for the criminal to get back into your computer later.
Creating distrust. Some social engineering is all about creating distrust or starting conflicts. It is often carried out by people you know who are angry with you, but it is also done by people simply trying to wreak havoc, by people who want to first create distrust in your mind about others so they can step in as the ‘hero’ and gain your trust, and by extortionists who manipulate information and then threaten you with its disclosure.
This form of social engineering usually begins with gaining access to an email account or another communication account (an IM client, social network, chat, forum, etc.), whether by hacking, by social engineering, or simply by guessing a really weak password.
- The malicious person may then alter sensitive or private communications (including images and audio) by using basic editing techniques and forward these to other people to create drama, distrust, embarrassment, etc. They may make it look like it was accidentally sent, or appear like they are letting you know what is ‘really’ going on.
- Alternatively, they may use the altered material to extort money either from the person they hacked, or from the supposed recipient.
There are literally thousands of variations on social engineering attacks; the only limit on the number of ways a cybercriminal can socially engineer users is their imagination, and you may experience several forms in a single attack. Afterwards, the criminal is likely to sell your information to others so they too can run their schemes against you, your friends, your friends’ friends, and so on, because cybercrooks like to leverage people’s misplaced trust.
Don’t become a victim
- Slow down. Scammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical, and never let their urgency short-circuit your careful review.
- Research the facts. Be suspicious of any unsolicited message. If the email looks like it is from a company you use, do your own research: use a search engine to reach the real company’s site, where you can also find its real support phone number.
- Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
- Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. Furthermore, if you did not specifically request assistance from the sender, consider any offer to ‘help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
- Don’t let a link in an email dictate where you land. Stay in control by finding the website yourself, using a search engine, so you are sure you land where you intended. Hovering over a link in an email shows the actual URL in the status bar, but a good fake (a lookalike domain, or the real company’s name buried in a subdomain) can still steer you wrong.
Curiosity leads to careless clicking: if you don’t know what the email is about, clicking its links is a poor choice. Similarly, never call a phone number taken from the email, as it is easy for a scammer on the other end to pretend to be a bank teller, a support agent, etc.
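Hovering over a link only shows the raw URL; it does not tell you which part of that URL is the host, nor whether the visible text agrees with it. The script below is an added example, not part of the original article: it pulls every link out of an HTML email body and applies the checks a hover tends to miss. The set of trusted domains and the sample body are constructed for the illustration, and the registrable-domain helper is a deliberate simplification (real tooling would use the Public Suffix List).

```python
"""Added example, not part of the original article: inspect every link in
an HTML email body the way hovering over it does, but mechanically, and
flag the tricks that a quick glance at the hover URL tends to miss.

Assumptions (hypothetical): the organization's genuine domains are listed in
TRUSTED_DOMAINS, and the registrable domain is approximated by the last two
labels of the host (real tooling would use the Public Suffix List).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"examplebank.com"}  # assumption for the sample

# A lookalike host with a non-ASCII letter, converted to the punycode form a
# browser would actually connect to (constructed for the sample).
IDN_HOST = "exämplebank.com".encode("idna").decode("ascii")

# Constructed sample body with four link styles: the trusted name used as a
# subdomain of an attacker host, the trusted name placed in the userinfo
# part of the URL, a punycode lookalike, and one genuine link.
SAMPLE_HTML = f"""
<p>Please <a href="https://examplebank.com.account-verify.example/login">
log in to examplebank.com</a> within 24 hours.</p>
<p><a href="https://examplebank.com@203.0.113.5/">https://examplebank.com/secure</a></p>
<p><a href="https://{IDN_HOST}/">examplebank.com</a></p>
<p><a href="https://www.examplebank.com/statements">View statements</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href: str, text: str) -> dict:
    """Return the findings for one link; an empty list means nothing suspicious."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    findings = []
    # 'https://examplebank.com@evil/' : the part before '@' is a username,
    # not the host, and browsers connect to what follows it.
    if parts.username is not None:
        findings.append("userinfo-before-host")
    # Internationalized labels are shown as 'xn--' to the server; decode so
    # the reviewer sees the lookalike spelling the victim would have seen.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host:" + host.encode("ascii").decode("idna"))
    if registrable(host) not in TRUSTED_DOMAINS:
        # The real name appearing left of the registrable domain is decoy.
        if any(t in host for t in TRUSTED_DOMAINS):
            findings.append("trusted-name-in-subdomain")
        # Visible text that names a trusted domain while the href goes elsewhere.
        if any(t in text.lower() for t in TRUSTED_DOMAINS):
            findings.append("display-text-names-trusted-domain")
    return {"href": href, "text": text, "host": host, "findings": findings}


def analyze(html: str) -> list:
    """Run check_link over every anchor in an HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [check_link(href, text) for href, text in collector.links]


if __name__ == "__main__":
    for result in analyze(SAMPLE_HTML):
        print(result["host"], result["findings"])
```

What this deliberately does not do is follow redirects: a link through a URL shortener or an open redirector on a legitimate site will look clean here and still land you on the phishing page, which is why the advice above to navigate to the site yourself still stands even when the link passes every check.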
- Secure your computing devices. Install an effective anti-virus solution that can keep up with ever-evolving threats. Make sure to keep your OS and browsers updated, and if your smartphone doesn’t automatically update, make sure to manually update it whenever you receive a notice to do so.
- Email hijacking is rampant. Hackers, spammers, and social engineers gaining access to people’s email (and other personal accounts) has become commonplace, and once they control someone’s account they prey on the trust of all that person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, check with your friend through another channel before opening links or downloading. Even then, the legitimacy of the links isn’t guaranteed, which is why it is critical to be running anti-virus software.
- Beware of any download. Unless you know the sender personally AND are expecting a file from them, downloading anything is a mistake.
- Foreign offers are fake. If you receive email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money, it is guaranteed to be a scam.
- Set your spam filters to high. Every email program has spam filters. To find yours, look under your settings options, and set these to the highest setting; just remember to check your spam folder periodically to see if legitimate email has been accidentally trapped there. You can also search for a step-by-step guide to setting your spam filters by searching on the name of your email provider plus the phrase ‘spam filters’.