Social engineering is the art of manipulating people into giving up sensitive information. The types of information these criminals seek vary, but when individuals are targeted the criminals are usually trying to trick you into handing over your passwords or bank details, or into giving them access to your computer so they can secretly install malicious software that captures your passwords and bank information and gives them control of the machine.
Criminals use social engineering because it is usually easier to exploit your natural inclination to trust than to find a way to break into your software. It is far easier, for example, to talk someone into giving you their password than to crack that password (unless the password is very weak).
Knowing who and what to trust is the heart of security. You need to know when to take someone at their word and whether the person you are speaking with really is who they claim to be. The same applies online: when do you trust that the website you are accessing is real or is safe to disclose your
Any security professional will tell you that the weakest link in the security chain is the person who accepts another person or a situation at face value. It makes no difference how many locks and deadbolts are on your doors and windows, or whether you have guard dogs, alarm systems, floodlights, barbed-wire fences, and armed security staff: if you trust the person at the gate who says he is the pizza delivery guy and let him in without first checking that he is legitimate, you are completely exposed to whatever risk he represents.
What Does a Social Engineering Attack Look Like?
Email from a friend
If a criminal manages to steal or socially engineer one person's email password, they have access to that person's contact list, and, because most people reuse the same password everywhere, they probably also have access to that person's social networking accounts and contacts.
Once the criminal controls the email account, they send emails to all of the person's contacts or leave messages on all of their friends' social pages, and perhaps on the pages of their friends' friends as well.
Taking advantage of your trust and curiosity, these messages will:
- Contain a link that you just have to check out. Because the link comes from a friend and you are curious, you trust it and click, and you get infected with malware that lets the criminal take over your machine, collect your friends' information, and deceive them just as you were deceived.
- Contain a download of images, music, movies, documents, and so on that carries malicious software. You become infected if you download it, which you are likely to do because you believe it is from a friend. The criminal now has access to your computer, email account, social network accounts, and contacts, and the attack spreads to everyone you know. And so on.
Email from another trusted source
Phishing attacks are a subset of social engineering in which the attacker impersonates a trusted source and constructs a seemingly plausible scenario in order to obtain login credentials or other sensitive personal data. According to Webroot data, financial institutions account for the great majority of impersonated companies, and according to Verizon's annual Data Breach Investigations Report, social engineering attacks such as phishing and pretexting (see below) account for 93 percent of successful data breaches.
Using a compelling story or pretext, these messages may:
- Urgently ask for your help. Your 'friend' has been robbed, beaten, and is in the hospital in country X. They need money from you to get home, and they tell you how to send it, and the money goes to the criminal.
- Use phishing attempts with a legitimate-looking background. A phisher typically sends an email, instant message, comment, or text message that appears to come from a legitimate, well-known organization, bank, school, or institution.
- Ask you to donate to their charitable fundraiser or some other cause, most likely with instructions on how to get the money to the criminal. Preying on people's generosity and kindness, these phishers ask for help or support for whatever disaster, political campaign, or charity is currently in the news.
- Notify you that you are a 'winner.' The email may claim to be from a lottery, a deceased relative, or the millionth person to visit a website, and so on. To receive your 'winnings' you must supply your bank routing number so they know how to transfer the money, or give your address and phone number so they can deliver the prize, and you may be asked to prove your identity, possibly including your social security number. These are the 'greed phishes': people want what is offered and fall for it by handing over their information, then have their bank account drained and their identity stolen.
- Pose as a boss or coworker. The message may request an update on an important, confidential project your organization is working on, payment details for a company credit card, or any other request dressed up as routine business.
These social engineering schemes rely on the fact that if you dangle something people want, many will bite. They are common on peer-to-peer networks that offer a download of something like a popular new movie or album, but they also turn up on social networking sites, rogue websites surfaced by search engine results, and so on.
Alternatively, the lure may take the form of an unbelievable bargain on classified sites, auction sites, and so on. To put your mind at ease, you can see that the seller has a high rating (all planned and crafted ahead of time).
People who take the bait risk being infected with malicious software that can be used to launch further attacks against them and their contacts, and they risk losing their money without ever receiving what they paid for.
Response to a question you never had
Criminals may claim to be responding to a 'request for help' you sent to a company, and offer even more help. They pick companies used by millions of people, such as a software company or a bank. If you don't use the product or service you will ignore the email, phone call, or message; but if you do, there is a good chance you will respond, because you probably do want help with some issue.
For example, even though you know you didn't ask a question, you probably do have some problem with your computer's operating system, and you seize the chance to get it fixed. Absolutely free! The moment you respond, you have bought the crook's story, given them your trust, and opened yourself up to exploitation.
The 'representative', who is actually a criminal, will need to 'authenticate' you, have you log into 'their system', or have you log into your computer and either give them remote access so they can 'fix' it for you, or read out commands for you to type so you can fix it yourself with their help, where some of the commands they tell you to enter will give the criminal access to your computer.
Some social engineering is all about creating distrust or starting conflicts. This is often done by people you know who are angry with you, but it can also be done by nasty people who are just trying to wreak havoc, by people who first want to plant distrust of others in your mind so they can step in like a hero and win your trust, or by extortionists who want to manipulate information and then threaten you with its disclosure.
This type of social engineering usually begins with gaining access to an email account or another communication account on an instant messaging program, social network, chat, forum, and so on. They do this through hacking, social engineering, or simply guessing very weak passwords.
- The malicious person may then use basic editing techniques to alter sensitive or private emails (including photographs and audio) and forward them to others in order to create drama, distrust, embarrassment, and so on. They may make it look as if the material was sent by mistake, or as if they are letting you know what is 'really' going on.
- They could even use the altered material to extort money from the person they hacked or from the supposed recipient.
Social engineering attacks take thousands of forms. The only limit on the number of ways criminals can socially engineer users is their imagination, and several techniques may be combined in a single attack. And having exploited your misplaced trust, the criminal is likely to sell your information to others so that they, too, can run their scams against you, your friends, your friends' friends, and so on.
Don’t become a victim
While phishing attempts are common, short-lived, and need only a few people to take the bait for a campaign to succeed, there are ways to protect yourself. Most require little more than paying attention to the details in front of you. Keep the following tips in mind to avoid being phished.
Tips to Remember:
- Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical; never let their urgency influence your careful review.
- Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine or a phone directory to find the real company's phone number.
- Don't let a link control where you land. Stay in control by finding the website yourself using a search engine, so you are sure you land where you intend to land. Hovering over a link in an email will show the actual URL at the bottom of the browser window, but a good fake can still steer you wrong.
- Email hijacking is rampant. Hackers, spammers, and social engineers are increasingly taking over people's email accounts (and other communication accounts). Once they control an email account, they prey on the trust of the person's contacts. Even when the sender appears to be someone you know, if you aren't expecting an email with a link or attachment, check with your friend before opening or downloading anything.
- Beware of any download. If you don't know the sender personally and aren't expecting a file from them, downloading anything is a mistake.
- Foreign offers are fake. If you receive an email from a foreign lottery or sweepstakes, money from an unknown relative, or a request to transfer funds from a foreign country for a share of the money, it is a scam.
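As an added example, not part of the original article, the tips above can be turned into mechanical checks that a mail filter or a curious user can run on an incoming message: does the visible link text name one domain while the href points somewhere else (the "don't let a link control where you land" tip), does the From display name claim a brand whose domain differs from the real sender domain, and does the body lean on pressure wording (the "slow down" tip). The script below uses only Python's standard library; the sample messages, the domain names in them, and the keyword list are constructed for this demonstration and are not real indicators or a production detection ruleset.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword list; a real deployment would tune this from observed phishing mail.
URGENCY_PATTERNS = [
    r"\bwithin 24 hours\b", r"\bimmediately\b", r"\burgent\b", r"\bact now\b",
    r"\baccount will be (suspended|closed|locked)\b", r"\bverify your (account|identity)\b",
]
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); production code should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url_or_text):
    """Hostname of a URL, or of bare text that looks like a domain; None for ordinary words."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host if host and DOMAIN_RE.fullmatch(host) else None


def triage_email(raw):
    """Return a list of (category, detail) findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # sender: a brand-looking domain in the display name that is not the sending domain
    addresses = msg["From"].addresses if msg["From"] else ()
    if addresses:
        display, sender_domain = addresses[0].display_name, addresses[0].domain.lower()
        for claimed in DOMAIN_RE.findall(display.lower()):
            if registered_domain(claimed) != registered_domain(sender_domain):
                findings.append(("sender", f"display name says {claimed}, mail is from {sender_domain}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # link: what you see is not where you go
    collector = _LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        href_host, visible_host = host_of(href), host_of(visible)
        if href_host and visible_host and registered_domain(href_host) != registered_domain(visible_host):
            findings.append(("link", f"text shows {visible_host}, href goes to {href_host}"))

    # urgency: strip tags, then look for pressure phrases
    plain = re.sub(r"<[^>]+>", " ", text).lower()
    for pattern in URGENCY_PATTERNS:
        match = re.search(pattern, plain)
        if match:
            findings.append(("urgency", match.group(0)))
    return findings


# Constructed sample messages; the domains are placeholders, not real indicators.
SAMPLE_PHISH = """\
From: "ExampleBank.com Security" <alerts@examp1e-bank-verify.net>
To: customer@example.org
Subject: Action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended within 24 hours unless you verify your identity.</p>
<p>Sign in at <a href="http://examp1e-bank-verify.net/login">www.examplebank.com</a></p>
</body></html>
"""

SAMPLE_BENIGN = """\
From: "Alice Example" <alice@example.org>
To: bob@example.org
Subject: Lunch photos
Content-Type: text/html; charset="utf-8"

<html><body><p>Photos are at <a href="https://photos.example.org/a1">photos.example.org/a1</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, triage_email(sample))
```

Run against the constructed phishing sample, the script flags the sender (display name claims examplebank.com, mail comes from examp1e-bank-verify.net), the link (text shows www.examplebank.com, href goes to examp1e-bank-verify.net), and three pressure phrases; the benign sample produces no findings. The two-label domain comparison is deliberately crude so the logic stays readable; anything beyond a demonstration should use the Public Suffix List, and none of these heuristics replaces verifying with the sender through a channel you looked up yourself.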
Ways to Protect Yourself:
- Reject requests for help. Legitimate businesses and organizations do not contact you out of the blue to offer assistance. If you did not specifically ask the sender for help, treat any offer to 'assist' in restoring credit scores, refinancing a home, answering your question, and so on as a scam. Similarly, if you receive a request for help from a charity or organization you have no relationship with, delete it. To avoid falling for a scam, seek out reputable charitable organizations on your own.
- Set your spam filters to high. Every email program has spam filters. Look through your settings options and set them to high; just remember to check your spam folder periodically in case a legitimate email has been caught there by mistake. You can find a step-by-step guide to configuring your spam filters by searching for your email provider's name plus the phrase 'spam filters'.
- Secure your computing devices. Install and maintain anti-virus software, firewalls, and email filters. Set your operating system to update automatically, and if your smartphone doesn't update automatically, manually update it whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or a third party to alert you to risks.
To protect customers from web-based attacks, Webroot's threat database holds over 600 million domains and 27 billion URLs. The threat intelligence behind all of our products lets you browse the web safely, and our mobile security solutions provide secure web browsing to prevent successful phishing attacks.