When it comes to scams like hacking, phishing, and baiting, most of us see ourselves as the last person to fall victim to such scams. But this is exactly the kind of thinking that social engineers bank on.
Social engineering is the act of tricking someone into sharing private information, by exploiting specific qualities of human decision-making known as cognitive biases. While hackers attack and circumvent computer and online systems to steal information, social engineers instead manipulate people into granting legitimate access to confidential information.
And although social engineers mostly use technology to carry out their attacks, their deception has spread online and offline. Our best defense against these attacks, therefore, is to educate ourselves so that we recognize them as they happen.
Here are the most common attacks, how to spot them, and how to avoid becoming a victim:
- Phishing — Phishing is the most common social engineering scheme. An attacker sends an e-mail, instant message, comment, or text message that appears to come from a legitimate, well-known company, bank, school, or other institution. Recipients are tricked into sharing confidential information, such as credit card or bank account numbers and PINs. A typical message claims there is a problem with the recipient's account that requires them to “verify” their details by clicking the displayed link and filling in a form on the attacker's page. Phishing messages may also solicit donations for a disaster, political campaign, or charity.
- Spear phishing — Spear phishing is a highly targeted type of phishing attack that focuses on a specific individual or organization. Social engineers use personal information specific to the recipient in order to gain trust and appear legitimate; this information often comes from the recipient's social media accounts. Because these attacks are tailored to their target, the attacker's chances of success are much higher.
- Baiting — Attackers who use this technique rely on the assumption that if they dangle something people want, people will take the bait. They also take advantage of natural curiosity by leaving a malware-infected device (such as a USB drive or CD) in a public space, like a bathroom or a cafeteria, where someone is likely to find it. A baiting attack hinges on the premise that the person who finds the device will plug it into their computer and unknowingly install the malware.
- Pretexting — Pretexting happens when social engineers make up a story with the goal of fooling recipients into providing access to confidential information. For example, they could pretend that they are part of a company’s IT department in order to acquire the recipient’s passwords or other confidential information.
- Tailgating — Tailgating is a physical social engineering tactic in which an unauthorized individual follows authorized individuals into a secure location. A typical example is someone who asks you to hold the door open because they “forgot” their access card. A related tactic is asking to borrow your phone or laptop to send an email or quickly google something, and instead installing malware on it or stealing data from the device.
In this day and age, it’s safe to assume that all sources are suspicious. No matter how legitimate an email appears, it’s safer to type a URL into your browser instead of clicking on a link. Don’t open attachments from suspicious sources. These are things most of us already know, but often overlook.
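The advice above (type the address yourself rather than trusting a displayed link) can be turned into a simple check. The following is an added example, not code from the author or from BPI: it pulls the links out of an HTML e-mail body and flags the patterns phishing mail relies on, namely link text that shows one domain while the destination is another, destinations that are bare IP addresses, and destinations outside the sender's known domains. The e-mail body, the bank name `examplebank.com` and the `trusted_domains` parameter are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase host of an http(s) URL; '' for mailto:, #anchors and other non-web links."""
    parsed = urlparse(url)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return ""
    if not parsed.scheme:
        parsed = urlparse("http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a host (a simplification: multi-label suffixes such as co.uk are not handled)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


# Visible anchor text that itself looks like a URL or domain name.
_URLISH = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def find_suspicious_links(html_body, trusted_domains):
    """Return a list of (href, reason) for anchors a reader should not click."""
    trusted = {d.lower() for d in trusted_domains}
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        host = host_of(href)
        if not host:
            continue  # mailto:, in-page anchors, etc.
        dest = registrable_domain(host)
        if _IPV4.fullmatch(host):
            findings.append((href, "destination is a bare IP address"))
            continue
        if _URLISH.fullmatch(text):
            shown = registrable_domain(host_of(text))
            if shown != dest:
                findings.append((href, f"link text shows {shown} but destination is {dest}"))
                continue
        if dest not in trusted:
            findings.append((href, f"destination {dest} is not a known domain of the sender"))
    return findings


# Constructed sample mail body: one lookalike link, one bare-IP link, one genuine link, one mailto:.
SAMPLE_MAIL = """
<p>Dear customer, we detected a problem with your account.</p>
<p>Please <a href="http://examplebank.com.verify-account.example/login">https://www.examplebank.com</a>
to verify your details.</p>
<p>Or download the security update from <a href="http://203.0.113.10/update">here</a>.</p>
<p>Visit <a href="https://www.examplebank.com/login">examplebank.com</a> for genuine announcements.</p>
<p><a href="mailto:support@examplebank.com">Contact support</a></p>
"""

if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_MAIL, {"examplebank.com"}):
        print(f"SUSPICIOUS {href}: {reason}")
```

The first check is the important one for phishing: the anchor text reads `https://www.examplebank.com`, but the real destination is `verify-account.example`, with the bank's name placed in a subdomain to fool a casual glance. The check only looks at the registrable domain, so a real deployment would want a proper public-suffix list and a policy for shortened URLs, which this example deliberately leaves out.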
Social engineers count on their targets to follow routine and act mindlessly. Pause and ask whether that email from the bank is legitimate, if that message from “IT” has any basis, or if that humanitarian cause has set up alternative channels for donations. And as the adage goes, it’s better to be safe than sorry.
The author is BPI’s data protection officer and enterprise information security officer