What is social engineering?
When most people hear the term “social engineering” they think of a specific program designed to change society. However, in the context of cybersecurity, it has a somewhat different connotation.
The security publication CSO defines social engineering as “the art of harnessing human psychology, rather than tech hacking techniques, to gain access to buildings, systems or data.”
Kevin Mitnick, one of the most famous hackers of the 20th century and now a renowned computer security consultant, popularized the term in the 1990s.
According to Terranova Security, the nine most common categories of social engineering are:
Phishing: deceptive emails, websites, and text messages are used to steal information.
Spear phishing: email is used to carry out targeted attacks against specific individuals or businesses.
Baiting: an online or physical attack that promises the victim a reward.
Malware: victims are tricked into believing that malware is installed on their computer and that it will be removed if they pay.
Pretexting: a false identity is used to trick victims into disclosing information. Artificial intelligence has made it possible for criminals to clone a person’s voice and send you a message in that person’s voice.
Quid pro quo: relies on an exchange of information or services to convince the victim to act.
Tailgating: relies on human trust to give the criminal physical access to a secure building or area.
Vishing: urgent voicemail messages convince victims that they must act quickly to protect themselves against arrest or other risks.
Watering hole: an advanced attack that infects a website and, through it, the site’s visitors with malware.
How to spot a social engineering attack
Email from a friend or relative: if a cybercriminal is able to hack or socially engineer a person’s email password, he has access to that person’s contact list. Since many people reuse the same password everywhere, he will likely have access to that person’s social media contacts as well.
The next step is to email all of the person’s contacts or post to all of their friends’ social pages, and perhaps to the pages of the friends’ friends.
These emails usually contain a link or a media download. Because you trust the source, you click, infecting your device and/or your network.
Email from another trusted source: these messages can be an urgent plea for money due to a tragic situation. Another phishing scam involves sending an email, instant message, comment, or text message that appears to be from a legitimate and popular business, bank, school, or institution. The message may ask you to donate to your favorite charitable cause. Another trick uses fear by presenting an issue that doesn’t exist, such as a problem with the IRS, and then asking you to fill out a seemingly legitimate form or click on a link. Another version tells you that you have a problem with your computer and asks for “verification” information before the problem can be resolved. These messages also warn of dire consequences if you don’t act quickly. One technique that capitalizes on greed is to tell you that you have won the lottery, inherited money, and so on; you are then asked to provide personal information such as a bank routing number, social security number, address, and phone number. The email might also appear to be from a boss or coworker asking you for confidential information or even asking you to send money to a specified account.
Some social engineering involves creating mistrust or triggering conflicts. These attacks are often carried out by people you know who are angry with you, but also by people simply trying to wreak havoc, by people who first want to sow mistrust of others so that they can then pose as the one who can solve the problem and gain your trust, and finally by extortionists who manipulate information about you and then threaten to disclose it.
This type of social engineering often starts with gaining access to an email account or another communication account on an instant messaging client, social network, chat, forum, etc.
Some useful tips
Slow down. Scammers want you to act first and think later.
Get the facts. Beware of unsolicited messages. If the email appears to be from a business you use, use a search engine to reach the real business’s site or to find its phone number.
Be careful when clicking on links: hovering over a link in the email will display the actual URL at the bottom of the window, but a well-crafted fake can still redirect you to a malicious site.
Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, check with your friend before opening links or downloading attachments.
Beware of any downloads. If you don’t know the sender personally and aren’t expecting a file from them, you shouldn’t download it without verification.
Everyone is familiar with the “Nigerian Prince” scam. Remember that unsolicited foreign offers are bogus.
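The hover-over-the-link tip above can be automated for a defender triaging reported messages. The following Python script is an added example, not code from the original article or from Terranova Security: it parses a constructed HTML email body and flags anchors whose visible text names one site while the href points at another, and anchors whose query string carries a second URL (a redirector of the kind the tip warns about). The domain helper is a deliberate simplification and is labelled as such.

```python
"""Flag links in an HTML email whose visible text does not match where they point.

Added example for a phishing-triage workflow; the message below is constructed,
not a real email, and all hostnames use reserved .test domains.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message body (hypothetical, not from any real campaign).
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention. Please sign in here:
<a href="http://login.example-bank.attacker.test/verify">https://www.example-bank.test/login</a></p>
<p>Or use our <a href="https://www.example-bank.test/help">help centre</a>.</p>
<p><a href="https://redirect.example.test/r?u=http://evil.test/x">Unsubscribe</a></p>
"""


def registrable_domain(host):
    """Return the last two labels of a hostname (assumption: a crude stand-in for a
    public-suffix lookup; production code should use a public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return a list of findings, one per link that trips at least one check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        reasons = []
        # Check 1: the visible text looks like a URL but names a different site
        # than the href actually points to (the classic "hover and compare" case).
        if text.startswith(("http://", "https://")):
            text_host = urlparse(text).hostname or ""
            if registrable_domain(text_host) != registrable_domain(href_host):
                reasons.append("text_host_mismatch")
        # Check 2: the href carries another URL in its query string, so even a
        # trusted-looking host may bounce the reader somewhere else.
        for values in parse_qs(urlparse(href).query).values():
            if any(v.startswith(("http://", "https://")) for v in values):
                reasons.append("embedded_redirect")
                break
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML):
        print(finding["reasons"], finding["text"] or "(no text)", "->", finding["href"])
```

Run against the sample body it reports two of the three links: the sign-in link, because its visible text and its href resolve to different registrable domains, and the unsubscribe link, because its query string embeds a second URL. The help-centre link passes both checks. Neither check proves a message is malicious; they are prompts for the reader to verify through a known-good channel, as the tips above recommend.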
What you can do to protect yourself
Delete any requests for financial information or passwords. If a message asks you to reply with personal information, it is a scam.
Reject unsolicited requests for help or offers of help. Legitimate businesses and organizations don’t contact you out of the blue for help. If you receive a request for help from a charity or organization that you have no relationship with, delete it.
Set your spam filters to a high level. Every email program has spam filters. To find yours, look at your settings options and set them to high. You should periodically check your spam folder to see if any legitimate emails have been sent there by mistake.
Secure your computing devices and phones. Install anti-virus software, firewalls, and email filters and keep them up to date. Configure your operating system to update automatically. Use an anti-phishing tool offered by your web browser or a third party to alert you to potential fraud.
Clever cybercriminals know that social engineering works best when it harnesses human emotions such as greed, fear, and curiosity. Taking advantage of human emotions is much easier than hacking into a network.