Protecting Yourself Against Social Engineering
What is Social Engineering?
Social Engineering is a method that bad actors will use to trick people into giving them sensitive information or access. The types of information these criminals are seeking can vary. Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is really weak).
Why do they do it?
The most common use of social engineering is to steal information, whether this is your personal information, a password, or banking information.
However, sometimes they are seeking access to information like customer records, research data, or other resources you may have access to. A form of social engineering called Business Email Compromise (BEC) occurs when a bad actor pretends to be a vendor or someone you frequently make payments to. They advise you that you need to send the money to a different account because of "business changes on their end"—and then abscond with your money.
Types of Social Engineering
Scareware
As the name indicates, scareware is malware that’s meant to scare you into taking action — and taking it fast. It often comes in the form of pop-ups or emails indicating you need to “act now” to get rid of viruses or malware on your device. In fact, if you act, you might be downloading a computer virus or malware.
Email hacking and contact spamming
It’s in our nature to pay attention to messages from people we know. And social engineers know this all too well, commandeering email accounts and spamming contact lists with phishing scams and messages.
If your friend sent you an email with the subject, “Check out this site I found, it’s totally cool,” you might not think twice before opening it. By taking over someone’s email account, a social engineer can make those on the contact list believe they’re receiving emails from someone they know. The primary objectives include spreading malware and tricking people out of their personal data.
Phishing
Phishing is a well-known way to grab information from an unwitting victim. How it typically works: a cybercriminal, or phisher, sends a target a message asking for some type of information or action that might help with a more significant crime. The ask can be as simple as encouraging you to download an attachment or asking you to verify your mailing address.
Vishing
Just like phishing, bad actors will try to engage victims using phone calls. This could be pretending to be a service representative from a company or the help desk, or it could be an automated message asking you to enter information via your phone's keypad.
Smishing
Again, this works just like phishing, but it uses text messages (SMS) that contain malicious links.
Baiting
Baiting is built on the premise of someone taking the bait, meaning dangling something desirable in front of a victim, and hoping they’ll bite. This occurs most often on peer-to-peer sites like social media, whereby someone might encourage you to download a video or music, just to discover it’s infected with malware — and now, so is your device.
It could also involve creating a USB stick that has malware on it. They may leave it in a public area hoping to play on your curiosity. Some bad actors have sent these malicious USBs through the physical mail under the pretense that it's "promotional material." A target who takes the bait will pick up the device and plug it into a computer to see what’s on it. The malware will then automatically inject itself into the computer.
Pretexting
Pretexting is the use of an interesting pretext, or ploy, to capture someone’s attention. Once the story hooks the person, the social engineer tries to trick the would-be victim into providing something of value. Oftentimes, the social engineer is impersonating a legitimate source.
The classic example of this is the Nigerian Prince scam, or an inheritance scam where you need to provide some information or access to facilitate the transfer of money.