What Is Social Engineering?
Who Uses It?
Criminals often favor social engineering because people are easier to exploit than software. By playing on natural human instincts to build and keep trust, an attacker gets what they want without ever having to break a system. Passwords are the classic example: it is far easier to talk someone into handing over their password than it is to crack it.
The basis of security is knowing what and whom to trust: recognizing when to take a person at their word, when someone communicating with you has malign intent, and what their end goal is. The same applies to online interactions, websites, and social media. When should you trust a website, and when is it safe to provide detailed, private, or protected information? TriVault regards the weakest link in the security industry to be the person who accepts another person or a scenario at face value. How useful are locks, bolts, and cameras when you simply invite the criminal into your home? The same question applies in cyber security.
What Does a Social Engineering Attempt Look Like?
Emails from a friend
Criminals who hack or socially engineer a personal email password gain access to that person’s contact list. Because people tend to reuse the same password everywhere, they probably gain access to a number of other accounts as well, including social media. Once the accounts are under the criminal’s control, they use them to email or message that individual’s contacts.
These messages aim to take advantage of your trust, and often will:
- Contain a multimedia download. Typically this is a picture, music, a movie, or a document with malicious software embedded in or bound to it. If you download the file, which you are likely to do because you believe it came from your friend or contact, you can be infected with malware. Once infected, the criminal has access to your machine and your accounts, and the cycle continues.
- Contain a link for you to visit. Because you trust the sender, you will likely click it and be infected with malware.
Keep in mind that not all malware is detected by antivirus software. Much of it is encrypted or changes its form between infections so that security suites cannot match it. This is heavily leveraged in social engineering schemes because people assume a password change alone will resolve the problem. It will not: if the machine is still infected, the new password is captured just like the old one.
Emails from another trusted or “verified” source
Phishing attacks present a plausible scenario for handing over credentials or other data, and they are crafted to look as if they come from a source you already trust. Phishing is recognized as a subset of social engineering.
Schemes like this rely on the fact that if they offer something people want or need, many will take the bait. Creating a sense of urgency is used across all kinds of platforms, especially email and social media.
Realistically, those who click are infected with malicious software that can be used to launch further exploits against the victim and their contacts. Many lose money without receiving whatever the scheme promised, or find their bank account emptied if they were unwise enough to pay by check. How it ends depends on what the criminal is after, but it never ends well.
Avoid the traps
Phishing and social engineering attacks succeed if only a few users take the bait. Campaigns are typically rampant but short-lived, preying on those who do not practice proper security habits. Defeating most of them, whether they are technical or in person, requires nothing more than paying attention to the small details in front of you.
Tips to Remember:
- Slow down. Spammers need you to act first and think afterwards. If a message conveys urgency or uses high-pressure sales tactics, be skeptical. Urgency is their leverage.
- Research the facts. Be suspicious of any unsolicited message, email, or offer. If the details appear to come from a company you use, do your own research and use a search engine to gather additional information.
- Don’t let a link control where you end up. Stay in control by finding the website yourself with a search engine so you land where you intended. Hovering over a link in your email client shows the actual URL at the bottom of the window, but a good fake can still steer you wrong if you don’t know what to look for.
- Email hijacking is rampant and fast-paced. Hackers, spammers, and social engineers routinely take over people’s email and social media accounts, and once they control an account they prey on the trust of that person’s contacts and friends. Even when the sender appears to be someone you know and trust, if you are not expecting an email with a link or attachment, check with that person before opening the link or downloading the file.
- Beware of any download. If you do not know the sender personally, or you are not expecting a file from them, downloading it is a mistake.
- Foreign offers are fake. Money from an overseas lottery, a distant relative you have never heard of leaving you a lump sum, or any other magical way of coming into a large amount of money is simply not real.
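Hovering shows you the real URL, but it does not tell you what to look for. The following is an added example, not code from the original page or from TriVault, that applies the same check programmatically to an HTML email body: it extracts every link, compares the domain shown in the link text with the domain the href actually points to, and flags the usual deceptions (a lookalike subdomain on an unrelated domain, a fake domain placed before an @ sign so the real host is an IP address, and a punycode host). The email body, the domains example-bank.com and evil.test, and the address 203.0.113.9 are all constructed for illustration. The registrable-domain check is a two-label heuristic; a production tool would use the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristic: the registrable domain is the last two labels. Good enough for
# the demo; a real tool should consult the public suffix list (co.uk, etc.).
def registrable_domain(host):
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

# Something that looks like a domain name in the visible link text.
DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means it looks fine."""
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme {parts.scheme or '(none)'!r}"]
    host = (parts.hostname or "").lower()
    findings = []
    # user@host trick: everything before '@' is decoration, the real host follows it.
    if parts.username is not None:
        findings.append(f"userinfo {parts.username!r} hides the real host {host!r}")
    if IPV4_RE.fullmatch(host):
        findings.append(f"raw IP address host {host}")
    # Internationalized (punycode) host: may be a homograph of a familiar name.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown_as = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown_as = "(undecodable)"
        findings.append(f"punycode host {host} renders as {shown_as!r}")
    # The domain the reader sees in the link text versus where the href goes.
    shown = DOMAIN_RE.search(text)
    if shown:
        shown_dom = registrable_domain(shown.group(1))
        real_dom = registrable_domain(host)
        if shown_dom != real_dom:
            findings.append(f"text shows {shown_dom} but href goes to {real_dom}")
    return findings


def suspicious_links(html):
    """Return [(href, text, findings)] for each link that raised at least one finding."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(h, t, f) for h, t in parser.links if (f := inspect_link(h, t))]


# Constructed sample: a punycode host built from a lookalike of the bank's name.
IDN_HOST = "exämple-bank.com".encode("idna").decode("ascii")

# Constructed phishing-style email body for illustration; not a real message.
SAMPLE_HTML = f"""
<p>Your account is on hold. Verify within 24 hours:
<a href="https://secure-login.example-bank.com.evil.test/verify">https://example-bank.com/verify</a></p>
<p>Or sign in at <a href="http://example-bank.com@203.0.113.9/login">example-bank.com</a></p>
<p>Need help? <a href="https://{IDN_HOST}/support">Support center</a></p>
<p>Legitimate link for comparison: <a href="https://www.example-bank.com/help">example-bank.com help</a></p>
"""

if __name__ == "__main__":
    for href, text, findings in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for reason in findings:
            print("   !", reason)
```

Only the fourth link passes: its text names example-bank.com and the href really goes there. The first looks like the bank's domain but registers under evil.test, the second uses the @ trick to hide an IP address, and the third is a punycode host that a mail client may render as a near-identical name.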
Ways to Protect Yourself:
- Delete any request for financial information or your passwords
- Reject unsolicited requests for help or offers of help
- Set your spam filters to high
- Secure your computing devices