Cybersecurity professionals often use the term “social engineering” when discussing criminal activity, but what does it really mean for you?
What is Social Engineering?
Social engineering is a psychological tactic used by criminals to trick you into giving away personal information or access to something valuable. It is essentially a sophisticated manipulation technique. These attacks can be in person, online, or through other communication mediums like email, chat, and online forums.
Typically, the criminal’s goal is to disrupt operations, corrupt data, or steal money or other valuable information to sell on the dark web.
How Do Social Engineering Attacks Work?
Rather than relying on intimidation or threats, social engineering attacks work by motivating you to give the attacker what they want. They first establish communication with you and then keep working on you until you have compromised yourself without even knowing it. They follow an organized process:
- Preparation: First, they gather as much information about you as they can to use in their campaign.
- Initiate Contact: Then, they establish a relationship with you by initiating contact either through email, text, phone, or some other method.
- Exploitation: Once they feel they have gained your trust, scammers go in for the kill and get whatever it is they are after.
- Disengage: After they have what they need from you, they will disappear.
These attacks can last anywhere from a few days to several months, depending on how long it takes for them to gain your trust. Keep in mind that hackers deliberately confuse their victims so you don’t even realize what is happening.
Sometimes they pretend to be the IRS or an IT professional who wants to help you clean a malware infection off your computer. Cybercriminals use emotional reactions to catch you off guard. They often try to evoke the following emotions because they know if you are in a heightened emotional state, you are less likely to question their motives, and you might just make a mistake that wins them the day.
Some of the emotions they prey on are:
- Excitement - they might tell you that you have just won a big prize.
- Fear - scammers call claiming to be from the IRS and say you will be arrested if you don’t pay now.
- Curiosity - phishing emails about COVID-19 cures and all sorts of other intriguing tidbits may pique your interest.
- Anger - they might send you propaganda to get you angry enough to start talking.
These types of attacks often have a sense of urgency attached to them. For example, they may use wording like “you are one of the few people selected for this amazing opportunity, but you have to act fast.”
Some common social engineering tactics include:
You see an ad on social media that promises a massive ROI on an investment, greed takes over, and you click. Fake ads are just one way attackers lure you in with the promise of something great that will never happen.
When you get a pop-up on your computer saying it’s infected with spyware and you have to clean it fast, this is an example of scareware. Many victims receive phone calls saying that their computer is infected, and Microsoft is calling to help. They are not; it’s just scammers wanting your credit card details.
Pretexting is when a scammer pretends to be someone with authority, such as the police, your bank, or a co-worker. They may ask you personal questions that you answer in order to “verify your identity,” but all you have done is open yourself up to identity theft.
Phishing is one of the most prevalent ways criminals try to get you. They may send you an urgent message about your account or ads to get you to click on something. If you do, your device may be infected with malware, spyware, or ransomware. At the very least, you may also lose personal information or even money.
Much like targeted marketing, spear phishing is when hackers target a specific group using messages that will appeal to them. For example, during an election, they might send Democrats a message implying that their voter registration was inaccurate and had to be fixed quickly or their vote won’t be counted. This type of attack provokes panic, and innocent victims might click and fill out details on an online form before they even realize what is happening.
How to Protect Yourself from Social Engineering Attacks
The best way to protect yourself from social engineering attacks is common sense and living on the defensive. Don’t immediately trust anything that arrives via email, unsolicited phone calls, or anything you see online. Some other tips to stay safe are:
- Don’t open an email attachment, and never click a link inside an email.
- Always sign up for multi-factor authentication when offered.
- If something sounds too good to be true, it is; walk away.
- Always keep your devices updated with the latest security patches and good antivirus/anti-malware software.