Social Engineering in Cybersecurity: What You Need to Know

When most people hear about cyberattacks, they think about malware infecting computers. These types of hacks do occur. And you need the latest security technologies to defend your devices against them. But there is another dangerous threat that you must be aware of. It’s called social engineering.

Cybercriminals exploit human psychology to gain access to sensitive data. They use emails, social media, phone calls, and other channels to trick people into handing over valuable information.

Social engineering is an umbrella term covering a broad spectrum of threatening activity. Read on to learn about the most common types of social engineering and how you can protect yourself from it.


Phishing

Phishing is by far the most common form of social engineering, accounting for over 77% of attacks. Even if you’ve never heard the term before, you’ve likely experienced it. The best-known example is the Nigerian prince scam. The story varies, but usually a Nigerian prince promises you a lot of money in exchange for the use of your bank account. All they need to get started is a few of your personal details.

Phishing scams focus on three areas:

  • Harvesting personal information such as names, birth dates, and bank account details.
  • Using shortened or fake links to send the recipient to an infected website.
  • Making fraudulent urgent requests, often in the name of an authority, so that users rush to respond without thinking about security.

But every phishing email is different. Some are simple and easy to spot; others are subtler. Some give themselves away through grammar and spelling mistakes. More sophisticated criminals clone the landing pages of legitimate sites, and the only difference is that the credentials you submit go to the attacker instead.


Pretexting

Pretexting attacks focus on making a good, trustworthy impression on the target. The attacker creates a fabricated situation to collect small pieces of personal information, posing as a trusted contact or as a representative of an organization, for example a financial institution or your employer. They request seemingly harmless details such as full names, birth dates, and addresses, then use them to commit identity theft or to plan follow-on attacks.

Pretexting revolves around building trust rather than the urgency and fear that phishing scams rely on. The attackers establish a pretext credible enough that even savvy computer users believe it. For example, criminals can impersonate IT admins to trick targets into handing over user credentials. And it doesn’t happen only online: the same tricks can be used to convince you to let them into a building.


Baiting

Baiting has many features in common with phishing. But instead of urgency and threats, baiting offers something to entice victims. These cybercriminals don’t promise massive amounts of money. Instead, they offer something more believable, such as a free movie download, a promo code, or similar. The goal is to trick users into handing over their online account details.

And these attacks don’t happen only online. In July 2018, KrebsOnSecurity warned of a CD-based attack. The goal was for users to load the CD into their computers to infect them with spyware.

So be careful with free CDs and USB drives. Always scan any physical media before you plug it into your computer. And never give personal information to someone you don’t know.


Quid Pro Quo

Something for something. You scratch my back; I’ll scratch yours. Like baiting, these attacks provide benefits in exchange for information. They’re usually related to services instead of goods.

A common and dangerous Quid Pro Quo attack in recent years has been the impersonation of the US Social Security Administration. Attackers claim there’s a computer issue in the SSA office, and users need to confirm their Social Security Number. Of course, then they use it to commit identity theft.

But these attacks aren’t always so sophisticated. In some cases, users have given up sensitive information for as little as a cheap pen or free virus scan.


Tailgating

A tailgating attack is less common but more dangerous. Many refer to it as “piggybacking.” Someone without proper credentials follows an employee into a restricted area. In the physical world, it may be an attacker posing as a delivery driver to enter the building, and just like that, the employee lets them in through the front door.

It often happens in mid-size companies that don’t use keycards or similar security measures. One consultant at a financial firm even managed to set up an office and work there for days without being noticed.

Tailgating can happen in the digital world as well. When you visit infected websites or use insecure networks, hackers can follow your internet activity like a trail and then use other social engineering techniques to gain access to sensitive information. That’s why so many people connect to the internet through VPN servers to hide their IP address.


Protect Yourself Against Social Engineering

Malicious actors are all around you. They lurk not only online, but also in public places and even private offices. But there’s no need to panic. Instead, learn how to protect yourself.

Just as you use antimalware and antivirus software, you also need to learn the techniques for fending off social engineering attacks. As this digital consultant suggests, here are some of the essential strategies to follow:

  • Verify that senders are who they claim to be. If unsure, call the person in question before sending them sensitive information via email.
  • Never open links from questionable sources. If you receive a strange warning from Google or your email provider, that’s a sign of suspicious activity. Visit your account to make sure everything is okay, but don’t use the links in the email to do it.
  • Don’t trust strangers. You never would in the physical world, right? So why do it in the digital one? When working with new contacts, make them supply information that verifies their identity.
  • Never insert USB drives or other storage media without scanning them first. This includes your own drives.
  • Protect your internet connection with a VPN. Make sure you route all traffic through secure VPN servers.
  • Lock your laptop, phone, and other devices when you’re away from them.
  • Follow your company’s privacy policy and avoid letting strangers into your building. When in doubt, consult a supervisor.


Don’t let social engineering attacks threaten you. Protect yourself and start using these strategies right away.