10 Things You Need to Know about Social Engineering
7 Nov 2016
We’re all familiar with the “WarGames” or “Tron” image of internet criminals: sophisticated, gadget-savvy, mysterious. But most hackers don’t rely on gadgetry or getaway cars at all. Instead, they use a simple – yet staggeringly powerful – trick of the trade: psychology.
Using psychological tools to manipulate users into giving up confidential information is called social engineering. And though it often seems like social engineers come up with new and ingenious tactics every day, there are a few easy steps we can take to guard against their traps. Just as your parents told you not to open the door for a cop until she shows you her badge, the first step is being aware, and knowing what to look for.
1. Scammers exploit your best qualities.
Hackers who use social engineering to go after users’ information know that people are generally kind and curious – and take advantage of it. It’s common for scammers to send emails with subject lines such as “Help – in trouble!” that go on to ask the user for money, or “An easy way to improve your memory” with a link to a site that installs malware onto the user’s computer.
2. But they also exploit your worst qualities.
On the other side of the coin, hackers are also deeply aware of the less-good qualities in all of us. Bold, flashing lights that appear on websites and warn “download this antivirus in twenty seconds, or your computer crashes!” prey on our fear, while emails from long-lost relatives with a million dollars to spare prey on our greed. If it’s too good to be true, it’s probably malware.
3. Be wary of suspicious emails from friends’ accounts.
Once a scammer has secured your friend’s password (or set up a fake email address that looks like your friend’s), they can wreak havoc on their contact list. If a friend sends you an email that doesn’t sound quite right or contains a weird, suspicious link, don’t open it.
4. Scammers’ messages usually tell an elaborate story.
Hackers know that people respond to good stories. As such, they use a method called pretexting to set up a story that motivates you to do what they need to get your information. A friend urgently needs you to wire them money; a website needs you to verify your information by clicking a link and providing your Social Security number; you’ve just won a million dollars, if you’ll only click on this link to claim it…
5. Social engineers know what you want.
Similar to pretexting, scammers use a method called baiting to steal users’ information. Baiting is exactly what it sounds like: promising you a link to download a movie that hasn’t come out yet, for example, or free antivirus software. Once you go to claim your prize, the hackers can nab your credit card information.
6. Fraudsters like to emulate the good guys.
Savvy fraudsters who engage in quid pro quo attacks impersonate credit card companies, IT service people, or even the IRS to get their hands on your information. For example, a scammer might give their target a call to offer free antivirus software. Once the user installs the software, the fraudsters can take over their computer.
7. Scammers often rely on carelessness.
More sophisticated and nefarious scammers can get their hands on sensitive data by tailgating, or following an authorized person into a secure area. They simply wait for an employee to swipe their ID card, and then follow closely behind them.
8. Slowing down is half the battle.
Most of us have been victims or near-victims of phishing attacks: links, images, documents, or music files that, once clicked, infect your computer with malware. Instead of immediately clicking on emailed links, take a second to stop and think about the authenticity of the email.
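What “stop and think about the authenticity of the email” can look like when a mail client or gateway does the thinking for you: the added example below (not code from the original article) pulls every link out of an email body and flags the two tricks points 3 and 8 describe, link text that shows one site while the href goes to another, and hosts that borrow a trusted brand name under an unrelated domain. The sample email, the trusted-domain list and the heuristics are all constructed assumptions for illustration.

```python
"""Added example, not from the original article: flag deceptive links in an
email body. All sample data and thresholds below are constructed assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the one domain this recipient genuinely banks with.
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed phishing-style email body with one honest link and two deceptive ones.
SAMPLE_EMAIL = """
<p>Your account has been locked. Please
<a href="http://example-bank.com.account-verify.net/login">verify your account</a>
at <a href="http://login.attacker.example/x">https://example-bank.com/secure</a>.
Questions? Visit <a href="https://example-bank.com/help">our help center</a>.</p>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a host ('a.b.example.com' -> 'example.com').
    Rough approximation; production code should consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text: str) -> bool:
    """True when the visible anchor text reads like a URL or hostname."""
    head = text.lower().split("/")[0]
    return text.lower().startswith(("http://", "https://", "www.")) or (
        "." in head and " " not in head
    )


def classify(href: str, text: str):
    """Return a reason string if the link is suspicious, else None."""
    host = urlparse(href).hostname or ""
    domain = registrable_domain(host)
    # Trick 1: the text displays one site, the href goes somewhere else.
    if looks_like_url(text):
        shown = text if text.lower().startswith(("http://", "https://")) else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        if registrable_domain(shown_host) != domain:
            return f"text shows {shown_host!r} but link points to {host!r}"
    # Trick 2: a trusted brand label appears in the host, but the registrable domain is not trusted.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if domain != trusted and brand in host:
            return f"host {host!r} imitates trusted domain {trusted!r}"
    # Weak signal: credential-themed wording over plain http.
    if urlparse(href).scheme == "http" and any(w in text.lower() for w in ("login", "verify", "account")):
        return "credential-themed link over plain http"
    return None


def check_links(html: str) -> list:
    """Return [(href, reason)] for each suspicious anchor in the email body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, reason) for href, text in collector.links
            if (reason := classify(href, text)) is not None]


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the constructed email it reports the look-alike host `example-bank.com.account-verify.net` and the anchor whose text reads `https://example-bank.com/secure` while its href goes to `login.attacker.example`; the genuine help-center link passes. The heuristics are deliberately simple and will produce false positives on real mail, which is fine for a "slow down and look" aid but not for automatic blocking.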
9. Use good passwords to foil potential scammers.
Most fraudsters are looking for an easy target. They don’t have the time or resources to risk going after a savvy Internet user. So…be a savvy user! Use sophisticated passwords and multi-factor authentication to keep your information safe, and change your passwords often.
10. Pay attention to accounts and account activity.
Monitor your accounts closely for suspicious behavior, like someone logging into your email account from across the country. If something doesn’t look quite right, change your passwords.
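The “someone logging into your email account from across the country” signal in point 10 is what detection engineers call an impossible-travel rule: two successful logins for one account from places too far apart to reach in the time between them. The added example below (not code from the original article) runs that rule over a handful of constructed login records. The log format, the IP-to-location table standing in for a GeoIP database, and the 900 km/h threshold are all assumptions for illustration.

```python
"""Added example, not from the original article: impossible-travel detection
over constructed login records. Data, format and threshold are assumptions."""
import math
import re
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP lookup: ip -> (city, latitude, longitude).
GEO = {
    "198.51.100.7": ("Boston", 42.36, -71.06),
    "198.51.100.22": ("Boston", 42.36, -71.06),
    "203.0.113.9": ("Los Angeles", 34.05, -118.24),
}

# Constructed login log in a simple key=value format.
LOG_LINES = [
    "2016-11-07T08:12:03Z user=alice ip=198.51.100.7 result=success",
    "2016-11-07T08:40:19Z user=alice ip=198.51.100.22 result=success",
    "2016-11-07T09:15:44Z user=alice ip=203.0.113.9 result=failure",
    "2016-11-07T09:16:02Z user=alice ip=203.0.113.9 result=success",
    "2016-11-07T10:02:00Z user=bob ip=203.0.113.9 result=success",
]

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(\S+)$")


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": ts, "user": m.group(2), "ip": m.group(3), "result": m.group(4)}


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_impossible_travel(lines, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Return one alert per successful login that would have required travelling
    faster than max_kmh from the same user's previous successful login."""
    last = {}      # user -> previous successful login record
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "success":
            continue                     # failures do not move the user's position
        loc = GEO.get(rec["ip"])
        if loc is None:
            continue                     # unknown IP: nothing to compare against
        prev = last.get(rec["user"])
        if prev is not None:
            prev_loc = GEO[prev["ip"]]
            km = haversine_km(prev_loc[1], prev_loc[2], loc[1], loc[2])
            hours = (rec["time"] - prev["time"]).total_seconds() / 3600.0
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append({
                    "user": rec["user"],
                    "from": prev_loc[0],
                    "to": loc[0],
                    "km": round(km, 1),
                    "minutes": round(hours * 60, 1),
                    "time": rec["time"].isoformat(),
                })
        last[rec["user"]] = rec
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(LOG_LINES):
        print(f"ALERT {alert['user']}: {alert['from']} -> {alert['to']} "
              f"({alert['km']} km in {alert['minutes']} min) at {alert['time']}")
```

On the constructed log the rule stays quiet for alice's two Boston logins, ignores the failed attempt, and fires once when a successful login from Los Angeles arrives about 36 minutes after the last Boston one; bob has no earlier login to compare with. Real deployments need to allow for VPNs and mobile carrier exits that place users far from where they sit, so a hit is a prompt to verify with the user and, as the article says, change the password, not proof of compromise by itself.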