What Is Social Engineering?

Social engineering is a common form of hacking used to gather sensitive information from a target who would otherwise not disclose it. Instead of exploiting software, the attacker exploits psychological triggers and interacts directly with the target to trick them into handing over information without realizing it. Like any conversation, this is rarely a one-step process; it usually takes several steps to slowly gain the target's trust until they reveal what the attacker is after. On average it is a four-step process, as the diagram below shows. The first step is to gather information about the target through research or other means. The second is to hook the victim or victims and gain their trust, usually with a believable story, so they will share information they would not otherwise reveal. In step three it is better to give the target time to process everything and follow up later, so that a relationship is established; only then does the attacker ask the targeted questions they actually care about, for personal information such as security codes, PINs, credit card numbers, or account access. Lastly, and probably the most important part, is exiting the interaction without raising suspicion.

Social Engineering Attack Lifecycle

In every system the weakest and most vulnerable component is the human element. As humans we have a choice: we can disregard rules and offer up information based on logic and/or emotion, and both can be manipulated. Unlike software, which behaves the way it was built to, it is much harder to predict what users will think and do. Because of that, there is no patch or firewall rule that fixes social engineering outright; awareness, verification habits, and the safeguards listed below are what limit the damage.

What Are The Different Social Engineering Attacks?

Just like computer hacking, there are several types of social engineering attacks. A few we will talk about are baiting, scareware, pretexting, phishing, and spear phishing.

  • Baiting – this type of attack is just what it sounds like. It is bait, meant to pique the victim's curiosity into doing something they otherwise would not. The bait can be physical or virtual. A physical bait could be a flash drive or CD left where the target will find it, labeled as if it holds sensitive data, so that curiosity leads the target to plug it into a device to view the contents. A virtual bait could be a blog or post offering free software such as Office or Windows that the target clicks to download. In both cases the bait can plant a virus, malware, or something else on the device, giving the attacker control of the system and access to its data.
  • Scareware – this is one of the most common forms, and most if not all users have encountered it at least once. Scareware shows a pop-up on a website or on your computer stating that you have been hacked or a virus has been found, and that to clean your computer you must either install software or call a company so they can install it and clean everything for a fee. The same lure is also distributed by email.
  • Pretexting – this is another common form of attack that tries to get personal with the target, usually by claiming to need sensitive information to confirm the target's identity or to perform a critical task. A common example is the IRS phone scam, which pressures you to pay money and, in the process, gets you to confirm identifying details such as your address, Social Security number, and phone number.
  • Phishing – this may be the most popular attack of them all. The attacker sends an email to many victims stating that their account is at risk and they must update their settings to secure it. Common examples anyone with an email address has seen are Facebook alerts saying your account has been hacked or your password needs to be updated. Because these emails look near identical to emails from the real source, most people do not give it a second thought and log in through the link provided in the email, which hands the attacker their credentials.
  • Spear Phishing – this is almost identical to phishing but much more targeted, at a specific individual or company. Rather than a generic email saying “Your Facebook Account Was Hacked” with a legitimate-looking design that could be sent to anyone, it would be personalized: “Hello James, Your Facebook Account Was Hacked. Please Update Your Credentials ASAP”. Because the person's name appears in the message, it reads as far more personal, which buys the attacker more trust than the generic phishing method.

How Can You Protect Yourself From Social Engineering?

There are several ways to protect yourself from social engineering. We will try to give you an example of how to prevent each attack mentioned above.

  • Baiting – the easiest way not to fall for this trap is to resist your curiosity. If you see a USB drive or CD sitting on a table and it is not meant for you, do not take it, and never plug an unknown device into your computer. If it appears to be meant for you, confirm with the person who supposedly left it, and in a workplace hand it to IT rather than opening it yourself.
  • Scareware – keep in mind that Microsoft, Google, Facebook, or anyone else will never contact you out of the blue to tell you that your computer is infected with a virus; they do not have the time or the resources to spread themselves that thin. If you see a screen stating something along those lines that did not come from the antivirus software installed on your system, do not call the number or install anything; close the browser and ask someone more computer-savvy to confirm whether it is actually a virus or just scareware.
  • Pretexting – just like the recommendation above, the IRS, your bank, or the police will not call or email you demanding immediate payment or asking for your password, PIN, or full Social Security number. DO NOT FALL FOR THIS. This method is very common against the older generation, so keep an eye out for it. Government agencies reach out by mail or in person; if a caller claims to be from your bank, hang up and call back using the number printed on your card or on the official website, never a number the caller gives you.
  • Phishing/Spear Phishing – always look at the email a second time before clicking any link in it. Hover over the link (or copy it) and verify that it really points to the source it claims. For example, if you see a link from Facebook stating that you need to reset your password, hover over it and read the address, which should look like https://something.facebook.com/blahblahblah. The important part is facebook.com, the domain name (the website). Anything before it, like the "something." here, is a subdomain, which is controlled by whoever owns the domain, and anything after the first slash is just a page on that site. Read the host name from right to left: if the part just before the first slash is anything other than facebook.com, it is most likely a phishing attack. Watch for lookalikes such as facebook.com.example.net (the real domain there is example.net) or faceb00k.com. If you are not sure, the safest option is to go directly to the real website by typing the address yourself and change your password or update the requested details there, rather than clicking the link in the email.
  • Antivirus/Antimalware – always have some sort of antivirus/antimalware installed on your computer and make sure it is kept up-to-date. Remember, as technology advances, so do threats.
  • Two-Factor/Multi-Factor Authentication – we recently wrote a blog about this and how important it is to have it enabled. In the event you fall for one of these traps and accidentally provide your password to a hacker, having this enabled can still keep your account from being accessed, because the attacker also needs the additional factor.
  • Bitwarden/LastPass/etc. (optional) – get a password manager and keep all your logins in it. Not only can it generate a strong password you never need to memorize, but every account can have a different one, and you only have to remember a single master password for all of them. Combined with 2FA/MFA on your accounts, that is a level of security that is very tough for any hacker to break through.
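To make the hover-and-check-the-domain advice from the phishing item concrete, here is an added Python example (it is not code from the original post). It pulls every link out of a constructed sample email body, extracts the registrable domain of each real href, and flags links whose domain is not on an expected-domain allowlist, that use plain http, or whose visible text shows a different domain than the address actually points to. The allowlist (facebook.com), the sample email, and the helper names are assumptions for illustration, and the "last two labels" domain rule is a simplification: real tooling uses the Public Suffix List so that a domain like bank.co.uk is not reduced to co.uk.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domains the recipient actually expects an account-security email from.
# Constructed allowlist for this example; adjust per sender.
EXPECTED_DOMAINS = {"facebook.com"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the registrable domain of a URL ('facebook.com' for
    'https://www.facebook.com/login'), or None if it does not parse.
    Assumption: a two-label registrable domain. Production code should
    consult the Public Suffix List instead."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname drops userinfo and port and lowercases, so
    # 'https://facebook.com@evil.net/' yields 'evil.net', not 'facebook.com'.
    host = parts.hostname
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return None
    if all(label.isdigit() for label in labels):
        return host  # bare IP address; never what a real service link looks like
    return ".".join(labels[-2:])


def classify_link(href: str) -> str:
    """Verdict for a single href, mirroring the hover-and-read-the-domain check."""
    dom = registrable_domain(href)
    if dom is None:
        return "unparseable"
    if dom not in EXPECTED_DOMAINS:
        return "suspicious: domain is " + dom
    if urlsplit(href.strip()).scheme.lower() != "https":
        return "suspicious: " + dom + " over plain http"
    return "ok: " + dom


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_email_html(html: str) -> List[Tuple[str, str, str]]:
    """Return (visible text, real href, verdict) for every link in an email body.
    Besides classify_link, it notes when the visible text is itself a URL whose
    domain differs from where the href really goes (the classic hover mismatch)."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        verdict = classify_link(href)
        shown = None
        if text.lower().startswith(("http://", "https://")):
            shown = registrable_domain(text)
        if shown is not None and shown != registrable_domain(href):
            verdict += " (visible text shows " + shown + ")"
        results.append((text, href, verdict))
    return results


# Constructed sample email body; none of these links or hosts is real.
SAMPLE_EMAIL = """
<p>Hello James, your Facebook account was hacked. Please update your credentials ASAP.</p>
<a href="https://www.facebook.com.account-verify.net/login">https://www.facebook.com/settings</a><br>
<a href="https://facebook.com@198.51.100.7/reset">Reset password</a><br>
<a href="http://www.facebook.com/help">Help Center</a><br>
<a href="https://www.facebook.com/settings/security">Security settings</a>
"""

if __name__ == "__main__":
    for text, href, verdict in audit_email_html(SAMPLE_EMAIL):
        print(f"{verdict:70} text={text!r} href={href}")
```

Run it and the first link is flagged because the real domain is account-verify.net even though "facebook.com" appears in the host name and in the visible text; the second is flagged because the part before the @ is discarded and the link really goes to an IP address; the third is the right domain but over plain http; only the last passes.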