You’ve been applying on various job sites when you receive an email—a recruiter is offering you a great position at above-market wages, citing the excellent resume that you’ve recently posted online. The email looks legitimate enough, if over-eager. You are directed to a link that takes you to the application site to fill out some information: name, birthday, address—what? You haven’t even had an interview.
Social engineers combine human psychology with social media research and technical intrusion to deceive, manipulate and influence victims who lack the knowledge and awareness to recognize such encounters, according to global cybersecurity firm Kaspersky Lab. By invoking fear, urgency and, in the example with the fake recruiter, excitement, social engineers get what they want: usually data that lets them steal information, identities and money. Users often undervalue the worth of personal details posted online, and so are more susceptible to these kinds of attacks. Names, birthdays, hometowns and pet names are helpful to attackers because they are often used in passwords and in the security questions that guard password resets. Social engineers draw on a wide range of attacks and scams, many of them very effective. Here are some of the most widely used:
Phishing is a fraudulent message sent via email, messaging or social media that tricks users into providing sensitive information, or into opening a link or attachment that installs malware on their computer. The messages claim to come from a known contact, such as a reputable business or individual, and may look legitimate, complete with logos and official or friendly language. Some of the worst imitate court notices, IRS refunds, job postings and package-tracking updates. Phishing works because it creates pressure: the message threatens a consequence, or dangles a benefit, unless the user acts immediately, before stopping to verify.
Spear phishing is a more focused kind of phishing. It works because the attacker has chosen a specific target and tailored the message to them. Business executives and government agencies are prime victims of this more sophisticated method, not only because the data they hold is sensitive, but because they are more likely to have a strong, researchable online presence that lets attackers learn the names, projects and relationships a convincing message needs.
Another variant of phishing, whaling, targets the "big prizes" that hold "big prize" information, such as business executives and senior government officials. Attackers may send emails raising false concerns built from information available online, or impersonate the executive to staff who report to them, in order to extract confidential information or authorize a payment.
Once a target audience has been identified, attackers can compromise a trusted website frequented by their targets and take advantage of weaknesses in its code, a technique known as a watering-hole attack. Their main goal is to inject code that redirects visitors to malicious sites designed either to install malware or to gather credentials by imitating a legitimate page that asks for personal information.
Some attackers want money rather than information. These popular scams typically send a fake system alert that scares users into clicking it, installing ransomware that encrypts their data. The attackers then offer to unlock it in exchange for a ransom. Do not pay if ransomware has compromised your system: every payment funds the next campaign and confirms to the attackers that victims will pay, and there is no guarantee that paying actually releases your data. Instead, disconnect the affected machine, consult a professional, and restore from backups; reporting the incident also helps limit this kind of attack.
Pretexting obtains personal information by creating a false pretext or scenario that builds trust in the victim so the attacker can exploit that trust to acquire desired information. With the help of social media, attackers can use knowledge about the individual to engage with them and further gain their confidence.
The promise of something good can be just as influential as fear or a threat. A tangible item or prize like a free music or movie download can be all it takes for malicious code to enter a victim’s computer. “Bait” isn’t limited to software—physical media like give-away USBs can also hold malware.
Quid Pro Quo
Similar to baiting, quid pro quo offers a benefit or service in exchange for information or access. A common tactic is for a hacker to impersonate an IT worker asking a user to deactivate their anti-virus software so that they can install an update when, in reality, they are installing malware.
With so much personal information floating around on social media, attackers can find easy ways to approach targets with a little research. Personal details and interests can be used to guess passwords and security-question answers, or to build a convincing identity theft. Targeted ads and comments that lead to malicious sites are other frequent methods of attack.
Outside the digital realm, social engineers use the same psychology to get into places they are not authorized to enter and steal information there, a practice known as tailgating or "piggybacking." Offices are often compromised by attackers posing as couriers, package deliverers or maintenance staff to gain access to a restricted area. They may ask for help getting through a door with their hands full, or strike up a conversation with an employee and feign familiarity, relying on people's desire to be nice or helpful to get through doors without showing a badge.
Awareness and Security
Avoidance begins with awareness and education. Some identifying features of social engineering are:
- Suspicious emails, URLs and attachments. Don't open anything from an untrustworthy source. Hover over links to check that the address the link actually points to matches the address it displays. A quick call to the supposed sender can usually reveal an imposter posing as your bank or an acquaintance; use a phone number you already have on file, never one supplied in the suspicious message itself.
- Poor spelling and grammar. Less sophisticated attacks are often full of language errors, though a polished message is not proof of legitimacy. Sometimes, searching for a copy-pasted segment in quotation marks on Google will reveal others who have been targeted with the same message.
- If it seems too good to be true, it probably is. Never trust a stranger asking for personal information, even if they promise something good in return.
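The link and sender checks described above can be automated for mail arriving at an organization. The following script is an added example and is not code from the original article or from Kaspersky Lab; it parses a raw email, flags a protected display name (for instance an executive's, the whaling case) arriving from an outside domain, a Reply-To that differs from the From address, and HTML links whose visible text points to one host while the href points to another or to a lookalike host. The trusted domain `example.com`, the protected names, the sample message and the organization policy it encodes are all assumptions constructed for the example.

```python
"""Triage a raw email message for common phishing tells (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed organization settings, not from the article.
TRUSTED_DOMAINS = {"example.com"}
# Display names that should only ever arrive from a trusted domain.
PROTECTED_NAMES = {"jane doe", "example corp it support"}

# Visible anchor text that itself looks like a URL or host name.
_URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_a = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a, self._href, self._text = True, dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.links.append(("".join(self._text).strip(), self._href or ""))
            self._in_a = False


def _host(url):
    """Lower-cased host part of a URL; bare host names get a scheme added."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_headers(msg):
    """Display-name spoofing and Reply-To mismatch checks."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_host = addr.rpartition("@")[2].lower()
    if name.strip().lower() in PROTECTED_NAMES and not _is_trusted(from_host):
        findings.append(f"display-name spoof: '{name}' sent from external domain {from_host}")
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_host = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_host != from_host:
        findings.append(f"reply-to mismatch: From {from_host}, Reply-To {reply_host}")
    return findings


def check_links(html_body):
    """Visible-text vs. href mismatch and lookalike-host checks."""
    findings = []
    parser = _LinkCollector()
    parser.feed(html_body)
    for text, href in parser.links:
        href_host = _host(href)
        # The "hover over the link" check: text shows one host, href goes elsewhere.
        if _URLISH.fullmatch(text) and _host(text) != href_host:
            findings.append(f"link text '{text}' but href goes to {href_host}")
        # Host that merely contains a trusted brand, e.g. example.com.login-verify.net.
        for domain in TRUSTED_DOMAINS:
            if domain.split(".")[0] in href_host and not _is_trusted(href_host):
                findings.append(f"lookalike host: {href_host} resembles {domain}")
    return findings


def triage(raw_message):
    """Return a list of findings for one raw RFC 5322 message (empty = nothing flagged)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = check_headers(msg)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(check_links(body.get_content()))
    return findings


# Constructed sample message modelled on the fake-recruiter scenario; not a real campaign.
SAMPLE = """From: Jane Doe <jane.doe@mail-example.net>
To: user@example.com
Reply-To: recruiting@fast-hire-jobs.net
Subject: Urgent: confirm your details within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://example.com.login-verify.net/apply">https://careers.example.com/apply</a> today.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG:", finding)
```

The sample trips all four checks: the protected name "Jane Doe" arrives from `mail-example.net`, replies are steered to a third domain, the visible link text names `careers.example.com` while the href goes to `example.com.login-verify.net`, and that host contains the brand without being a subdomain of the trusted domain. A plain-text message from a trusted address with no Reply-To produces no findings.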
However, just knowing about common attacks and scams cannot by itself stop an actual infiltration. Technical controls limit the damage when someone is fooled:
- Use reputable anti-virus software and firewalls to keep malware out and safeguard information and documents.
- Always lock your computer before walking away from your desk.
- Require two-factor authentication, at minimum for higher-security information and for the senior staff who work with it, so that a stolen password alone is not enough to log in.
- Regularly back up data, and keep copies offline or otherwise out of reach of an attacker on the network, to prevent complete loss in case of an attack.
If you are concerned your employees could be susceptible to a social engineering attack, you may consider testing your employees with a social engineering test done by a third party to keep them vigilant.