“Social engineering” is a newer term for an age-old pursuit: tricking people. Whether you use the modern-day terminology or opt for longer-standing classifications (like conning, hustling, and swindling), the result is the same. Scammers aren’t afraid to tell lies— and they often get what they want just by asking for it.
Social engineers take advantage of human tendencies to be open and trusting. All successful social engineering attacks have one thing in common: Someone believed something they shouldn’t have.
Cybercriminals use social engineering as the most common way to steal information and money. Social engineering is at the heart of all types of phishing attacks—those conducted via email, SMS, and phone calls. Technology makes these sorts of attacks easy and very low risk for the attacker. Make sure you’re on the lookout for these variants on the traditional, mass emailed phishing attack:
- Spear-phishing: This kind of attack involves often very well-crafted messages that come from what looks like a trusted VIP source, often in a hurry, targeting those who can conduct financial transactions on behalf of your organization (sometimes called “whaling”). The subject of these message is typically vague but will grab your attention because the sender’s name is one you recognize in a position authority. Keep an eye out for messages with subjects like “Hi or Hello ”, “Are you available?”, “Urgent request”, etc.
- SMSishing: Literally, phishing attacks via SMS, these scams attempt to trick users into supplying content or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.
- Vishing: Vishing (voice phishing) is a form of criminal fraud conducted over the phone. Vishing attacks typically attempt to gain access to private personal and financial information to reap financial rewards. But threat actors also use vishing calls to gather information about an organization and its employees in sophisticated, targeted “spear vishing” attacks. Like any good production, a vishing attack is designed to connect on an emotional level. Attackers will try to coerce you into making bad decisions, inventing scenarios that might make you feel fear, concern, or Attackers will often appear to be calling from a local number close to yours. As with SMiShing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.
But there is good news: If you are targeted, you are always in control. Don’t fall for the trap and the attack falls flat. Use these five tips to stay one step ahead of social engineering.
#1 Don’t Take Things at Face Value
This piece of advice can serve you in many ways, including the identification of social engineering traps. Social engineers need to win your trust, and they try to lure you in by creating a false sense of security:
- Phishing emails, smishing (SMS phishing) texts, lookalike websites, phony letters, and other communications might include names and logos of well-known brands to appear believable. Scammers know these visual cues can work to their advantage.
- Sender addresses and caller ID numbers can be spoofed— that is, disguised to look like an email or call is coming from a trusted contact. In some cases, incoming calls can even appear to be coming from your own phone number.
- Attackers sometimes pose as service technicians, prospective customers, and even law enforcement officers. Uniforms, badges, and business cards are easy to fake—and these simple efforts often pave the way for unauthorized access.
- Remember this: Surface clues are not enough to prove legitimacy. You must dig deeper.
#2 Ask Questions
Social engineering is often about finding the right motivation—and getting people to act in hurry. It’s important to pause and think before you give information or grant access to someone you don’t know. You should ask potential imposters questions to verify their identities, but you should also question yourself:
- Am I being pressured to act in haste?
- Am I certain this person is who he/she claims to be?
- What are the potential ramifications if this is a social engineering attack and I fall for it?
- Above all, you should feel comfortable and confident before acting on a request.
#3 Do Your Own Due Diligence
Let’s be perfectly clear: The most successful social engineers are savvy, persistent, and prepared. And they do their homework before perpetrating an attack. But if you are ready and willing to do your own digging, you can beat them at their own game. Here are some examples:
- Before interacting with an email, text, or social media message, go to the source. Visit a known website or call a trusted phone number to confirm an offer or request for information. Contact friends or colleagues to verify any out-of-character messages or social posts.
- Disconnect from any unsolicited call before providing sensitive data (like credit card numbers or details about customers and colleagues). Use a verified number to confirm an offer or request.
- Before granting unknown service providers or visitors access to your home or business, confirm they are who they say they are by contacting the organization they claim to work for.
#4 Don’t Be Afraid to Say ‘No’
Social engineers know that most people are non- confrontational with strangers. They know it’s in people’s nature to be accommodating and avoid awkward conversations. That’s why techniques like the following work so well:
- Eavesdropping on private conversations
- Shoulder surfing, which is peering over someone’s shoulder to spy on private PINs or other actions
- Tailgating or “piggybacking” behind someone through a secure entrance
Fight against that nature when the need arises. If someone you don’t know wants you to hold open a secure door, ask to see their access credentials. If you catch someone snooping as you’re entering confidential information into a computer or financial terminal, report them to security (and, if needed, change your password). Coming out of your comfort zone could protect you and/or your organization from a social engineering attack.
#5 Allow Yourself to Be a Little Paranoid
You don’t need to distrust everyone and everything, but it doesn’t hurt to allow yourself to be a
little paranoid when dealing with people you don’t really know. This is particularly true for faceless communications, like email, text messaging, phone calls, and social media posts.
Yes, many social engineers are at the top of their game. But a healthy dose of skepticism can help you stay alert to even the most sophisticated tricks and traps.
The Report a Phish button easily allows you to report email you believe is phishing to Information Security directly from your O365 or University Gmail account. Watch this video to learn how.
Don’t’ get hooked. #BeCyberSmart