How to Identify and Protect Against Social Engineering
The internet is a vast, complex network that connects the world in ways never dreamed possible prior to its invention in 19806 by Vinton Cerf and Bob Kahn. Unfortunately, there are bad actors on the world wide web and beyond who are working hard to find the most convincing ways to manipulate people and take advantage of them. Those of us who used the internet in the early 2000s knew that likely the most dangerous things on the internet were scary people in chat rooms and viruses from websites like LimeWire (although downloading the new Backstreet Boys songs felt worth the risk). Things have evolved. Crime has become more sophisticated, and it has become much more difficult to discern truth from fiction and safe interactions from potentially dangerous ones. Like chat rooms, Social Engineering poses a unique threat to people because connection and humanity are used as lures.
What Is Social Engineering?
A few years ago, my grandmother received a call from a man claiming to be my cousin. She felt something was off because he called her grandma instead of the pet name we all have for her. Regardless, once he shared his story, she became so concerned that she forgot about the wrong name. The caller told her that he was in trouble and needed her to drive to a pharmacy in the next town to bring gift cards and money to give to the police so he wouldn’t be arrested. There were red flags all over the place. Luckily, my grandmother realized that this was a scam and she refused to talk to them. She then called the police. When a scammer appeals to a person and their humanity or their good nature, the attack is classified as social engineering.5 Of course attacks occur not only over the phone but also online. Email attacks are fairly common, and phishing happens regularly. Phishing is an email attack in which the sender tries to secure personal information from the recipient with the intent to steal money or their identity. "Human hacking”5 is a term used for social engineering because the information that is stolen comes directly from human-to-human interaction.
How does social engineering work?
There are multiple social engineering attacks that are employed by criminals. The most common attack we will focus on in the bulk of our discussion is phishing. However, it’s important to understand the basic premise of each attack type in order to protect yourself. Below are common examples of how these social engineering attacks1 occur.
- Phishing: Clicking on a link in an email is a common way attackers gain access to sensitive information. Many times, attackers pretend to be someone you can trust in order to lure you into clicking.
- Malware: Downloading malware typically happens by accident—users are led to believe that they must download a program for a pressing reason. The software then infects the computer.
- Baiting: If you receive a promise of a prize or monetary gain in exchange for your personal information, you’re likely being baited.
- Quid-Pro Quo: Victims believe their attacker is a trusted individual in these attacks such as a tech expert who is lending a hand with a question.
- Tailgating: Allowing someone to follow you into a building or secure area rather than them needing their own credentials or badge, for example, can allow tailgating to occur.
- Vishing: Have you ever received a voicemail from someone who said they were with the IRS or an official office? Likely the caller was a criminal attempting to attack you via vishing aka voicemail phishing.
- Spear Phishing: Like phishing, clicking on links is the gateway for bad actors. However, just like in real fishing, spear phishing goes after big fish like companies and involves more precision from the criminals.
- Water-Holing: A water hole brings people or animals in to take a drink. Likewise, a water-holing attack draws unsuspecting people in by posing as a legitimate website that is actually infected with malware that can give criminals access to your computer and secure information.
- Pretexting: This is when the bad actors flex their acting skills. They will pretend to be someone you can trust or regularly do business with to gain access to your personal information.
What do all of these examples and scenarios have in common? Human emotion. Criminals are preying on their victims’ humanity and their desire to help take care of a problem or protect themselves. Criminals utilize urgency and scare tactics that make people take quick action without thinking through the possible dangers or even whether or not they can totally trust the person requesting the information.
Protecting Against Social Engineering
The best way to protect yourself from social engineering attacks is to take your time when making decisions online and elsewhere. Anyone who is rushing you to do something that isn’t part of your daily routine should be assessed fully before trusting them. Keep in mind that legitimate businesses are just as aware of the dangers of social engineering and they are actively working to protect their customers from the bad guys.
Phishing attacks4 put your most personal information at risk like identification numbers, banking information, and your passwords which can lead to complicated problems that can be quite difficult to rectify. My mother-in-law once received a phony email from someone claiming to be the FBI and asking for money. The email address was a Gmail account which raised a red flag and prevented her from proceeding, but vulnerable people who are, perhaps, less internet savvy or aware of the types of attacks out there can fall victim to this type of phishing.
One of the most important ways you can protect yourself from attacks like phishing is to install software that monitors for attacks. The second most important thing you can do, as mentioned before, is take pause when responding to emails or requests for information or payments. If something feels off, it might be. You can always call the company that is asking for information using the phone number you know and trust to be accurate in order to verify the legitimacy3 of any requests you receive. Again, since many companies are doing their part to prevent fraud, they will be happy to help you and most would never ask for sensitive information out of the blue.
Social Media and Speedy Cash
Social media is another place to watch for these types of attacks. Speedy Cash works hard to monitor our social sites to create an informative environment for all our customers. However, beware of scammers who may create false social media pages, impersonating us via pretexting. Learn to protect yourself! We want to make sure that customers understand the importance of carefully considering anyone who claims to be an expert or is posing as a company online. Speedy Cash will never ask for your personal information via social media nor make direct offers to you via social media. The internet can be a little scary, but as long as you keep your eyes open, ask questions, and stick to websites you know and trust when sharing personal information, it can become a little safer. However, never let down your guard.
Sources:
1Terranova Security (2023, Apr 14). 9 Examples of Social Engineering Attacks Retrieved from: https://terranovasecurity.com/examples-of-social-engineering-attacks/
2Harvard Business Review (July-August 2013 issue). The Uses (and Abuses) of Influence Retrieved from: https://hbr.org/2013/07/the-uses-and-abuses-of-influence
3Cybersecurity and Infrastructure Security Agency (CISA) (2021, Feb 1). Avoiding Social Engineering and Phishing Attacks Retrieved from: https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks
4Microsoft What is Phishing? Retrieved from: https://www.microsoft.com/en-us/security/business/security-101/what-is-phishing
5IBM What is social engineering? Retrieved from: https://www.ibm.com/topics/social-engineering
6Hogeback, Jonathan Who Invented the Internet Retrieved from: https://www.britannica.com/story/who-invented-the-internet#:~:text=Computer%20scientists%20Vinton%20Cerf%20and,referred%20to%20as%20the%20Internet.