What is Social Engineering?
Social engineering refers to the ways a cyber criminal manipulates individuals into giving away access or personal information that can be used for fraudulent purposes. Put simply, it is a thief tricking you into thinking you know and/or trust who they are so you do what they want. Falling for one of these scams can result in your identity being stolen, your money being stolen, or your information (photos, files, etc.) being held for ransom until you pay.
Read below for the 5 most common types of social engineering scams, along with ways to outsmart them.
1. Phishing
Phishing is the most common type of fraud. It is typically delivered in the form of an email, chat, web ad, or website designed to impersonate a real system or organization. These messages are often crafted to deliver a sense of urgency and importance to get you on the hook, and they frequently appear to be from the government or a major corporation, complete with logos and branding. (A recent example targeted Netflix customers.)
How to Avoid:
Think before you click! If you did not expect the message, go ahead and be skeptical of it. If it is asking you to go to a website to “verify” or “update” your information before some drastic action takes place, you can be downright suspicious. Hover your mouse over the link, but do not click. Check that the link information looks valid, i.e., that it matches the company it’s supposed to go to and does not have any spelling mistakes or strange characters in it. Then, even if you think the link looks okay, open a browser window and go to the company’s website by typing it in or searching for it. Do not use the link in the email. When legitimate account updates are required, you can always log in on your own and see what messages are waiting for you.
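The link checks described above (does the address match the company, does it contain spelling mistakes or strange characters) can be written as a small Python function. This is an added example, not part of the original article; the trusted-domain list, the function names and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = {"netflix.com", "example.org"}  # constructed: sites you really use

def registered_domain(host):
    # Naive: last two labels. A production tool would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance, to catch one- or two-character misspellings.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(shown_text, href, trusted=TRUSTED):
    """Return reasons to distrust a link; an empty list means no check fired."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    domain = registered_domain(host)
    # "Strange characters": non-ASCII letters, punycode labels, or user@host tricks.
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        reasons.append("strange characters in host")
    if parts.username:
        reasons.append("text before @ hides the real host")
    # The visible text names one site but the link goes to another.
    shown = shown_text.strip()
    if "." in shown and " " not in shown:
        shown_host = urlsplit(shown if "//" in shown else "//" + shown).hostname or ""
        if registered_domain(shown_host) != domain:
            reasons.append("shown address does not match destination")
    # "Spelling mistakes": close to, but not exactly, a domain you trust.
    if domain not in trusted:
        near = [t for t in trusted if edit_distance(domain, t) <= 2]
        if near:
            reasons.append("looks like a misspelling of " + sorted(near)[0])
        elif any(t in host for t in trusted):
            reasons.append("trusted name used inside an unrelated domain")
    return reasons
```

An empty result only means none of these checks fired; typing the company's address yourself remains the safer route.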
2. Baiting
In keeping with the fishing lingo, baiting involves offering something enticing to an end user in exchange for private data. The “bait” comes in many forms, both digital, such as a music or movie download, and physical, such as a branded flash drive labeled “Executive Salary Summary Q3 2017” that is left out on a desk for someone to find. Once the bait is taken, malicious software is delivered directly into the victim’s computer.
How to Avoid:
Remember those too-good-to-be-true club deals that offered 10 CDs or books for a penny? Then it turned out that you were secretly agreeing to a membership requiring you to buy a certain number of products at full (overblown) price that usually cost hundreds of dollars in total? Think of baiting like that. If it’s not something you asked for, and it seems like something-for-nothing, then you should probably just ignore it. And no one should EVER insert a CD or thumb drive into a computer (especially at work) without knowing who it is from and what is on it. That’s a good way to take down your entire network.
3. Quid Pro Quo
Similar to baiting, quid pro quo involves an exchange, usually a request of some private data in order to receive a service. For example, an employee might receive a phone call from the hacker posing as a technology expert offering free IT assistance in exchange for login credentials.
How to Avoid:
While perhaps not as creepy as Hannibal Lecter from The Silence of the Lambs, quid pro quo can still cause horrors. Treat these unsolicited phone calls the same way you would those phishing emails: thanks but no thanks. No reputable business offering its services would expect access to your system, so don’t give anyone your login credentials.
If the service is something you are interested in and they are not asking for login credentials, search for the name of the company while you are on the phone with them. Ask questions about how long they’ve been in business and who else they’ve worked with so you can follow up with people you know and trust. You can also ask them to mail more information and be sure to use your business’s public mailing address. Do not give out your email address. Hackers can probably find it, but you don’t have to make things easier for them.
4. Pretexting
Pretexting is when a hacker impersonates a co-worker or figure of authority within the company in order to gain access to private data. For example, a hacker may send an email or a chat message posing as the head of IT Support who needs private data in order to comply with a corporate audit (that isn’t real).
How to Avoid:
This one can be very difficult to spot. Especially in large companies, you may not personally know all of your coworkers. Ask yourself then, why would a coworker need to know your mother’s maiden name, your bank, or your pet’s name? It should automatically raise suspicion for anyone to ask for your SSN or any account numbers (and you shouldn’t answer), but issues can become cloudy if a hacker sounds like a friend who just wants to know which phone company you use.
The easiest way to be sure is to get up and go see them face-to-face. When that isn’t possible, you can shoot the person a text or email if the pretexting came in as an unsolicited call. Conversely, you can call someone who emails. Any legitimate projects at work should be verifiable by someone else in the company, and you should always be able to check with your HR department on issues requiring your private information.
5. Tailgating
When an unauthorized person physically follows an employee into a restricted corporate area or system, they are tailgating. The most common example of this is when a hacker calls out to an employee to hold a door open for them as if they’ve forgotten their RFID card. Another example of tailgating is when a hacker asks an employee to “borrow” a private laptop for a few minutes, during which the criminal is able to quickly steal data or install malicious software.
How to Avoid:
The best way to avoid allowing this kind of criminal access is by knowing and following all of your company’s security policies. If you work in a secure building, don’t hold the door open for people you don’t personally know and work with. If they also work there, they should know better than to ask you. The same goes for sharing equipment: if your company policy does not allow it, simply state that when asked and direct the person to a public access area or appropriate department head or security officer. No one wants to be rude or unfriendly, but security policies exist for very good reason and should always be followed.
One final reminder for all of these scams is to tell your IT team! Trust your instincts when something ‘doesn’t seem right,’ and let your technology specialists know about it. You can protect your company and possibly even keep that scam from bothering any of your coworkers, too. You can also send us any other cyber security questions you may have. We’re here to help keep you and your data safe.