Protecting your privacy takes more than running a privacy-oriented Linux distro and using a password manager. Many security experts believe the weakest link in any system is the human that operates it.
In this article, we’ll learn what social engineering is and why it is such a threat. Then we’ll look at some of the social engineering attacks that bad guys can use against you, both online and offline. We wrap it up with a few tips for protecting yourself from social engineering attacks.
What is Social Engineering?
Merriam-Webster defines social engineering as the “management of human beings in accordance with their place and function in society.” That sounds a little creepy in itself. But in recent years, the phrase has taken on a more manipulative, sinister meaning.
Today, social engineering means something like “manipulating people to give you confidential information.” When we talk about social engineering here, this is the sense that we’re using.
Why Social Engineering is Such a Threat
Criminals use social engineering because it is usually easier than breaking into a computer system. Tricking someone into telling you something they shouldn’t is relatively easy, because most people are trusting of others.
It doesn’t matter how secure your computer system is. Or where you stashed your personal documents. Or how many guards are in front of your offices. Social engineering attacks sidestep all that.
Famous ex-hacker Kevin Mitnick often used social engineering attacks to get into “secure” computer systems.
“Anyone who thinks that security products alone offer true security is settling for the illusion of security.” – Kevin D. Mitnick, The Art of Deception: Controlling the Human Element of Security
Criminals use social engineering attacks both online and offline. Now we’ll look at some of the most common types of attack and what you can do to defend yourself against them.
Let’s start with some of the online social engineering attacks beloved by hackers.
“A hacker is someone who uses a combination of high-tech cyber tools and social engineering to gain illicit access to someone else’s data.” – John McAfee
Some Online Social Engineering Attacks
Here are a few of the most common online social engineering attacks:
- Spear Phishing
- Baiting
Spear Phishing
According to the Department of Homeland Security website, a phishing attack “uses email or malicious websites to solicit personal information by posing as a trustworthy organization.”
You’ve seen this kind of attack. We all get emails from official-sounding organizations claiming there’s a problem with our account, or they need to verify our credit card information.
The goal is to get you to click on the link in the email. That link will take you to a legitimate-looking, but phony, website for the organization. The website will be set up to trick you into entering your credit card data, Social Security number, or whatever it is that the crooks want to steal.
Spear phishing is a type of phishing attack where the attacker customizes the phishing email using personal information about the intended victim. In December 2018, the US Internal Revenue Service (IRS) published a warning about several spear-phishing scams.
These scams were meant to gather the information that goes on IRS Form W-2. Their targets were small businesses. The bad guys would use the information to open credit card accounts, file fraudulent tax returns, open lines of credit, and so on.
Spear phishing attacks rely heavily on pretexting, the fabricated story that makes the request look legitimate. We cover pretexting in the offline attacks section below.
Baiting
Baiting attacks are somewhat similar to phishing attacks. The difference is that baiting attacks offer the target something they want instead of resolving a problem. In these kinds of attacks, you might be offered free music, copies of new movies, or some other prize. To claim it, you would be required to enter whatever personal information the crook is after.
Baiting attacks can also occur offline. One such attack involves leaving USB sticks lying around somewhere employees of a target company might find them. The chances are good that someone will pick one up and plug it into their computer, letting whatever malicious software it contains loose inside the organization. Disabling autorun only goes part of the way: a stick can be built to present itself as a keyboard and type commands the moment it is plugged in, so the only safe move is to hand a found device to IT without ever connecting it.
Some Offline Social Engineering Attacks
Here are some common types of offline social engineering attacks:
- Pretexting
- Tailgating
- Vishing (Voice Phishing)
Pretexting
Pretexting is using a fabricated story, the pretext, to trick someone into giving up information they should not share. Pretexting attacks can be run both online and offline. They are often used to get the personal information needed to set up spear phishing attacks.
An offline example might be someone who calls you, pretending to be from a lawyer’s office. You’ve just inherited a lot of money from a distant relative. All you need to do is provide certain information to prove your identity, and the lawyer will wire you the money. The pretext for the call is the phony inheritance.
Tailgating
Tailgating usually involves passing through a controlled door, turnstile, or other electronic access system on someone else’s credentials. The person following close behind you as you badge through might not be a fellow employee at all. Instead, they might be riding on your access to get somewhere they don’t belong.
Vishing (Voice Phishing)
Vishing, or Voice Phishing, is the telephone equivalent of a phishing attack. There are several versions of this attack, but all use the telephone system. They aim to get the victim to divulge a credit card number or some other personal information in response to an official-sounding phone call.
These scams usually use VoIP (Voice over IP) technology to simulate the automated phone system that a real company might use. Caller ID is no protection: over VoIP the number displayed is chosen by the caller, and it is routinely spoofed to show a bank’s or agency’s genuine number. Phone systems used to be considered safe and trustworthy, which makes people more vulnerable to vishing scams.
How to Defend Yourself from ONLINE Social Engineering Attacks
We’ve looked at some of the more common online social engineering attacks in use today. But what can you do to protect yourself from them?
Here are some practices that will reduce your chance of getting scammed:
- Don’t open unexpected email attachments. If you receive an unexpected attachment, the chances are good that it is malicious. At work, contact the company IT department. Otherwise, contact the sender (if you know them) through a channel you already trust, such as a phone number you have on file, rather than by replying to the message, since a reply goes straight to whoever actually sent it. Find out why you received it before opening any unexpected attachment.
- Look up websites on your own. Remember that phishing-type attacks usually direct you to a fake website. You can avoid their trap by typing the website address yourself, or using a bookmark you saved earlier, rather than clicking on a link in an email message or attachment. If you do find yourself on a website you are unsure about, check out the URL (the address) that appears in the browser address box. While it is possible to make an exact duplicate of a legitimate website, no two sites can have the same URL. Look at the domain itself, not just whether a familiar name appears somewhere in the address: crooks register lookalike names, and an address such as www.example.com.evil.example belongs to evil.example, not to example.com. A padlock icon only means the connection is encrypted, not that the site is genuine. Looking up the company in a search engine should get you to the real site, but skip the sponsored results at the top, since anyone can buy those.
- Never reveal your password to anyone, online or over the phone. No legitimate organization, including its own support or IT staff, is going to ask a user for their password.
- Use a VPN for additional privacy when browsing the web. Bear in mind that a VPN hides your traffic from the network you are on; it does nothing to stop you handing your details to a fake site, so it complements the checks above rather than replacing them.
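What “checking the URL” means in practice can be made precise. The Python below is an added example, not code from the original article: it applies the same rule a browser’s address bar does, pulling out the host that will actually be connected to, and shows why the usual tricks (extra subdomains, a fake host in front of an “@”, a lookalike Unicode letter) fail that check. The expected host example.com and the sample URLs are constructed for the example and stand in for whatever organization you are trying to reach.

```python
from urllib.parse import urlsplit
import unicodedata

# Assumption for this example: the organisation you want serves its pages
# from example.com (or a subdomain of it). Substitute the real host.
EXPECTED_HOST = "example.com"


def effective_host(url: str) -> str:
    """Return the host a browser would actually connect to for `url`.

    A browser ignores everything before '@' (the userinfo part), drops the
    port, and lower-cases the name. urlsplit().hostname does all three, so
    we rely on it instead of eyeballing the address as a string.
    """
    host = urlsplit(url).hostname or ""
    # Internationalised names: fold to NFKC and convert to the ASCII
    # (punycode) form, so a Cyrillic 'а' in 'exаmple.com' turns into an
    # 'xn--' label and can no longer pass as the Latin name.
    host = unicodedata.normalize("NFKC", host)
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # leave an unencodable name as-is; it will fail the comparison
    return host.lower().rstrip(".")


def is_expected_site(url: str, expected_host: str = EXPECTED_HOST) -> bool:
    """True only when the scheme is https and the host is exactly
    `expected_host` or a subdomain of it (checked against a full label
    boundary, so 'example.com.evil.example' does not qualify)."""
    if urlsplit(url).scheme != "https":
        return False
    host = effective_host(url)
    return host == expected_host or host.endswith("." + expected_host)


if __name__ == "__main__":
    # Constructed sample addresses, the kind found in phishing mail.
    samples = [
        "https://example.com/login",
        "https://login.example.com/",
        "https://example.com.evil.example/login",   # real name as a subdomain
        "https://example.com@evil.example/login",   # real name as userinfo
        "https://evil.example/example.com/login",   # real name in the path
        "http://example.com/login",                 # no TLS at all
        "https://ex\u0430mple.com/",                # Cyrillic 'а' lookalike
    ]
    for url in samples:
        verdict = "OK     " if is_expected_site(url) else "REJECT "
        print(verdict, effective_host(url).ljust(28), url)
```

The point the check makes concrete: the only part of the address that identifies who you are talking to is the host, read from the right-hand end, and the visible spelling of that host is not trustworthy until lookalike characters have been converted to their ASCII form.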
How to Defend Yourself from OFFLINE Social Engineering Attacks
We’ve also looked at common offline social engineering attacks. Here are some things you can do to protect yourself from offline attacks:
- Don’t give personal information to callers. This may have been safe many years ago, but is not now. If someone calls you and says they need you to confirm some personal information, hang up on the creeps! If the call might be genuine, call the organization back on a number you already have (from your card, a statement, or its official website), never on a number the caller gives you.
- Don’t let anyone tailgate you to get past security. Regular criminals and ex-employees have been known to use this technique to get back onsite and steal things or exact vengeance. Let the door close behind you, and don’t hold it for anyone who hasn’t badged in themselves, however awkward that feels.
- Always demand an ID from anyone who shows up asking you for information, and confirm the visit with the organization they claim to represent on a number you look up yourself. A printed badge proves nothing on its own.
- Never plug anything into your computer if you don’t know where it came from! Hand found USB sticks and other devices to your IT or security team instead.