Social engineering (SE) is the art of manipulating people so they give up confidential information. While the term itself is relatively new, the idea goes back to the beginning of time. Those who use social engineering online today are called phishers or scammers, and in the old days they would have simply been called con men.
In terms of network security, social engineering usually means convincing a company employee to click a malicious link or open a malware-infected file, most often through email. Getting key information out of an employee is much easier than trying to figure out how to hack a system.
According to Michael Heller at TechTarget, Cody Pierce, director of vulnerability for Arlington, VA-based security research firm Endgame, says that these types of attacks are getting more difficult to stop because of the wealth of information made publicly available on the Web via social media. That information can be used to craft much more convincing and targeted attacks, which has led to something of a renaissance for SE.
“Twitter will tell you what app is used to post, which leads to what platform is used. LinkedIn connects to work contacts, and Facebook has everyone,” said Pierce. “Phishing will continue to stay popular as long as we’re all connecting over the Internet and easy to talk to or build a relationship with, because someone will take advantage of that situation.”
How to Protect Yourself from Social Engineering Tricks
Here are some tips from Webroot to help you avoid becoming a victim:
- Slow down. Scammers want you to act first and think later. If the message conveys a sense of urgency, or uses high-pressure sales tactics, be skeptical; never let their urgency influence your careful review.
- Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.
- Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
- Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ‘help’ restore credit scores, refinance a home, answer your question, etc., a scam.
- Don’t let a link control where you land. Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.
- Email hijacking is rampant. Hackers, spammers, and social engineers taking over control of people’s email accounts (and other communication accounts) has become rampant. Once they control someone’s email account they prey on the trust of all the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, check with your friend before opening links or downloading.
- Beware of any download. If you don’t know the sender personally AND expect a file from them, downloading anything is a mistake.