Malware isn’t the only online threat to worry about. Social engineering is a huge threat, and it can hit you on any operating system. In fact, social engineering can also occur over the phone and in face-to-face situations.
It’s important to be aware of social engineering and be on the lookout. Security programs won’t protect you from most social engineering threats, so you have to protect yourself.
Social Engineering Explained
Traditional computer-based attacks often depend on finding a vulnerability in a computer’s code. For example, if you’re using an out-of-date version of Adobe Flash — or, god forbid, Java, which was the cause of 91% of attacks in 2013 according to Cisco — you could visit a malicious website and that website would exploit the vulnerability in your software to gain access to your computer. The attacker is manipulating bugs in software to gain access and gather private information, perhaps with a keylogger they install.
Social engineering tricks are different because they involve psychological manipulation instead. In other words, they exploit people, not their software.
You’ve probably already heard of phishing, which is a form of social engineering. You may receive an email claiming to be from your bank, credit card company, or another trusted business. It may direct you to a fake website disguised to look like the real one, or ask you to download and install a malicious program. But such social-engineering tricks don’t have to involve fake websites or malware. The phishing email may simply ask you to reply with private information. Rather than trying to exploit a bug in software, the attacker exploits normal human interactions. Spear phishing can be even more dangerous, as it’s a form of phishing tailored to specific individuals, often using details the attacker has already gathered about the target.
Examples of Social Engineering
One popular trick in chat services and online games has been to register an account with a name like “Administrator” and send people scary messages like “WARNING: We have detected someone may be hacking your account, respond with your password to authenticate yourself.” If a target responds with their password, they’ve fallen for the trick and the attacker now has their account password.
If someone has personal information on you, they could use it to gain access to your accounts. For example, information like your date of birth, social security number, and credit card number is often used to identify you. If someone has this information, they could contact a business and pretend to be you. This trick was famously used by an attacker to gain access to Sarah Palin’s Yahoo! Mail account in 2008, submitting enough personal details to get through Yahoo!’s password recovery form. The same method works over the phone if the attacker has the personal information the business uses to authenticate you. An attacker with some information on a target can pretend to be them and gain access to more things, and each account they take over yields more details for the next impersonation.
Social engineering could also be used in person. An attacker could walk into a business, inform the secretary that they’re a repair person, new employee, or fire inspector in an authoritative and convincing tone, and then roam the halls and potentially steal confidential data or plant bugs to perform corporate espionage. This trick depends on the attacker presenting themselves as someone they’re not. If a secretary, doorman, or whoever else is in charge doesn’t ask too many questions or look too closely, the trick will be successful.
Social-engineering attacks range from fake websites, fraudulent emails, and nefarious chat messages all the way up to impersonating someone on the phone or in person. These attacks come in a wide variety of forms, but they all have one thing in common — they depend on psychological trickery. Social engineering has been called the art of psychological manipulation. It’s one of the main ways “hackers” actually “hack” accounts online.
How to Avoid Social Engineering
Knowing social engineering exists can help you battle it. Be suspicious of unsolicited emails, chat messages, and phone calls that ask for private information. Never reveal financial information or important personal information over email. Don’t download potentially dangerous email attachments and run them, even if an email claims they’re important.
You also shouldn’t follow links in an email to sensitive websites. For example, don’t click a link in an email that appears to be from your bank and log in. It may take you to a phishing site disguised to look like your bank’s site, but with a subtly different URL: a lookalike domain, the bank’s name used as a subdomain of the attacker’s domain, or a web address that displays one thing as link text and sends you somewhere else. Type the bank’s address yourself or use a bookmark you created instead.
If you receive a suspicious request — for example, a phone call from someone claiming to be your bank who asks for personal information — contact the source of the request directly and ask for confirmation. In this example, you’d hang up, call your bank on the number printed on your card or statement, and ask what they want, rather than divulging the information to someone who merely claims to be your bank.
Email programs, web browsers, and security suites generally have phishing filters that warn you when you visit a known phishing site or receive a known phishing email. That is all they can do, and they don’t know about every phishing site or email out there; a freshly created phishing page will usually not be on anyone’s list yet. For the most part, it’s up to you to protect yourself — security programs can only help a little bit.
It’s a good idea to exercise a healthy suspicion when dealing with requests for private data and anything else that could be a social-engineering attack. Suspicion and caution will help protect you, both online and offline.
Image Credit: Jeff Turnet on Flickr