What is Social Engineering?
By: Emma Kavanagh
Why spend the time, resources and even money it might cost to hack a computer to steal data and personal information when it’s just easier to get a victim to hand over the desired information willingly?
That, according to Microsoft, is the crux of social engineering. This insidious form of cyber theft involves playing on people’s emotions and trust to get them to knowingly divulge information or download spyware that can send the bad guys down a trail that leads directly to personal data, such as Social Security numbers, bank account numbers, credit card accounts and so on. While social engineering ploys have the same goal as hacks, the method is often much less sophisticated, yet in some cases terribly effective.
Criminals who use social engineering ploys to part people from their personal information, and often their money, rely on trickery to get what they want. Deceptive tactics enable these bad guys to strike targets without the targets even realizing they’ve been struck until it’s too late.
Social Engineering Examples to Watch Out For
Criminals who rely on social engineering techniques to get people to hand over their personal information tend to use a number of different tricks to achieve their goals. Some examples of social engineering in action include:
- Bogus emails or contacts from friends: Once a scammer succeeds in getting a person’s email password, for example, he or she gains access to the victim’s entire address book. At this point, the scammer may send out emails under the guise of the actual friend that solicit information or attempt to entice new victims into downloading pictures or files that may contain spyware. This type of scamming also frequently happens on social media networks, where scammers send messages to the people their victims have friended.
- Phishing: Emails that appear to come from legitimate companies are one of the favorite tools of the social engineer. A scammer, for example, may send a very legitimate-looking email that appears to come from a banking institution. The email may ask the recipient to click on a link and log into their bank account to verify information. It might also blatantly ask for personal information, such as a telephone number, bank account number or Social Security number. In the case of links, they may lead directly to a website that is nearly identical to the legitimate business site.
- Unsolicited requests: Social engineering can also play heavily on a person’s emotions. Unsolicited emails may come in from strangers or even under the guise of friends or relatives (whose accounts have been hacked) asking for money or other forms of assistance. These emails present an urgent need and oftentimes request wire transfers of money.
Tips for Outsmarting the Tricksters
Social engineering is a popular tool of identity thieves because it works. When a message is well presented, victims fall prey because they trust the institution, business or individual sending the request. There are things to look for, however, that can tip off potential victims to social engineering scams and help them mitigate damage if they’ve been struck:
- Be wary of all downloads – even if they come from a friend: Always virus-scan downloads to help avoid inadvertently introducing spyware onto a computer.
- Pay attention to the wording of emails and messages: When emails come in from friends or messages arrive via social media, look for clues that might indicate the true author’s identity. If a message doesn’t sound like something a friend would send, it’s probably bogus.
- Never give out personal information via email: If an email asks for verification of bank account information, Social Security numbers and so on, do not respond. No one reputable would ask for this type of sensitive information in an unsecured manner.
- Be careful clicking through: If a request comes in asking for verification on a particular website, a banking website for example, do not click through on the link. Instead, go directly to the banking website by typing the proper address into a browser. Better yet, call the bank to confirm whether there is a problem with the account.
- Verify requests for help: If a stranger solicits assistance, chances are the email is bogus. If a friend or relative asks for help via email, pick up the phone and call to find out if the story is true.
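The link deception described under “Phishing” above (a link whose destination is a near-copy of the real site) and the “Be careful clicking through” tip can be checked mechanically before anyone clicks. The script below is an added example, not part of the original article or of any product mentioned in it. It assumes a reader-maintained list of trusted domains (TRUSTED_DOMAINS, a constructed value) and scans a constructed sample message, flagging three classic warning signs: visible link text that names one domain while the href goes to another, a destination that is a one- or two-character misspelling of a trusted domain, and a bare IP address in place of a domain name.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the reader actually banks or emails with (constructed list).
TRUSTED_DOMAINS = {"examplebank.com"}

# Matches a bare or http(s)-prefixed domain inside the visible text of a link.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None  # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._href:  # anchors without an href carry no link to check
                self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels (adequate for .com-style hosts)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalikes (e.g. a digit 1 for an l)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href, text):
    """Return a list of reasons this link looks deceptive (empty list means no finding)."""
    reasons = []
    host = urlparse(href).hostname or ""
    href_dom = registered_domain(host)

    # 1. Visible text names one domain while the href goes to another.
    m = DOMAIN_RE.search(text)
    if m:
        text_dom = registered_domain(m.group(1))
        if text_dom != href_dom:
            reasons.append(f"text shows {text_dom} but link goes to {href_dom}")

    # 2. Destination is a near-miss spelling of a domain the reader trusts.
    if href_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(href_dom, trusted) <= 2:
                reasons.append(f"{href_dom} is a lookalike of trusted {trusted}")

    # 3. A bare IP address in place of a domain name.
    if IPV4_RE.fullmatch(host):
        reasons.append("link uses a bare IP address instead of a domain name")
    return reasons


def scan_email(html):
    """Map every href in the message to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text) for href, text in parser.links}


# Constructed sample message for illustration, not a real phishing email.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please <a href="http://examp1ebank.com/verify">https://www.examplebank.com/login</a>
to confirm your details.</p>
<p>Visit our <a href="https://www.examplebank.com/help">Help center</a>.</p>
<p><a href="http://203.0.113.7/update">Click here</a> to update your password.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "ok")
```

Run against the sample, the first link is flagged twice (the displayed address does not match the destination, and the destination differs from the trusted domain by one character), the help-center link passes, and the third link is flagged for using a bare IP address. The registered-domain and edit-distance helpers are deliberately simple; a production filter would use a public-suffix list and a homoglyph table rather than a two-label split and plain Levenshtein distance.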
Social engineers use human nature against humans as they target victims in theft schemes. Stay one step ahead of them by always questioning requests, online or off, before following through on them.
Additional Online Resources:
- SANS Institute: Social Engineering White Papers
- CNET: Social Engineering 101 (Q&A)
- Center for Internet Security: Social Engineering: You are at Risk!
- The Information Networking Institute by Carnegie Mellon University: Social Engineering and Scams