
Guarding Against Social Engineering Attacks

Even with the most sophisticated firewalls and anti-virus software in place, there is a common form of cyber crime that can find its way around all hardware and software barriers. It doesn’t rely on technology but rather on the vulnerability of human nature.

Social Engineering

Contributor: Bill Wolkey, Kaye-Smith Security Administrator

A common misconception people have about cyber attackers is that they only use advanced hacking tools and technology to break into people’s computers, accounts and mobile devices. In fact, cyber attackers have learned that one of the easiest ways to steal your information or hack your computer is by simply talking to you and misleading you.

Social engineering – using psychological manipulation to influence a victim’s behavior – has existed for thousands of years; the concept of scamming or conning is not new. Cyber attackers have learned that using this technique on the Internet is extremely effective and can be used to target millions of people. The simplest way to understand how social engineering works is to take a look at a common, real-world example.

You receive a phone call from someone claiming to be from a computer support company. The caller says his company has noticed that your computer is behaving strangely and believes it is infected. He has been tasked with investigating the issue and helping you secure your computer. He then uses a variety of technical terms and takes you through confusing steps to convince you that your computer is infected. Once he’s gained your confidence, he will pressure you into going to a website and buying his company’s security software. Unfortunately, if you purchase and install the software, not only have you been fooled into installing a malicious program, you have also paid for the privilege.

Keep in mind that social engineering attacks like this are not limited to phone calls. They can happen with almost any technology, including phishing attacks via email, text messaging, Facebook messaging, Twitter posts or online chats. The key is to know what to look out for.

Detecting/stopping attacks

The simplest way to defend against social engineering attacks is to use common sense. If something seems suspicious or does not feel right, it may be an attack. Some common indicators include:

  • Someone creating a tremendous sense of urgency. If you feel like you are under pressure to make a very quick decision, be suspicious.
  • Someone asking for information they should not have access to or should already know.
  • Something too good to be true. A common example is being notified of winning a lottery that you never entered.

If you suspect someone is trying to make you the victim of a social engineering attack, sever communications immediately. If the attack is work-related, be sure to report it to your help desk or information security team right away.

Prevention tips

Fortunately, there are precautions you can take to help prevent exposing yourself to future social engineering attacks:

Never share passwords. No organization will ever contact you to ask for your password. If someone is asking you for your password, it is an attack.

Don’t share too much. The more an attacker knows about you, the easier it is for them to find and mislead you into doing what they want. The less you share publicly – including posts on social media sites, product review pages, public forums and mail lists – the less likely you are to be attacked.

Verify contacts. At times, you may be called by your bank, credit card company, mobile service provider or other organizations for valid reasons. If you have any doubt as to whether a request for information is legitimate, ask for the name and extension number of the person calling you. Then find the company’s phone number from a trusted source, such as the number on the back of your credit card, the number on your bank statement or perhaps the number on the company’s website. (Be sure you type the URL in your browser yourself.) This way, when you call the organization back to confirm the reason for the call, you will be able to determine whether or not the caller was genuine. Though it may seem like a hassle, safeguarding your identity and personal information is well worth the additional step.

Credits: The SANS Institute
