What is social engineering?

Everyone probably thinks they’re too clever to fall for a scam – even the people who fall for them. Social engineering is a powerful set of techniques that hackers, scammers, and thieves use to compromise your security and steal valuable data. Learn their strategies so you can defend yourself.

Social engineering is the art of convincing a person to do what you want, even when it’s against their interests. When it comes to the digital world, it may or may not even involve code or malware. Trust, stress and even greed are natural feelings felt by everyone, but they’re also the tools hackers use to cloud our judgment.

Discover the most common techniques and how to protect yourself against them below:

Phishing happens when a cybercriminal uses emails to impersonate someone else (usually a real and well-trusted organization). They can then trick you into disclosing sensitive information. That can be anything from your email address to your social security number, your bank card number or your login details.

Phishing hackers usually pretend to be your bank or the government, a major corporation, a delivery company, eBay, a charitable organization, etc. (the options are limitless). Their goal is to have you open that email and download a suspicious attachment or click on the link they provide.

Phishing can take different forms and use different methods. The most common ones include:

• A spoofed display name. The email will appear to have been sent from a legitimate organization but the domain name will be entirely different. For example, it might look like Netflix sent you an email asking to confirm your account details, but if you hover over ‘Sender’ and you see that the email came from netflix@gmail.com (a hypothetical example), it’s no good.
• Embedded links. You might receive an email asking you to log back into your account even though you haven’t changed your activity on that site. In such cases, you might be asked to click on the hyperlink, which will be hiding an infected website. One way to protect yourself is to right-click on the link to see where it leads and to check if it looks legit. The other, more foolproof way, is to navigate to the website the email says it represents, log in there, and see if what the message said is true.
• Email attachments. Invoices, order confirmations, event invitations, etc. can be used to disguise viruses or malware. Check documents or even contact the sender before downloading and opening them.

Spear phishing is a targeted form of phishing that requires more effort but also has a higher success rate. Phishing emails can be sent to hundreds and thousands of people, while spear phishing hackers target individuals or small groups. For the hacker’s story to be convincing enough to pay off, they need to do some research about their victim(s) and use that information against them.

They usually pretend to be a specific person who the victim trusts or, in a work environment, someone they report to. Social media channels are a gold mine for such hackers as they can gather almost any information about their victim, i.e., their email address, the brands they trust and follow, friends they interact with the most, etc. Once the research is done, the hacker will email the victim with a realistic pretext and will try to get their sensitive information.

For example, on an individual level, hackers might pretend to be your best friend and ask for access to your Facebook account. On a business level, they could pretend to be a CEO or a Senior Executive of a company you work for and request to immediately transfer funds for a ‘new project’ that unfortunately cannot be announced until next week.

Spear-phishing attacks are difficult to recognize as they are so personalized. However, if you want to protect yourself, it’s important to question any emails or messages that request your personal or financial information. First, check the source of the email. Did your friend use that email before? Have you previously spoken about this? Has your senior previously requested such transfers? If it sounds suspicious, do not reply to the email and contact the person directly. You can do this by sending them a separate email or just giving them a call.

Vishing is yet another type of phishing. These scammers will pretend to be contacting you from a trustworthy organization using an old-fashioned route – the phone. But how does it work?

Most vishing attacks will start with phone number spoofing, which will then be used to either impersonate you or impersonate a company you trust. Such hackers might use pre-recorded voice messages, text messages, or voice-to-text synthesizers to mask their identity, while others will go to great lengths and will use a real human on the other end of the line, only to make the attack more convincing.

Vishing hackers will then use a compelling pretext, such as suspicious activity on your bank account, overpaid/underpaid taxes, contest winnings, etc. Regardless of the technique or the pretext, their primary goal is to get your PIN, social security number or your payment details. This information could later be used for other attacks or to steal your identity. Check out this great example of a vishing attack on Youtube.

The only thing that will protect you from a call like the one in that video is a company with strong security procedures. To decide if the call you’re receiving is a vishing attempt, follow these tips:

• Question the company and the reason they are calling. Have you ever heard of this company or have you ever done any business with?
• Are they offering unrealistic financial gains from contests you’ve never entered or are they offering to help you with debt you’ve never heard of?
• Are they using hostile language to pressure you to give up your personal information?

All of these are warning signs of vishing.

Pretexting is a similar technique to phishing, and it uses a catchy and exciting pretext to get one’s sensitive information. However, if phishing is based on fear and urgency, then pretexting is the opposite – it’s based on trust and rapport.

Pretexting requires a lot more research than other social engineering techniques. These cybercriminals will go to great lengths to pretend to be your friend or your colleague. They won’t just lie, they’ll come up with a whole scenario to fool you. They can even create fake product images to show you or learn industry lingo.

In a company environment, these hackers will work they way up and won’t stop with a single attack. Their goal is usually to get information from someone at a certain level of seniority.

Catfishing is a technique used by people who create fake social media profiles and pretend to be someone else by using other people’s photos, videos and sometimes even their personal information. These fake identities are usually used to cyberbully or seek attention (as well as romantic relationships). However, in some cases, they can be used to extract money or the victim’s personal details, which later could used to steal their identity or for a phishing attack.

It’s pretty common to find ‘catfishes’ on online dating platforms or social media channels such as Facebook, Twitter, and Instagram. If you’ve made an online friend who is extremely nice to you but constantly finds excuses to not meet you in person, it’s very likely that you are being catfished.

How to avoid it? Look for warnings signs such as:

• Pity stories and requests to donate money;
• Strange excuses why they can’t have a webcam chat or a phone call, i.e., their camera is broken, or their phone has been stolen moments before the arranged call;
• Excuses not to meet up or last minute cancellations due to family emergencies;
• Offering to meet somewhere private rather than in a public place.

This technique uses bait to persuade you to do something that allows the hacker to infect your computer with malicious software and get your personal details.

Many social engineers have used USBs as bait. They start by leaving them in offices or parking lots with labels like ‘Confidential’ or ‘Executives’ Salaries 2018 Q4’. Some of the people who find them will be tempted by curiosity to insert them into a computer. The virus hidden within will then quickly spread to their device. If you come across such USB, don’t open it. Instead, have a chat with your office manager or your IT department. They will be able to find the owner (if the USB has actually been lost) or will safely dispose of it (so that no one else can take the bait).

The use of USBs and CDs is decreasing, so baiting is now mainly used on websites, where people tend to download music and films. Social engineers create false mirroring sites, and while someone might think they are downloading a movie, they will actually be downloading a virus. You are always at risk when downloading any files from an untrusted source, but to avoid being hacked, you can take precautions such as always double checking the type of file you are getting or having an up to date antivirus. (If you’re expecting a song but the file isn’t an .mp3, .mp4 or other common audio file type, don’t touch it. Even safe files can be insecure if they’re from sketchy sources – PDF and Word files can have macros embedded in them that can execute different commands when opened and run.)

In a quid pro quo attack, a hacker will offer you a service in exchange for your personal information. A few years ago, quid pro quo attacks consisted of emails telling you that a Nigerian Prince has died and you inherited all his money. All you needed to do was provide them with your bank details or send them a small “handling fee” so they could transfer you the money.

Even though such attacks now sound humorous, quid pro quo attacks are still relevant today. The most common quid pro quo attacks these days happen when hackers pretend to be IT support specialists. The victim usually does have a minor problem with a device, or the device needs to be updated with the latest software, so they think that this is a standard procedure, even though they didn’t request any IT assistance in the first place.

The impersonator calls the victim and tells them that they will fix the problem, but that they need access to their computer to do so. The victim doesn’t question it and gives the hacker access. This social engineer now has full access to the device and can install malicious software or steal other sensitive information.

A few months ago, this method was used to attack a number of Australians. A fake IT company called Macpatchers, complete with their own Youtube channels and fake reviews, offered to fix a false malfunction for users. The bug didn’t exist in the first place, but people fell for the trap and the hackers managed to hack their webcams and film them without their consent.

Email hacking and contact spamming is the oldest trick in the book. A cybercriminal who uses this technique will hack into your email or your social media accounts (Facebook, Twitter or Instagram) and will reach out to your friends with a message such as ‘I’ve seen this amazing video, check it out.’

Unfortunately, we tend to trust messages that seem to come from our close friends, so when we click on those links, we end up infecting our devices with malware. What’s even worse is that once these viruses spread to your device, they can spread the same message to your contacts, too.

1. Learn about different types of social engineering attacks. If you know what to expect, it will be easier to avoid the trap. If you’ve read this post, you are one step closer to becoming a more savvy internet user!
2. Educate your team. If you run a company or manage a team, it’s essential to educate them, too. Organize a training day so your staff can learn to recognize social engineering attacks. Even better – hire someone to perform a penetration test by trying to trick your employees into giving out sensitive information.
3. Be vigilant. Check the identity of whoever you’re communicating with more than once, especially if it’s an email, text or call that you weren’t expecting. Call the person who sent you that email to confirm their request; hover over the link to see whether it’s legitimate or just search for the site on Google. Never reply to an email asking for your financial access details. Banks or your accountant would never ask you to do that! Remember that if it sounds odd or too good to be true, it’s probably a scam.
4. Keep an eye out for mistakes. Legitimate businesses that send marketing emails tend to double and triple check their content before sending it out. Hackers, on the other hand, leave countless grammatical and spelling errors.
5. If you think someone is trying to scam you over the phone, don’t be afraid to question their friendliness or their authority. Most importantly, listen for answers that don’t match their story or their ‘persona.’
6. Adopt good internet behavior – use different and complex passwords, two-factor authentication and don’t check your bank balance while browsing on public wifi.
7. Manage your digital identity – remove your information from public domains and think twice before posting anything on social media channels. All this easily accessible information can help someone gather information about you and then use it for a social engineering attack.
8. Take care of your software – install regular updates, invest in a good antivirus, install spam filters (but don’t rely on them exclusively), and use browser extensions.
9. Use a VPN. VPNs aren’t optimized to block social engineering, but they can help prevent hackers who want to target you specifically. A VPN will help mask your identity online and prevent would-be hackers and scammers from intercepting your communications. NordVPN’s Cybersec feature will also help prevent you from visiting scammers’ websites.

Prevent social engineering attacks by using NordVPN!