Everyone probably thinks they’re too clever to fall for a scam – even the people who fall for them. Social engineering is a powerful set of techniques that hackers, scammers, and thieves use to compromise your security and steal valuable data. Learn their strategies so you can defend yourself.
Social engineering is the art of convincing a person to do what you want, even when it’s against their interests. When it comes to the digital world, it may or may not even involve code or malware. Trust, stress and even greed are natural feelings felt by everyone, but they’re also the tools hackers use to cloud our judgment.
Discover the most common techniques and how to protect yourself against them below:
Phishing happens when a cybercriminal uses emails to impersonate someone else (usually a real and well-trusted organization). They can then trick you into disclosing sensitive information. That can be anything from your email address to your social security number, your bank card number or your login details.
Phishing hackers usually pretend to be your bank or the government, a major corporation, a delivery company, eBay, a charitable organization, etc. (the options are limitless). Their goal is to have you open that email and download a suspicious attachment or click on the link they provide.
Phishing can take different forms and use different methods. The most common ones include:
Spear phishing is a targeted form of phishing that requires more effort but also has a higher success rate. Phishing emails can be sent to hundreds or thousands of people, while spear phishing hackers target individuals or small groups. For the hacker’s story to be convincing enough to pay off, they need to do some research about their victim(s) and use that information against them.
They usually pretend to be a specific person who the victim trusts or, in a work environment, someone they report to. Social media channels are a gold mine for such hackers, as they can gather almost any information about their victim, e.g., their email address, the brands they trust and follow, the friends they interact with the most, etc. Once the research is done, the hacker will email the victim with a realistic pretext and will try to get their sensitive information.
For example, on an individual level, hackers might pretend to be your best friend and ask for access to your Facebook account. On a business level, they could pretend to be a CEO or a Senior Executive of a company you work for and request to immediately transfer funds for a ‘new project’ that unfortunately cannot be announced until next week.
Spear-phishing attacks are difficult to recognize as they are so personalized. However, if you want to protect yourself, it’s important to question any emails or messages that request your personal or financial information. First, check the source of the email. Did your friend use that email before? Have you previously spoken about this? Has your senior previously requested such transfers? If it sounds suspicious, do not reply to the email and contact the person directly. You can do this by sending them a separate email or just giving them a call.
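Some of the "check the source" questions above can be turned into automatic checks on the message headers. The script below is an added example, not NordVPN's code; it assumes a small, hypothetical address book of people you have corresponded with before (`KNOWN_CONTACTS`) and that your mail server stamps incoming mail with an `Authentication-Results` header. Both sample messages are constructed for the demo, and the lookalike domain `example-corp.co` is a made-up stand-in for the kind of near-miss address a spear phisher registers.

```python
"""Triage checks for a suspected spear-phishing email.

Added example, not NordVPN's code. It assumes a small, hypothetical address
book of people you have corresponded with before and that your mail server
stamps incoming mail with an Authentication-Results header.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List

# Hypothetical address book: display name -> addresses previously seen from that person.
KNOWN_CONTACTS = {
    "Alex Morgan": {"alex.morgan@example-corp.com"},
}

# Pressure and payment wording typical of a CEO-fraud pretext.
URGENCY_WORDS = ("immediately", "urgent", "transfer", "wire", "cannot be announced")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw: str) -> List[str]:
    """Return warning strings for the raw RFC 5322 message text (empty list = nothing odd)."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings: List[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))

    # 1. A familiar display name arriving from an address we have never seen for them.
    known = KNOWN_CONTACTS.get(from_name)
    if known is not None and from_addr.lower() not in known:
        warnings.append(f"display name '{from_name}' but unfamiliar address {from_addr}")

    # 2. Reply-To diverts answers to a different domain than the one the mail claims to be from.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        warnings.append(
            f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(from_addr)}"
        )

    # 3. The receiving server's own SPF/DKIM/DMARC verdicts; anything but 'pass' is worth a look.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            warnings.append(f"{mech} result is {m.group(1)}")

    # 4. Urgency or money-movement language in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        warnings.append("urgency/payment language: " + ", ".join(hits))
    return warnings


# --- constructed sample messages (not real mail) ---
SUSPICIOUS_EMAIL = """\
From: Alex Morgan <alex.morgan@example-corp.co>
Reply-To: Alex Morgan <ceo.alexmorgan@example-mail.com>
To: you@example-corp.com
Subject: Urgent wire for new project
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.co; dkim=none
Content-Type: text/plain; charset="us-ascii"

Please transfer the funds immediately. This cannot be announced until next week.
"""

CLEAN_EMAIL = """\
From: Alex Morgan <alex.morgan@example-corp.com>
To: you@example-corp.com
Subject: Lunch on Thursday?
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com
Content-Type: text/plain; charset="us-ascii"

Are you free around noon?
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, "->", triage(raw) or "no warnings")
```

None of these checks proves a message is fraudulent on its own (a colleague really can mail from a personal address), which is why the article's advice to confirm through a separate channel still applies; the script only decides whether that call is worth making.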
Vishing is yet another type of phishing. These scammers will pretend to be contacting you from a trustworthy organization using an old-fashioned route – the phone. But how does it work?
Most vishing attacks will start with phone number spoofing, which is then used to either impersonate you or impersonate a company you trust. Some of these hackers use pre-recorded voice messages, text messages, or text-to-speech synthesizers to mask their identity, while others go to great lengths and put a real human on the other end of the line to make the attack more convincing.
Vishing hackers will then use a compelling pretext, such as suspicious activity on your bank account, overpaid/underpaid taxes, contest winnings, etc. Regardless of the technique or the pretext, their primary goal is to get your PIN, social security number or your payment details. This information could later be used for other attacks or to steal your identity. Check out this great example of a vishing attack on YouTube.
The only thing that will protect you from a call like the one in that video is a company with strong security procedures. To decide if the call you’re receiving is a vishing attempt, follow these tips:
All of these are warning signs of vishing.
Pretexting is a similar technique to phishing, and it uses a catchy and exciting pretext to get one’s sensitive information. However, if phishing is based on fear and urgency, then pretexting is the opposite – it’s based on trust and rapport.
Pretexting requires a lot more research than other social engineering techniques. These cybercriminals will go to great lengths to pretend to be your friend or your colleague. They won’t just lie, they’ll come up with a whole scenario to fool you. They can even create fake product images to show you or learn industry lingo.
In a company environment, these hackers will work their way up and won’t stop with a single attack. Their goal is usually to get information from someone at a certain level of seniority.
Catfishing is a technique used by people who create fake social media profiles and pretend to be someone else by using other people’s photos, videos and sometimes even their personal information. These fake identities are usually used to cyberbully or seek attention (as well as romantic relationships). However, in some cases, they can be used to extract money or the victim’s personal details, which could later be used to steal their identity or for a phishing attack.
It’s pretty common to find ‘catfishes’ on online dating platforms or social media channels such as Facebook, Twitter, and Instagram. If you’ve made an online friend who is extremely nice to you but constantly finds excuses to not meet you in person, it’s very likely that you are being catfished.
How to avoid it? Look for warning signs such as:
Baiting uses bait to persuade you to do something that allows the hacker to infect your computer with malicious software and get your personal details.
Many social engineers have used USBs as bait. They start by leaving them in offices or parking lots with labels like ‘Confidential’ or ‘Executives’ Salaries 2018 Q4’. Some of the people who find them will be tempted by curiosity to insert them into a computer. The virus hidden within will then quickly spread to their device. If you come across such a USB drive, don’t open it. Instead, have a chat with your office manager or your IT department. They will be able to find the owner (if the USB has actually been lost) or will safely dispose of it (so that no one else can take the bait).
The use of USBs and CDs is decreasing, so baiting is now mainly used on websites where people tend to download music and films. Social engineers create fake mirror sites, and while someone might think they are downloading a movie, they will actually be downloading a virus. You are always at risk when downloading any files from an untrusted source, but to avoid being hacked, you can take precautions such as always double-checking the type of file you are getting or having an up-to-date antivirus. (If you’re expecting a song but the file isn’t an .mp3, .mp4 or other common audio file type, don’t touch it. Even safe files can be insecure if they’re from sketchy sources – PDF and Word files can have macros embedded in them that can execute different commands when opened and run.)
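A file name is just a label, so "double-checking the type of file" means looking at the content rather than the extension. The script below is an added example, not NordVPN's code: it classifies a download by its leading bytes (a small subset of well-known magic numbers), reports when the extension and the content disagree, and, for zip-based Office documents, reports whether a VBA macro project is embedded. All sample files are constructed in memory for the demo, so nothing is read from disk.

```python
"""Check that a downloaded file's content matches what its name claims.

Added example, not NordVPN's code. The signature table is a small subset of
well-known magic bytes, and the sample files are constructed in memory so the
script runs without touching real downloads.
"""
import io
import zipfile
from typing import Dict, Optional, Set

# (magic bytes, offset where they appear, type label, extensions that legitimately carry it)
SIGNATURES = [
    (b"ID3", 0, "mp3", {".mp3"}),                                # MP3 with an ID3v2 tag
    (b"\xff\xfb", 0, "mp3", {".mp3"}),                           # bare MPEG audio frame sync
    (b"ftyp", 4, "mp4", {".mp4", ".m4a"}),                       # ISO base media container
    (b"%PDF", 0, "pdf", {".pdf"}),
    (b"PK\x03\x04", 0, "zip", {".zip", ".docx", ".docm", ".xlsx", ".xlsm", ".pptx"}),
    (b"\xd0\xcf\x11\xe0", 0, "ole", {".doc", ".xls", ".ppt"}),   # legacy Office container
    (b"MZ", 0, "pe", {".exe", ".dll", ".scr"}),                  # Windows executable
    (b"\x7fELF", 0, "elf", {".so", ""}),                         # Linux executable
]

# Union of permitted extensions per type label (two rows share the "mp3" label).
ALLOWED: Dict[str, Set[str]] = {}
for _magic, _offset, _label, _exts in SIGNATURES:
    ALLOWED.setdefault(_label, set()).update(_exts)


def detect_type(data: bytes) -> Optional[str]:
    """Classify the content by its leading bytes, ignoring the file name entirely."""
    for magic, offset, label, _ in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None


def has_vba_macros(data: bytes) -> bool:
    """True when a zip-based Office document (docx/xlsx/pptx) ships a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def check_download(filename: str, data: bytes) -> str:
    """Verdict string: 'ok: <type>', 'mismatch: ...', 'warning: ...' or 'unknown: ...'."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = detect_type(data)
    if kind is None:
        return "unknown: content matches no known signature"
    if ext not in ALLOWED[kind]:
        return f"mismatch: named {ext or '(no extension)'} but content is {kind}"
    if kind == "zip" and has_vba_macros(data):
        return "warning: Office document with embedded VBA macros"
    return f"ok: {kind}"


# --- constructed sample inputs (not real downloads) ---
def make_office_doc(with_macros: bool) -> bytes:
    """Build a minimal docx-like zip in memory, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


SAMPLE_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb" + b"\x00" * 30
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 20
SAMPLE_FAKE_SONG = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56   # a PE header named as a song

if __name__ == "__main__":
    for name, data in [
        ("song.mp3", SAMPLE_MP3),
        ("movie.mp4", SAMPLE_MP4),
        ("song.mp3", SAMPLE_FAKE_SONG),
        ("report.docx", make_office_doc(False)),
        ("report.docx", make_office_doc(True)),
    ]:
        print(f"{name:12} -> {check_download(name, data)}")
```

The macro check is a cheap structural test, not a malware scan: a document with a VBA project is not necessarily malicious, and a malicious one may use other mechanisms, so a mismatch or warning is a reason to stop and ask, not a final verdict. A real antivirus does the deeper inspection this script deliberately leaves out.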
In a quid pro quo attack, a hacker will offer you a service in exchange for your personal information. A few years ago, quid pro quo attacks consisted of emails telling you that a Nigerian Prince has died and you inherited all his money. All you needed to do was provide them with your bank details or send them a small “handling fee” so they could transfer you the money.
Even though such attacks now sound humorous, quid pro quo attacks are still relevant today. The most common quid pro quo attacks these days happen when hackers pretend to be IT support specialists. The victim usually does have a minor problem with a device, or the device needs to be updated with the latest software, so they think that this is a standard procedure, even though they didn’t request any IT assistance in the first place.
The impersonator calls the victim and tells them that they will fix the problem, but that they need access to their computer to do so. The victim doesn’t question it and gives the hacker access. This social engineer now has full access to the device and can install malicious software or steal other sensitive information.
A few months ago, this method was used to attack a number of Australians. A fake IT company called Macpatchers, complete with its own YouTube channels and fake reviews, offered to fix a false malfunction for users. The bug didn’t exist in the first place, but people fell for the trap and the hackers managed to hack their webcams and film them without their consent.
Email hacking and contact spamming is the oldest trick in the book. A cybercriminal who uses this technique will hack into your email or your social media accounts (Facebook, Twitter or Instagram) and will reach out to your friends with a message such as ‘I’ve seen this amazing video, check it out.’
Unfortunately, we tend to trust messages that seem to come from our close friends, so when we click on those links, we end up infecting our devices with malware. What’s even worse is that once these viruses spread to your device, they can spread the same message to your contacts, too.
Prevent social engineering attacks by using NordVPN!