An unfortunate truth: Cybercriminals covet our identities, login credentials, data, even the computing resources provided by our devices. With these resources, they can gain access to many things—information, control, prestige, and of course, money. But in order to achieve this access, they must get past a variety of well-established cybersecurity mechanisms. One of the ways they do this is with a type of direct psychological attack termed social engineering.
What is social engineering?
Social engineering refers to a variety of malicious activities accomplished through human interaction and psychological manipulation. The goal of social engineering is to gain the trust of the victim in order to extract something of value—such as login credentials, personal information, or money—or to gain access to something of value, like a network, a computer, a set of files. In essence, the attacker tries to trick a user into mistakenly giving away sensitive information, access, or actual money.
Social engineering attack techniques
There are dozens of types of social engineering attacks, some with humorous names. But make no mistake—they’re not funny business. The success of these techniques hinges on the recipient taking an action the attacker wants them to take—so knowing how to recognize these techniques can help you avoid them.
Phishing is a category of social engineering attacks involving communications that appear to be from a trusted source. A phishing scam usually arrives via email and often involves a malicious website that spoofs (imitates) a site the recipient trusts. These attacks often appear to come from a financial institution, perhaps informing the recipient of a time-sensitive problem with their account and providing a link to a website that asks them to log in to resolve the problem. The site is a spoof, programmed to steal their credentials.
Other kinds of phishing attacks can originate as solicitations for charities, particularly around natural disasters, elections, epidemics, and holidays. They could also take the form of too-good-to-be-true deals.
Spear phishing is a form of highly targeted phishing attack that uses information relevant to the recipient to increase confidence and trust. This may involve mentioning names, projects, phone numbers, and the like that are known to the recipient, so that they are more likely to think the attack email is genuinely from someone known or within their organization. Spear phishing usually involves email leading to a spoofed website.
Voice phishing, also known as vishing, is a type of phishing attack that uses telephone communications. The recipient receives a call or is enticed or scared into calling a phone number, and then persuaded to divulge personal information or make payment arrangements. This may involve robocalls or actual people on the other end of the line.
Vishing scammers typically employ Voice over Internet Protocol (VoIP) technologies. VoIP enables spoofing of caller ID credentials to enhance trust. Often these calls impersonate financial institutions or governmental agencies with threats.
Vishing is used to great effect with the older population, who tend to trust telephone communications and who are not as connected to the internet.
Smishing involves phishing through text messaging. The text message often includes a link that, when clicked, installs malware on the recipient’s phone. If you receive a suspicious text message, review the area code and phone number. If the sender purports to be a company—for example, a phone or internet service provider—look for emails to confirm, or go directly to the company’s website to take the requested action.
Baiting is a social engineering attack that uses a false promise to pique a recipient’s greed or curiosity. Baiting can be accomplished online, with promises of things of value (deals, downloads, prizes, and the like) or in the physical world—for example, by leaving bait thumb drives infected with malware where people could find them and plug them into a computer, resulting in malware installation.
Pretexting is an attack strategy in which the attacker provides a story, or pretext, in order to build false trust with the recipient and fool them into providing valuable information or access. For example, the attacker might tell you that there is a problem with your automated payment for a recurring utility bill. The attacker then asks for information—bank account number, credit card information, social security number, or login credentials—to resolve the problem. That information is their goal. The more specific information the attacker can provide, the more credible the attack. Pretexting can occur via email, phone, text, web, or almost any channel of communication.
Scareware is malicious software that scares computer users into believing their computer has been breached with malware and they need special software to fix the problem. This usually starts with pop-up ads that bombard the user with false alarms, convincing them to buy and download bogus anti-virus software to repair a purported problem. The software may be useless or worse, stealing personal information, enlisting the user’s device in a botnet, or even ransoming the user’s data in exchange for a payout.
Watering hole attack
Water-holing, or a watering hole attack, is a type of security attack in which the attacker seeks to compromise a targeted group of people by infecting websites that the group is known to visit. Most targeted groups of watering hole attacks are government agencies, human rights groups, public authorities (like city council members), financial institutions, and large corporations. In 2013, attackers targeted a site called iPhoneDevSDK.com, compromising the tools that developers at companies like Microsoft and Facebook used to build software.
The attacker may exploit so-called “zero day” vulnerabilities in the web server or its underlying operating system: flaws that a malicious actor finds before the developer has fixed them, or before the user has installed the appropriate patch. These vulnerabilities usually live deep within system software. Once the site is compromised, the attacker can plant exploit code that infects the computers of visitors, which in turn lets them capture personal information, install malware, or carry out other attacks.
A honeypot attack is similar to a watering hole attack, but instead of infecting a site which is known to be visited by the victims, a site is set up to attract and entice the targets to visit. Once a user visits the site, a similar infection path is followed.
How to protect yourself from social engineering
One of the best things you can do to prevent social engineering is to maintain a healthy level of skepticism toward all things encountered on the Internet. Social engineering tactics try to manipulate your feelings—whether greed, fear, or curiosity—to entice you into a trap. Paying attention and being skeptical are two of the first guidelines to prevent being taken advantage of. Others include:
- Don’t open emails and attachments from suspicious or unknown sources. If the sender is unknown then be extra cautious about replying or clicking on links. If the sender is known but things don’t seem right—e.g. tone, misspellings, out-of-context requests—double check the origin of the message and perhaps give the purported sender a call to verify.
- Use an email spam filter. Many spam filters are driven by the behaviors of other users. This can help you detect and ignore fraudulent messages. If your spam filter can be tuned or trained, set it to high.
- Use multifactor authentication (MFA). Your credentials to bank or brokerage websites are of great value to hackers. Many social engineering traps are explicitly designed to steal passwords. With MFA you can protect your account even if your password is exposed, whether through your fault or that of another party. Multifactor authentication adds a further factor beyond your login ID and password. This factor (typically a one-time code) is generated dynamically, has a very short lifespan, and must be entered with your credentials to log in. Employ the MFA options that are available and work for you, particularly on high-value accounts.
- Be wary of tempting offers. Anything that sounds too good to be true probably is. This applies to super-low prices on goods for sale; notifications of windfall inheritances, prizes, and lost bank accounts; unsolicited job offers; and a variety of other enticements. Searching the web for the topic or sender can often inform you whether the offer is real or a trap.
- Keep your antivirus software up to date. Cybercriminals are inventive and driven, and new threats arise daily. A good antivirus or anti-malware vendor monitors risks and quickly updates their software and virus definitions to deal with evolving threats. These updates don’t do you any good if they are not installed. Automate the scheduled installation of updates. And of course, if you don’t yet have protective software installed, you should.
- Do not trust web links (URLs) and email addresses. URLs can be long and cryptic, redirecting to websites completely different than expected. They may also include trivial misspellings that suggest a trusted site name but are, in reality, completely different. Or the encoded hyperlink may take you somewhere different than the link that you read in the message. The email “From:” address you see in a mail header is easy to spoof—which means scammers can impersonate trusted service providers. If you have any suspicion, you can use your mail client to view the full mail header, which may reveal a surprising truth about the origin of the message. Finally, careful people resist clicking on URLs in inbound emails.
- Be cautious about shared drive links. Whether linking within a corporate intranet or to a cloud drive, these links can be obfuscated and redirect you to malicious websites.
- Don’t overshare. The personal information you share on social media sites can be used by hackers to fake your identity in a phishing attack. Never provide personal or company information on an unsolicited call, no matter who you think it is.
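The URL and sender checks described above (visible link text naming one domain while the href points elsewhere, a digit-for-letter lookalike domain, and a “From:” address whose domain does not match the bounce address in the full header) can be automated. The following is an added example, not code from the original article or from Neeva; the email, the `examplebank.com` trusted domain, and the lookalike rules are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample (not from the article): the link text and From: name a
# bank, but the href and Return-Path point at a digit-for-letter lookalike.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examplebank.com>
Return-Path: <bounce@mail-examp1ebank.net>
Content-Type: text/html

<p>Please <a href="http://examp1ebank.net/login">log in at examplebank.com</a> now.</p>
"""
TRUSTED = {"examplebank.com"}  # constructed: domains the reader actually uses
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)
HOMOGLYPHS = str.maketrans("10", "lo")  # digits commonly swapped for letters

def registrable(host):
    """Crude last-two-labels approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])

def link_mismatches(html):
    """(shown_domain, real_host) pairs where anchor text and href disagree."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        real = urlparse(href).hostname or ""
        for shown in DOMAIN_RE.findall(text):
            if registrable(shown) != registrable(real):
                found.append((shown.lower(), real))
    return found

def sender_mismatch(msg):
    """(from_domain, return_path_domain) if they differ, else None."""
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    return (from_dom, rp_dom) if rp_dom and registrable(from_dom) != registrable(rp_dom) else None

def lookalike_of(host):
    """Trusted domain that host imitates once 1->l and 0->o are undone, or None."""
    reg = registrable(host)
    base = reg.split(".")[0].translate(HOMOGLYPHS)
    return next((t for t in TRUSTED if t != reg and t.split(".")[0] == base), None)

def analyze(raw):
    """Run all three checks over one raw message; empty results mean nothing found."""
    msg = message_from_string(raw)
    links = link_mismatches(msg.get_payload())
    return {"links": links, "sender": sender_mismatch(msg),
            "lookalikes": [lookalike_of(real) for _, real in links]}
```

Running `analyze(SAMPLE_EMAIL)` flags the hidden `examp1ebank.net` link, its imitation of `examplebank.com`, and the mismatched Return-Path; a mail client's “view full header” option exposes the same Return-Path field by hand.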
Neeva is the world’s first private, ad-free search engine, committed to showing you the best result for every search. We will never sell or share your data with anyone, especially advertisers. Sign up today and try Neeva for yourself: neeva.com/signup.