What is social engineering?
Everyone probably thinks they’re too clever to fall for a scam – even the people who fall for them. Social engineering is a powerful set of techniques that hackers, scammers, and thieves use to compromise your security and steal valuable data. Learn their strategies so you don’t fall into their trap.
Social engineering definition
Social engineering is the art of convincing a person to do what you want, even when it’s against their interests. Trust, stress and greed are natural feelings that social engineers use against you to cloud your judgment. When it comes to the digital world, it may or may not involve code or malware.
Read on to learn more about the most common techniques and how to protect yourself against them.
Types and examples of social engineering
Phishing happens when a cybercriminal uses emails to impersonate someone else. Usually they’ll pretend to be your bank, the government, a delivery company, or any other organization you trust. ). Their goal is to have you open that email and download a suspicious attachment or click on the link they provide. They want to trick you into disclosing sensitive information such as your login details, social security number or your bank card number.
Phishing can take different forms and use different methods. The most common ones include:
A spoofed display name. The email will appear to have been sent from a legitimate organization but the domain name will be entirely different. For example, it might look like Netflix sent you an email asking to confirm your account details, but if you hover over ‘Sender’, you’ll see that the email came from email@example.com (a hypothetical example).
Embedded links. You might receive an email asking you to click on the link and log back into your account (even though you haven’t changed your activity on that site). The embedded link will lead to an infected website that will steal your sensitive information. One way to protect yourself is to right-click on the link and check if it looks legit. The other more foolproof way is to type the original website into your URL bar to see if what the message said is true.
Email attachments. Invoices, order confirmations, event invitations, etc. can be used to disguise viruses or malware. Don’t open them or reply to the sender if they seem suspicious. Draft a new email to the person you think emailed you.
Spear phishing is a type of phishing that requires more effort but also has a higher success rate. Phishing emails can be sent to thousands of people, while spear phishing hackers target individuals or small groups. They usually pretend to be a specific person you trust or, in a work environment, report to.
For spear phishing to work, hackers need to do some research about their victim(s) and use that information against them. Social media is a gold mine for this task. Hackers can gather almost any information, i.e., email address, the brands you trust and follow, your friends, etc. Once the research is done, the hacker will email the victim with a realistic pretext to get their sensitive information.
For example, on an individual level, hackers might pretend to be your best friend and ask for access to your Facebook account. On a business level, they could pretend to be a CEO of a company you work for and request to immediately transfer funds for a “new project.”
Spear-phishing attacks are difficult but not impossible to recognize. To protect yourself:
Check the source of the email. Has your friend or manager used that email before?
Ask yourself whether it sounds like a normal request. Have you previously spoken about this?
If it sounds suspicious, do not reply to the email and contact the person directly. Do this by sending them a separate email, giving them a call, or waiting to speak to them directly.
Vishing is yet another type of phishing. These scammers will pretend to be contacting you from a trustworthy organization using an old-fashioned route – the phone.First, they will spoof their phone number to impersonate you or a company you trust – it all depends on who they’re calling. Such hackers might use pre-recorded voice messages, text messages, or voice-to-text synthesizers to mask their identities. Others will even use humans from scam call centers to make the attack more convincing.
Vishing hackers will use a compelling pretext, such as suspicious activity on your bank account, overpaid/underpaid taxes, contest winnings, etc. Regardless of the technique or the pretext, their primary goal is to get your sensitive information, which can then be used for other attacks or to steal your identity. Check out this great example on Youtube.
To determine if the call you’re receiving is a vishing attempt, follow these tips:
Question the company and the reason they are calling. Have you ever heard of this company or have you ever done any business with it?
Are they offering unrealistic financial gains from contests you’ve never entered or are they offering to help you with debt you’ve never heard of?
Are they using hostile language to pressure you to give up your personal information?
All of these are warning signs of vishing.
Pretexting is a similar technique to phishing, and it uses a catchy and exciting pretext to get one’s sensitive information. However, if phishing is based on fear and urgency, then pretexting is the opposite – it’s based on trust and rapport.
Contact spamming is the oldest trick in the book. A cybercriminal who uses this technique will hack into your email or your social media account and reach out to your friends with a message such as “I’ve seen this amazing video, check it out!”
Unfortunately, we tend to trust messages that seem to come from our close friends. But if you click on this link you will end up infecting your device with malware. What’s even worse is that once these viruses spread to your device, they can spread the same message to your contacts, too.
How to protect yourself
Learn about different types of social engineering attacks. If you know what to expect, it will be easier to avoid the trap. If you run a company or manage a team, it’s essential to educate your team about such attacks too.
Be vigilant. Double check the identity of whoever you’re communicating with, especially if it’s an email, text or call you weren’t expecting. Remember that if it sounds odd or too good to be true, it might be a scam.
Keep an eye out for mistakes. Legitimate businesses tend to triple-check their content before sending it out. Hackers, on the other hand, leave countless grammatical and spelling errors.
Don’t be afraid to ask questions. If you think someone is trying to scam you over the phone, feel free to question their friendliness or their authority. Most importantly, listen for answers that don’t match their story.
Practise good internet behavior.
Limit the information you share online. Leaving easily accessible information out there can help someone gather information about you and use it for a social engineering attack.
Take care of your software – install regular updates, invest in a good antivirus, install spam filters, and use browser extensions.
Use a VPN. A VPN service will help mask your identity and prevent would-be hackers from intercepting your communications, especially on public WiFi.