
Everything you need to know about social engineering attacks

Typically, we might assume that when a cybercriminal wants to take over a computer, the first thing they will do is look for a software vulnerability on someone's device. So keeping your software up to date and running a good antivirus that protects your devices from viruses and other malicious software is probably enough, right? Unfortunately, not. There is another kind of cyberthreat on the rise that firewalls and antivirus alone cannot block, because it does not target the machine at all: social engineering.

Social engineers have learned that the best, and often easiest, way to achieve their goals is not to attack the device but the person using it. Once you understand what social engineering is and how it works, you can use that knowledge to avoid falling victim to the most common types of online social engineering attacks.

What is social engineering?

Social engineering is the art of tricking someone into giving up confidential information or taking an action that benefits the attacker. By playing on people's emotions (urgency, fear, curiosity, helpfulness) and their natural tendency to trust, social engineers manipulate people into divulging sensitive information such as passwords and bank details. Just as often, the goal is to get the victim to click a link, open a malware-infected attachment or install software that gives the attacker a foothold.

Common techniques used by social engineers

In a social engineering attack, a perpetrator will first gather as much information as possible about their target person or company (if they’re after confidential company data). The more details they know about their target, the easier it will be to make contact and quickly gain trust. Attackers use various methods to collect the information they need. They might Google their target or spy on them on social networks.

Once these scammers know which Facebook groups a target has joined, which videos they watch on YouTube, which pictures they share on Instagram and what they pin on Pinterest, they can construct far more credible stories to trick their targets with.

If it’s business information they’re after, they’ll look at your LinkedIn contacts or your corporate website to learn about the structure of your company. This way, they can later slip into the role of a company employee or credible business contact when making contact.

The most common online social engineering attacks

Since social engineering attacks are designed to be convincing, it is important to know what they look like in order to avoid becoming a victim. Below are some of the most common online social engineering attacks.

Phishing
Phishing is by far the most common social engineering attack and is behind a large share of all data breaches. In this scenario the scammer poses as a real person or company and typically carries out the attack via email, chat, internet advertising or websites. A classic example is a fake website, reached through a link in an email, that asks the user to reset their password or enter sensitive information such as credit card or phone numbers. The fake site usually lives on a domain that merely resembles the real one: a look-alike character, the real brand name used as a subdomain of some unrelated domain, or a small typo.
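To make the "look-alike domain" tricks concrete, here is an added example (not code from the original post or from Avira) that checks a URL against a short list of domains the user actually trusts and reports which impersonation tricks it spots. The trusted domains, the look-alike character table and the sample URLs are all constructed for illustration; the "last two labels" rule for the registrable domain is a deliberate simplification.

```python
"""Heuristic lookalike-URL checks for fake login or password-reset pages.

Constructed example: the trusted domains, the look-alike character table and
the sample URLs are made up for illustration and are not a product feature.
"""
import re
from urllib.parse import urlsplit

# Domains the user genuinely has accounts with (assumed, for the example).
TRUSTED = ("example-bank.com", "avira.com")

# Substitutions scammers use to make a domain read like the real one.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def registrable(host):
    """Last two labels of the host (simplification: ignores public suffixes
    such as co.uk, which a real implementation would look up)."""
    return ".".join(host.split(".")[-2:])


def normalise(text):
    """Undo common look-alike substitutions so 'examp1e' compares as 'example'."""
    for bad, good in HOMOGLYPHS.items():
        text = text.replace(bad, good)
    return text


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(url, trusted=TRUSTED):
    """Return a list of human-readable warnings; an empty list means none fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host name in URL"]
    findings = []
    # Generic tricks that apply regardless of which brand is imitated.
    if parts.username is not None:
        findings.append("text before '@' is not the real host (credentials in URL)")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("bare IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible IDN homograph)")
    if parts.scheme != "https":
        findings.append("not HTTPS")
    reg = registrable(host)
    if reg in trusted:
        return findings  # the genuine site; only the generic checks apply
    # Look-alike checks against every trusted domain.
    for real in trusted:
        brand = real.split(".")[0]
        if brand in host.split(".")[:-2]:
            findings.append(f"trusted name '{brand}' used as a subdomain of {reg}")
        if normalise(reg) == real or normalise(reg.split(".")[0]) == brand:
            findings.append(f"homoglyph lookalike of {real}")
        elif levenshtein(reg.split(".")[0], brand) <= 2:
            findings.append(f"typosquat of {real}")
    return findings


if __name__ == "__main__":
    for sample in (
        "https://example-bank.com/login",                    # genuine site
        "http://examp1e-bank.com/reset-password",            # digit 1 for letter l
        "https://example-bank.com.secure-login.net/verify",  # brand as a subdomain
        "https://example-bank.com@evil.example.net/",        # real name before '@'
        "https://avria.com/",                                # transposed letters
    ):
        print(f"{sample}\n   {phishing_indicators(sample) or ['no indicators']}")
```

The useful lesson is that only the registrable domain (the part just before the public suffix) tells you who owns a site; everything to the left of it, and everything before an `@`, is under the attacker's control. The heuristics above are deliberately crude: the homoglyph table will also "normalise" legitimate names that contain digits or "rn", so a real mail filter would combine them with a proper public-suffix list and a reputation lookup rather than block on a single hit.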

Spear phishing  

Spear phishing is a targeted phishing variant aimed at specific individuals or roles within a company, often senior management (the executive-focused version is sometimes called whaling). The aim is to obtain internal information, credentials and access to company systems. Here, fraudsters seek direct contact with the victim and tailor the message to what they have learned about them. Sometimes they pretend to be system administrators via email, sometimes they pose as a colleague on Facebook, and sometimes they even dare to make a direct phone call.

Baiting
Baiting attacks are similar to phishing attacks but instead of offering to resolve a problem the victim is offered something attractive. For example, a target might be enticed by a free prize or a great deal, and in order to receive it they would be required to enter sensitive personal information useful to the scammer.   

Quid pro quo  

Quid pro quo is Latin for "this for that" and describes a social engineering ploy that lures victims with a specific promise in exchange for information or an action. Quid pro quo attackers most often impersonate IT staff. For example, they might call employees one by one, claiming to be from the help desk, and promise a quick, uncomplicated fix for a problem. All the unsuspecting victim has to do is turn off their antivirus program or install a "support tool", but instead of a solution, malware is then installed on their computer.

How to defend against social engineering attacks 

The best defense against social engineering is not technical: it is you. A healthy dose of skepticism, paired with paying closer attention to what you are doing online, will help you avoid the mistakes these attacks rely on. Here is some advice to protect yourself from social engineering attacks:

  • Don't open emails, click links or download attachments from questionable sources. If a message claims to come from your bank or an online service, go to the site by typing its address yourself rather than following the link.
  • Don't believe in tempting offers. If a deal looks too good to be true, it probably is.
  • Use multi-factor authentication. Along with strong, unique passwords, a second factor means a phished password alone is not enough to get into your account; where a service offers them, hardware security keys or passkeys resist phishing better than codes sent by SMS or email.
  • Make sure you are using up-to-date antivirus software, and keep informed about new types of malware that are circulating.
  • Don't respond to unsolicited requests for personal information or passwords, however legitimate the sender appears. No genuine bank or IT department will ask you for your password.
  • Be wary of unsolicited advice or help. Social engineers will either request your help with information or offer to help you, often posing as tech support. If in doubt, hang up or close the chat and call the organisation back on a number you already know.

As you can see, a little common sense can go a long way to stop online scammers. But stay vigilant! Social engineers are called con artists for a reason – they can make anyone believe almost anything.



Content Manager
Former journalist. Storyteller at heart.