Social engineering has been around forever; it just wasn’t called by such a hi-tech name in the past. Being flimflammed, scammed, or taken advantage of by a trickster has exactly the same basis in deception as today’s email phishing and social phishing attacks. The term “social engineering” simply means using psychological and deceptive tactics to get someone to do what you want, which in today’s world is typically divulging a password or credit card number, clicking a link to a dangerous website, or downloading a malicious email attachment. This type of scamming is so prevalent that phishing accounts for a majority of data breaches. 76% of businesses reported being the victim of phishing last year, and attacks have grown by 65% in the last 12 months. While email security protections like anti-phishing software can significantly reduce the damage of social engineering attacks, those attacks also come in other forms, such as over social media, by phone, and by text message. But if you know what to watch out for and adopt good personal security practices, you can avoid becoming a victim.
Examples of Social Engineering

Nothing helps a social engineering scammer more than being able to dig up all types of personal information about you. Social media oversharing has become a national pastime, and we make public all types of information that someone can use to try to gain your trust or guess your online banking password. The types of things a crook can find on social media include:
- Where you live (turn off geotagging!)
- Where you work and have worked in the past
- Where your kids go to school
- Your birthdate (and family members’ birthdates)
- Your favorite bands
- Your pet’s name
- Your political affiliation
- How you spend your free time
- (and so much more!)
Phone Scam

This is one of the older versions of social engineering and pre-dates computers. These types of social engineering scams now use computerized systems to automate the attacks and have been updated to hit today’s hot-button topics that will elicit an emotional (act before you think) response. You might receive a call from “your bank” saying there has been fraudulent activity on your debit card, and they ask you to verify your card number and PIN so they can remove the fraudulent charge. It’s actually a scammer just trying to steal your credit card number.
Phishing Scam

This is by far the most common form and something just about everyone on the planet has experienced. This type of social engineering has evolved from the Nigerian millionaire scenario to receiving an email that looks like it’s from a trusted source, like UPS or AT&T, using their logos and signatures, but containing a link that leads you to a malicious website that can download malware onto your device.
Text Scam

The text scam usually relies on an online work directory listing, for example on LinkedIn. The scammers choose a high-ranking staff member to impersonate, then text a lower-ranking employee with something like, “This is Joe Smith, I’m in an important meeting, no time to call, I need to get into OneDrive to grab a file and don’t have my login details, please send a login I can use immediately.” The text, of course, is not really from the person they claim to be. The scammer is exploiting your natural desire to follow a manager’s orders and throws in urgency to get you to act before questioning anything.
Social Media Scam

Have you ever received a friend request from someone you didn’t know? When looking at their profile, you see it mainly includes photos of them, or photos of them with a dog, them in a military uniform, etc., anything to gain your trust while telling you nothing. That’s a big red flag. Social engineering scammers often prey on people on social media by “friending” them and striking up DM conversations based on details they see on the victim’s profile; once they’ve gained trust, they perpetrate some type of scam to get money or sensitive information.
Tips to Keep from Becoming a Social Engineering Victim

You may not be able to stop the scammers from trying, but you can employ good personal security practices and cybersecurity protocols to keep from becoming a victim of a social engineering scam. Here’s how:
- Enable privacy settings on social media accounts so they’re not “public”
- Change settings to stop sharing on the photos and posts you make (so they can’t be shared on someone’s public timeline)
- Always question any texts or emails that are out of the ordinary from people you know (ask them in person or via video call if it is really from them)
- Only trust emails that you know are from a legitimate email address (check the message source, not just the display name)
- Never click on a link without first hovering over it to reveal its true URL
- Don’t give out any sensitive information over the phone (credit card number, PIN, etc.)
- Take a “zero trust” stance when it comes to social media friend requests, emails, and calls from unknown parties (always assume it could be a scammer, until proven otherwise).
- Resist emotion-targeted tactics, like claims that your account will be suspended if you don’t act immediately
- Use anti-phishing and web protection software to help backstop you
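Two of the tips above, checking the message source and revealing a link’s true URL before clicking, can be automated. The following is an added example, not code from the original article: it parses a constructed raw email and flags a sender display name that shows one domain while the address uses another, and links whose visible text names a different host than the `href` actually points to.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration; not a real phishing email.
SAMPLE_EMAIL = """\
From: "ups.com Customer Care" <notice@parcel-update.example>
To: you@example.org
Subject: Your package is on hold
Content-Type: text/html

<p>Click <a href="http://198.51.100.7/track">https://www.ups.com/track</a>
to reschedule, or visit <a href="https://www.ups.com/">www.ups.com</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Lowercase host named by a URL or bare domain, or None if there is none."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    host = parsed.hostname
    return host.lower() if host and "." in host else None

def phishing_indicators(raw):
    """Return warnings for mismatched sender names and deceptive link text."""
    msg = message_from_string(raw)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # A domain-looking token in the display name that the real sending domain
    # neither equals nor sits under is the classic brand-impersonation tell.
    for token in re.findall(r"[\w-]+(?:\.[\w-]+)+", name):
        if token.lower() != domain and not domain.endswith("." + token.lower()):
            warnings.append(f"sender name shows {token} but address domain is {domain}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown, real = host_of(text), host_of(href)   # what you see vs. where it goes
        if shown and real and shown != real:
            warnings.append(f"link shows {shown} but points to {real}")
    return warnings
```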