Social engineering is the technique of manipulating people into giving away confidential information: passwords to sites, banking information, credit card numbers, personally identifiable information. Anything goes.
The type of information criminals are after varies, of course, as do the techniques used to trick people. Regardless, it all comes back to something for them to gain at your expense.
Criminals use these tactics over other methods because they are much easier to exploit: these attacks rely on trust, the trust that people blindly give when the attacker positions themselves as an official, a friend or family member, or someone you wouldn’t think twice about.
These methods are easier than the alternative, which usually entails cracking passwords – something that isn’t very effective unless your passwords are incredibly weak.
What Do These Attacks Look Like
Social engineering attacks are very flexible, but they all follow a specific formula. When you are aware of it, you can prepare yourself to handle them appropriately. Here are common attacks and their tropes.
Email From A Friend
If a criminal manages to get hold of a friend’s email password or social media account, they can pose as that friend and send emails and messages to the person’s contact list. What the actual message says doesn’t really matter; it all entails taking advantage of your trust and curiosity.
These attacks often:
- Contain a link they want you to click. These links could lead to videos or to a site that will download malware onto your computer.
- Offer a download of pictures, music, movies, or documents that contains malware the hacker can then use as a gateway into your email, social media and contacts.
Email From Trusted Sources
These social engineering attacks are called phishing, and there are different types that all end with the same result. Overall, these are specifically targeted, but they all appear to stem from third-party sources – or rather, the attacker claims to be from those sources.
These attacks can be pretty convincing, with attackers posing as Microsoft employees, representatives of a government body or organization, or your own bank. These attacks:
- Create urgency. Your friend or someone you trust is stuck in a certain country, has been robbed, is in the hospital, or has passed away. They need either money or some personally identifiable information in order to do X thing (pay medical bills, give you access to what they left in their will, etc.).
- Use phishing to pose as a legitimate-seeming entity. Again, they pose as a school, popular company, institution, bank, or other trusted establishment.
- Ask you to donate to a charity or other cause. Leveraging kindness and generosity, these attacks ask for support for disaster relief, political campaigns or a charity that’s been in the news lately.
- Present an issue in which you need to “verify” information, such as a bank saying your account has been breached and that you need to click on the link provided and enter your banking information to verify your identity.
- Notify you that you’ve won a contest of some kind or a lot of money: a family member passing away and leaving in their will that you have access to an off-shore bank account containing millions of dollars. Scenarios like that where you’ve “won” something.
- Pose as a boss or coworker. Scenarios like this involve sending emails containing documents you’ve requested, or asking for updates on important projects or for payment information pertaining to company credit cards.
Baiting Scenarios
Baiting is a social engineering scheme where attackers dangle something people want, and many take the bait. These are often found on peer-to-peer sites that offer things like downloads of a new movie or music. They also appear on social media sites, or you can find them through malicious websites that show up in search results.
The idea is to present them as amazingly great deals, but when people go to buy, they take the bait and download malicious software that can generate a number of new exploits against the victims.
Response To Questions You Never Had
Some criminals pretend to be responding to help requests on behalf of companies that offer support to people. They pick companies that millions of people use – like software companies or banks. With these broad attacks, attackers will get duds, as many people don’t have services with those companies, but others may actually respond, even if they never sent in a request to begin with.
Attackers then ask you for information so that they can “authenticate you”. This can mean providing personally identifiable information, logging into “their system” or something else.
Creating Distrust
The final form of social engineering is actually creating distrust: starting conflicts and ultimately getting you angry so that they can step in and be the “good guy” in the discussion. This form of social engineering starts with gaining access to another email or user account by whatever means.
From there they:
- Alter sensitive or private communications (including pictures and audio) with basic editing skills and forward these to people to cause drama, distrust, embarrassment, or other negative emotions. They may make it look like it was accidentally sent out, or they position themselves as telling you what’s “really” going on.
- Alter material to extort the person they hacked or the recipients.
Things To Remember To Prevent These Attacks From Happening To You
There are thousands of variations of these kinds of attacks, and the only real defence is to stay vigilant. On top of that, keep in mind the key points below:
- Slow down as a general rule. Scammers prefer that people act on instinct and think about things later. If the message conveys urgency or uses high-pressure sales tactics, be skeptical rather than act on that pressure.
- Spend some time researching. Be suspicious of any unsolicited message. If the email looks like it’s from a company you use, look into them: use a search engine to find the company’s site and contact info.
- Don’t click on links provided. You can always find the links people provide through search engines. Hovering over a link in an email will show the actual URL at the bottom of the window, though look-alike URLs can still steer you wrong.
- Remember that email hijacking is common now. Unfortunately, people’s email passwords aren’t the strongest, nor do many have two-factor authentication enabled. As a result, hackers, spammers, and scammers can break into email accounts, pose as that person and send out all kinds of emails and attacks on people.
- Be mindful of what you download. If a sender is sending you something to download and you don’t know them personally or weren’t expecting a file from them, don’t download it.
- Foreign offers are fake. Foreign lotteries, sweepstakes, money from unknown relatives, or money transfers from foreign countries reek of a scam.
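As an added example (not from the original article), here is a small Python check that does programmatically what hovering over a link does by hand: it pulls each link out of an HTML email body, compares the address the link actually targets with the address shown in the link text, and flags links that leave the trusted domain or merely embed its name. The sample email body and the `bank.example` trusted host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url_or_text):
    """Lower-cased hostname of a URL; bare domains such as 'bank.example' are accepted too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def find_deceptive_links(html_body, trusted_host):
    """Return (href, shown text, reason) for every link that does not lead to trusted_host."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        if real == trusted_host or real.endswith("." + trusted_host):
            continue  # genuinely on the trusted domain
        # Only treat the link text as a claimed address if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != real:
            findings.append((href, text, "shown address differs from real target"))
        elif trusted_host in real:
            findings.append((href, text, "trusted name embedded in an unrelated domain"))
        else:
            findings.append((href, text, "link leaves the trusted domain"))
    return findings

# Constructed sample: the "verify" link shows one address but points somewhere else.
SAMPLE_EMAIL = ('<p>Your account has been breached. Verify now: '
                '<a href="http://bank.example.verify-login.test/x">https://bank.example/verify</a></p>'
                '<p>Or <a href="https://www.bank.example/help">contact support</a>.</p>')
if __name__ == "__main__": print(find_deceptive_links(SAMPLE_EMAIL, "bank.example"))
```

The support link passes because its host is a subdomain of the trusted one; the “verify” link is reported because the text claims `bank.example` while the real host is `bank.example.verify-login.test`.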
How To Be Better Protected
Beyond those things, there are 4 other actions you can take to be better protected.
- Delete any requests for financial information or passwords. Organizations or officials will never, under any circumstances, ask for personal information.
- Reject requests for help or offers of help. Legitimate companies and organizations don’t commonly send people direct messages asking for help.
- Set your spam filters to the highest level. Every email program has spam filters because so much email is just spam. You can find these options in the settings. Also be sure to check the spam folder periodically, as legitimate emails can get trapped there.
- Secure your devices. Two-factor authentication, anti-virus software, firewalls and email filters, kept regularly updated, can keep these attacks at bay. Setting operating systems to update automatically also helps.
Mtek Digital Managed Business Service
Mtek Digital provides help with virtually any business technology requirement. From IT services to cybersecurity, we’re capable of servicing the tech industry throughout Canada. Contact us today.