Sometimes it takes a close call or bad experience to really hammer it home. The concept of identity theft is nothing new. To put it in perspective, my step-dad had his identity stolen, and didn’t even know it. He was targeted by a social engineering attack and forked over several hundred dollars during the scam and didn’t realize he was a victim until I sat down with him to help speed up his aging computer.
What is social engineering?
Social engineering attacks, like any con, are based on psychological manipulation to incite victims to give up money and sensitive, confidential information. An example given by Wikipedia (yes, we use Wiki too), might be someone who walks into a building and posts an official-looking flyer on the company bulletin that announces a new phone number for the help desk. When employees call for help, the criminal might ask for passwords and other corporate login credentials. This opens access to the company’s private information. Another example of social engineering might involve a hacker contacting their target on a social network, such as Facebook. They start a conversation and gradually gain their target’s trust, then use that trust to get access to sensitive information.
Why? Because $$$.
Motives typically involve some kind of financial gain, though some attackers choose victims for personal reasons, such as revenge. In my step-dad’s case, it all started with that slow computer. He signed up for a sketchy PC cleaner tool to get rid of viruses and speed things up, after which he was targeted through a phishing scam. This attack resulted in him paying the attacker sums of $150 to $300 on various separate occasions.
What are the most common types of social engineering attacks?
Phishing: These attacks can include scenarios like the aforementioned, but may also be more targeted. Spear phishing attacks are more sophisticated and can include customized email sends or targeted ads that require a bit more research on the attacker’s part.
Watering hole: In a watering hole attack, user-groups are specifically being targeted. For example, attackers would research specific employees that visit niche websites and then host malware specifically targeting these employees.
Baiting: Just like the term suggests, baiting attacks involve offering victims something they want. Most often, these appear on peer-to-peer sharing sites where you can download or stream those hot new movies or Beyonce tracks you’ve been hearing about. The risk is that you may be downloading malware instead of, or in addition to, the files you actually want. Baiting can also include too-good-to-be-true online deals or fake emails with answers to questions you never asked on any forums.
Who and what to trust
Social engineering attacks are limited only by the attacker’s imagination. But, that means knowledge is your greatest tool against evolving cyber threats. I’m not suggesting you turn paranoid, but if something online strikes you as a little off or too good to be true, question it. Don’t remember sending a package or signing up for a contest? Then don’t click the “track my package” or the “Congrats, you’re a winner!” links.
Phishing and baiting tactics have been used in recent employment scams targeting recent college graduates. Whether you’re on social media, applying for jobs, or simply surfing the web, always think before you click, do your research, and visit HTTPS sites through a secure search engine, not via email or social media links.