- January 29th, 2014
Social engineering is sneaky, as it takes advantage of our natural tendency to be helpful. Social engineers can also play upon human emotions, such as fear and sympathy. Here are some tricks social engineers employ to trick you out of sensitive data, and how you can protect yourself.
You are in the office and an electrician comes to fix a problem. Or your phone rings and it’s your ISP informing you of a problem with your account.
It’s human nature to cooperate, right? You let the electrician in and let him do what he needs to do. You answer questions the customer service agent asks to verify your identity. Unfortunately, instead of being helpful, you’re now a victim of social engineering. The electrician has installed a rogue router or stealth cameras in your office. The fake customer service representative has learned your personal details, your account credentials, or even your credit card information.
Social engineering refers to techniques people use to manipulate others into performing certain tasks or revealing certain types of information. Cybercriminals and thieves take advantage of the natural human desire to be helpful and to believe what people say. These scammers don’t need to bother with sophisticated hacking techniques or malware exploiting a software vulnerability when they can just email a malicious attachment and ask the recipient to open the file.
Social engineering is not anything new, as there have always been scam artists working elaborate cons and hoaxes. What is new, is the amount of information these scammers can collect about their targeted victims before even starting the attack. Thanks to social networking sites, they can find out all kinds of things, such as where their targeted victims work, the names of their colleagues, what school the target attended, and even where the person last went on vacation. They can find the company’s organization chart or find out what kind of software the company is using. They can use all this information to convince the victim they are telling the truth.
Human Nature to Help
DefCon, the biggest hacker convention, conducts a social engineering “Capture the Flag” competition each year. Participants are given a few weeks to research the target company. In previous years, targets have included Apple, Johnson & Johnson, and others. On the day of the competition, the contestant steps into a booth and calls a person at the company and attempts to trick the person into revealing “flags,” such as what version of the browser the company is using or what software is installed on the computer. Many times the contestants pretend to be colleagues at a different office trying to gather information for the CEO and really needing the help because they are completely overwhelmed. For the most part, people want to help and offer the information freely.
Fear is Lucrative
The scammers are good at selling fear. A popular scam has the caller calling from Windows Help Desk or some other Microsoft-sounding department because there was a problem on the user’s computer. The caller asks the user to type in some standard commands on the computer and explains that the resulting output is actually evidence of malware and other serious issues. At this point, the user is convinced something is wrong and will hand over their credit card information for the “representative” to fix the problem.
Verify, Verify, Verify
If someone calls claiming to be from some official capacity, ask for proof. Ask for an extension number so that you can call back. If the person is claiming to be an employee from a different office or from a supplier, ask for some kind of verification to confirm that person’s identity. If it’s law enforcement, ask for a badge number. If these are legitimate callers, they will provide that information without hesitation.
Don’t give in to the “you have to act in the next 20 minute” pressure. There is always time to research and to think things through.
Always be skeptical of situations where the person is proactively contacting you about a problem. No legitimate company will ever ask you for your password, and the government will always send a letter for official communications. And if you suddenly get a call from a friend or a relative claiming they are stranded in a foreign country and need some money wired to them, don’t just believe it because the person knows the name of your siblings or the name of your dog.
Be aware of what you share online, and take advantage of the privacy control settings. There are certain things you should never provide online, such as your password, answers to security questions (like your mother’s maiden name), and your Social Security number.
You can still be helpful, but take the time to question and evaluate everything. A little dose of skepticism never hurts, and it can make a huge difference when it comes to cybercrime.