Clever hackers are getting so devious that even IT folks fall for their ploys. Learn how to identify and avoid social engineering attacks.
Social engineers prey on human nature, attacking people’s vulnerabilities—fear, greed, naiveté, and kindness—to get what they want.
And what do they want? Your money, your credentials, your intellectual property, your contact list….
It’s easier to manipulate humans than it is to figure out how to hack your software. This makes social engineering attractive to crooks.
Tricksters may strike via phone, phishing emails, snail mail, and even in person. And they’re alarmingly effective. Every year, victims pay a huge price in the form of financial loss, identity theft, and/or reputation smear.
Social engineering requires human cooperation. The person on the receiving end must click a link, open a document, divulge information over the phone, or do whatever else the scammer requests.
While important to have, all the firewalls, anti-virus software, and spam filters in the world won’t protect your school if a staff member or student inadvertently trusts a shyster.
That’s why educating users is critical—and training should be mandatory.
Showing them what to look for will help your school or organization thwart social-engineering attacks that can open up a can of malware, ransomware, theft, and more.
3 Telltale Signs of Social-Engineering Attacks
These have “scam” written all over them.
1. Urgency
If you’re being pressured to act immediately “or else” (your account will be disabled, your delivery won’t arrive), don’t take the bait. Swindlers use urgency to frighten victims into swift action.
Slow down and do your research. Cybercriminals want you to act without thinking.
When in doubt, open a new browser window (do not click on an email link), go to the company’s website, and contact customer support via the published phone number or email address.
Delete any messages that request your password or other private information.
2. Too Good to Be True
You’ve just scored an all-expense-paid trip to Aruba! You just won the Jamaican lottery! All you have to do is “click here” to pay the taxes. Hit delete.
3. Strange Pleas for Help
Your friend is stranded in London and was robbed of all her money. She reaches out for help and tells you how to send funds. Hit delete.
5 Ways Crooks Launch Social-Engineering Attacks
Here are a few good old standbys:
1. By Email
Some phishing emails are easier to identify than others. Poorly written messages from Saudi princes are obviously bogus. But when scammers swipe corporate logos/designs from reputable companies and craft well-worded messages, they can easily fake out readers.
Scammers might hack your friends’ and colleagues’ email accounts and send messages that look real, too.
Advice: Be extremely vigilant before you click on or open anything in an email, IM, or text message. Make absolutely sure it’s from the person or organization it claims to be from. Set your spam filters to high.
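The checks above (who the message is really from, where its links really go, and whether it leans on urgency) can be scripted. The block below is an added example, not code from the original article: it triages a raw email using only the Python standard library. Both sample messages, the brand name “Example Bank”, and the domain bank.example are constructed for illustration.

```python
"""Triage a raw email for the signs the article lists: a sender that
only looks like the brand, failed SPF/DKIM/DMARC, links whose visible
text points somewhere other than their real href, and urgency language.
Added example; not code from the original article. Both messages are
constructed, and the brand name/domain are hypothetical."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed phish: display name borrows the brand, the address does not,
# the receiving MX recorded SPF/DMARC failures, and the link is deceptive.
PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@bank-example.test>
To: staff@school.example
Subject: URGENT: your account will be disabled in 24 hours
Authentication-Results: mx.school.example; spf=fail smtp.mailfrom=bank-example.test; dkim=none; dmarc=fail header.from=bank-example.test
Content-Type: text/html; charset="utf-8"

<html><body><p>Verify now or lose access:
<a href="http://198.51.100.23/login">https://www.bank.example/secure</a></p></body></html>
"""

# Constructed legitimate message from the real brand domain for comparison.
CLEAN_EMAIL = """\
From: "Example Bank" <alerts@bank.example>
To: staff@school.example
Subject: Your monthly statement is ready
Authentication-Results: mx.school.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at
<a href="https://www.bank.example/statements">https://www.bank.example/statements</a></p></body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "disabled", "suspended", "within 24 hours")

def parse_message(raw):
    return message_from_string(raw, policy=policy.default)

def sender_mismatch(msg, brand_name, brand_domain):
    """True when the display name invokes the brand but the address domain
    is neither the brand domain nor a subdomain of it."""
    sender = msg["From"].addresses[0]
    domain = sender.domain.lower()
    name_claims_brand = brand_name.lower() in sender.display_name.lower()
    domain_is_brand = domain == brand_domain or domain.endswith("." + brand_domain)
    return name_claims_brand and not domain_is_brand

def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts your own mail gateway stamped into
    Authentication-Results; a missing method counts as 'none'."""
    header = str(msg.get("Authentication-Results", ""))
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=(\w+)", header)
        verdicts[method] = match.group(1).lower() if match else "none"
    return verdicts

def deceptive_links(msg):
    """(visible text, real href) pairs where the anchor text is itself a URL
    whose host differs from the host the link actually goes to."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    html = body.get_content()
    pairs = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        text = " ".join(text.split())
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown != urlparse(href).hostname:
                pairs.append((text, href))
    return pairs

def triage(raw, brand_name, brand_domain):
    """Return the list of red flags found, empty if none."""
    msg = parse_message(raw)
    flags = []
    if sender_mismatch(msg, brand_name, brand_domain):
        flags.append("from-domain-mismatch")
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            flags.append(f"{method}-{verdict}")
    if deceptive_links(msg):
        flags.append("link-text-href-mismatch")
    subject = str(msg["Subject"]).lower()
    if any(word in subject for word in URGENCY_WORDS):
        flags.append("urgency-language")
    return flags

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, triage(raw, "Example Bank", "bank.example"))
```

Two caveats a practitioner should keep in mind: an Authentication-Results header is only meaningful when it was added by your own gateway (an attacker can put a forged one in the message, so strip inbound copies at the edge and trust only the one your MX stamps), and a “pass” on all three only proves the mail came from the domain it claims, which is exactly what a hacked colleague’s account will show.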
2. By Phone
Just got a call from “Windows tech support,” offering to fix your sluggish computer?
Legitimate tech-support departments rarely initiate calls out of the blue to help customers. They wait for users to contact them.
Callers typically open with a pretext such as:
- The operating system’s latest updates need to be verified
- Your system is incorrectly configured
- Load times are slow
- We’ve detected malware on your computer
If the caller claims to be from your own school’s IT department, verify that the person is who they say they are (call the help desk back at its published number) before doling out passwords and other personal details.
Advice: Be suspicious of unsolicited callers offering technical support, new insurance policies, refinancing deals, help restoring credit scores, etc. Hang up if they ask for private info (login credentials, birthdate, Social Security number, and so forth).
ALERT! Several IRS scams are making the rounds. Callers threaten to have you arrested, request you pay back taxes via credit card, or try to con you out of money in other ways.
These swindlers used to target senior citizens and new immigrants with poor English skills—but now everyone is fair game. People in all fifty states are falling for the IRS hoax.
Advice: If you don’t owe taxes, report the call to TIGTA (Treasury Inspector General for Tax Administration) at 800-366-4484 or fill out the IRS Impersonation Scam Reporting form.
(If—on the off chance—you do owe taxes and are concerned, call the IRS for assistance: 800-829-1040.)
3. In Person
Social engineers can dress the part: They don uniforms, carry clipboards, and pose as inspectors or tech specialists who install (dirty) software or glean critical information from users.
If anyone suspicious shows up at your workstation, contact security.
Don’t let anyone “tailgate” you into a building where passes or door buzzers are required for entry.
4. Via USB Sticks
An oldie but goodie, the stray USB stick remains a highly effective tactic. Someone spots a “lost” stick lying around and plugs it into his computer to find out who owns it.
Perhaps it’s labeled with something tempting, like “Salary Info,” which the finder can’t resist investigating.
A few clicks later, the malware on the stick is running on the machine.
Bad apples may also hand out free USB sticks so you can see their new music video or access a cool tool they designed. Except what’s inside is not entertaining: It’s malware.
Advice: Don’t let a USB stick come near your computer unless you’re 100 percent sure it’s legit and clean.
5. On Social-Media Sites
Scammers post links leading to malicious sites or IM users infected attachments. Read all the dirt on our blog post, “Malware on Social Media: It’s Spreading.”
Make sure your system is well defended against attackers with the right equipment (strong firewalls, filters, and anti-virus software). But don’t forget the human component. It’s your weakest link!
- Stay current on hucksters’ tricks and tactics by visiting websites like this info-packed social engineering portal from Social-Engineer, Inc.
- 23 Social Engineering Attacks You Need to Shut Down
- IRS Tax Scams/Consumer Alerts