Overview

A common misconception about cyber attackers is that they use only highly advanced tools and techniques to hack into people's computers or accounts. Cyber attackers have learned that the easiest way to steal your information, hack your accounts, or infect your systems is by simply tricking you into doing it or them using a technique called social engineering. Let’s learn how these attacks work and what you can do to protect yourself.

What is Social Engineering

Social engineering is a psychological attack where an attacker tricks you into doing something you should not do through various manipulation techniques. Think of scammers or con artists; it is the same idea. However, today’s technology makes it much easier for any attacker from anywhere in the world, to pretend to be anything or anyone they want, and target anyone around the world, including you. Let’s take a look at two real-world examples:

You receive a phone call from someone claiming to be from the government informing you that your taxes are overdue and that if you do not pay the right away you will be fined or arrested. They then pressure you to pay over the phone with a credit card, gift card, or wire transfer warning you that if you don’t pay you could go to jail. The caller is not really from the government, but an attacker attempting to trick you into giving them money.

Another example is an e-mail attack called phishing. This is when attackers create an e-mail that attempts to trick you into taking an action, such as opening an infected e-mail attachment, clicking on a malicious link, or giving up sensitive information. Sometimes phishing e-mails are generic and easy to spot, such as pretending to come from a bank. Other times phishing e-mails can be highly customized and targeted as attackers research their targets first, such as a phishing e-mail pretending to come from your boss or colleague. Keep in mind, social engineering attacks like these are not limited to phone calls or e-mail; they can happen in any form including text message, over social media, or even in person. The key is to know what clues to look out for.

Common Clues of a Social Engineering Attack

Fortunately, common sense is your best defense. If something seems suspicious or does not feel right, it may be an attack. The most common clues include:

  • A tremendous sense of urgency or crisis. The attackers are attempting to rush you into making a mistake. The greater the sense of urgency, the more likely it is an attack.

  • Pressure to bypass or ignore security policies or procedures you are expected to follow at work.
  • Requests for sensitive information they should not have access to or should already know, such as your account numbers.
  • An e-mail or message from a friend or coworker that you know, but the message does not sound like them - perhaps the wording is odd or the signature is not right.
  • An e-mail that appears to be from a coworker or legitimate company, but the e-mail is sent using a personal e-mail address such as @gmail.com.
  • Playing on your curiosity or something too good to be true. For example, you are notified your package was delayed, even though you never ordered a package or prize in a contest that you never entered.

If you suspect someone is trying to trick or fool you, do not communicate with the person anymore. Remember, common sense is your best defense.

Subscribe to OUCH! and receive the latest security tips in your e-mail every month - www.sans.org/ouch.