Cybersecurity: 3 ways to spot the social engineering tactics used by cyber criminals
When it comes to cyber security, even the strongest information security systems are vulnerable when the people accessing those systems are tricked into giving away their passwords and login credentials.
“Social engineering” is the process by which criminals exploit our basic human urge to respond to urgent requests, be useful or help out a friend in need, to lure us into providing information that can be used to commit financial fraud.
Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim to gather necessary background information, such as potential points of entry and weak security protocols, needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.
Rather than using technical hacking techniques to conduct a cyber security attack, social engineers use manipulation and human psychology to spin a story that they hope we’ll believe.
Social engineering scams can take many forms, but a few common ones include:
- phishing or smishing — cyber criminals send you an email or text that attempts to trick you into volunteering information and/or installing malware on your computer via infected links or attachments. For example, criminals are taking advantage of the pandemic to send phishing and texting scams capitalizing on fears and anxiety about COVID‑19.
- vishing or voicemail phishing — a fraudster calls you on the phone and tries to trick you into revealing sensitive information like your password, threatens you about phony debts that you owe, or attempts to trick you into paying a fee or debt with gift cards.
- email hacking — a criminal hacks into your email account and sends emails to your friends and family to trick them into clicking on links or sending money for bogus emergencies. When targeted at businesses, as in Business Email Compromise fraud, email hacking is just one of the tactics cyber criminals use to attempt to trick unsuspecting employees and executives.
- baiting — a cyber criminal leaves a malware-infected portable drive in a public place with a tempting label like “confidential”; plugging it into your computer installs the malware.
3 ways to spot social engineering techniques
- Using fear as a motivator. Sending threatening or intimidating emails, phone calls and texts is another technique social engineers use to scare you into acting on their demands for personal information or money.
- Suspicious emails or texts that include urgent requests for personal information are a major red flag that someone is trying to trick you.
- Too-good-to-be-true offers or unusual requirements. If an online contact offers you free access to an app, game or program in exchange for login credentials, beware. Similarly, free offers online can often contain malicious code.
How to protect yourself
- Be suspicious of requests for your personal information. Remember, your bank will never send you an email, or call you on the phone, asking you to disclose personal information such as your password, credit or debit card number, or your mother’s maiden name.
- Install anti-virus, anti-spyware and Internet firewall tools purchased from trusted retailers or suppliers. Keep these programs enabled and continuously updated to protect your devices against malicious software. In addition, hardware security keys such as Google Titan can be used as a highly secure method of two-factor authentication for some online services over USB-A, NFC, or Bluetooth.
- Be wary of downloading free apps, files, programs, software or screensavers — malicious code, like spyware (that secretly monitors what you do online) and keystroke loggers (that secretly track what you are typing) can be hidden within the downloaded file or app and used to access personal information, such as login credentials.