First off, what is social engineering? Social engineering in a security context is a means to get an unknowing victim to divulge information. Typically, social engineering is used to gain access to confidential information or computer systems without the need for hacking or other types of malicious software. Social engineering attacks can range from the extremely simple to very complex scenarios in attempts to trick victims.
At the basis of all social engineering techniques is some form of deception or trickery. The social engineer will present some information to the victim which the victim believes is true. The victim lets their guard down and in doing so may divulge information the attacker was seeking.
Below, we will cover some of the more popular forms of social engineering along with ways to fight back.
Phishing is one of the top online threats out there today. In this scenario, the social engineer crafts an email, and possibly a website, to make it look like it comes from a legitimate business (See Figure 1 and 2 – both examples of phishing emails). For the purposes of this example, let’s say it’s for a large national bank. The email may warn users about a potential security threat to their account or unauthorized usage. The email asks the user to click on a link to log into the bank’s website and reset their password. The attacker sends out the email to large numbers of people (casting the net – looking for “fish to bite”). When the victims receive the email, many of them will realize they don’t have accounts at this bank, so they delete the email. Some victims will receive the email and suspect trickery, so they’ll wisely delete it. Unfortunately, a small percentage of people will click the link and enter the information they are asked for.
This gives the attacker instant access to these victims’ accounts.
- If you receive a notice from one of your institutions and you have a gut feeling the warning or issue may be legitimate, use a phone to call and talk to an account rep – don’t click on the links in the email.
- Never click on a link in an email to change your password. If you do want to change your password, go directly to the web site and change it.
- Realize that most companies will not simply send you an email if you have account issues. For example, if your credit card company suspects unauthorized usage, they are going to call you – not send an email.
- Additional information can be found in my article on the Top Tools to Spot a Phishing Scam.
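The phishing email described above works because the link the victim sees is not the link they actually follow. The following added example, which is not part of the original article, shows a small defensive check that an email filter or a curious recipient could run over an HTML message body: it extracts every link, compares the visible link text against the real href, and flags links whose destination is not a trusted domain for the institution. The sample message, the domain names (examplebank.test, examplebank-secure.test) and the trusted-domain list are all constructed for the example; the registrable-domain helper is a deliberate simplification noted in the code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the bank scenario in the article: the visible
# link text shows the bank's real address, but the href points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, we detected unauthorized access to your account.</p>
<p>Please visit <a href="http://login.examplebank-secure.test/reset">
https://www.examplebank.test/reset</a> to reset your password.</p>
<p>Questions? See <a href="https://www.examplebank.test/help">our help page</a>.</p>
"""

# Visible link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: a production check would
    consult the public suffix list so that names such as example.co.uk work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url_or_domain):
    """Hostname of a URL; a bare domain with no scheme is accepted too."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return urlparse(url_or_domain).hostname or ""


def find_suspicious_links(html, trusted_domains):
    """Return [(href, visible_text, [reasons])] for links worth a second look.

    trusted_domains: registrable domains the institution really uses.
    """
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_domain = registrable_domain(host_of(href))
        if href_domain not in trusted_domains:
            reasons.append(f"link goes to {href_domain!r}, not a trusted domain")
        # The classic phishing trick: text shows one address, href goes to another.
        if URL_LIKE.match(text):
            shown_domain = registrable_domain(host_of(text))
            if shown_domain != href_domain:
                reasons.append(f"text shows {shown_domain!r} but href is {href_domain!r}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in find_suspicious_links(SAMPLE_EMAIL_HTML, {"examplebank.test"}):
        print(href, "->", "; ".join(reasons))
```

Run against the sample, the check reports the password-reset link twice over (untrusted destination, and displayed address differing from the real one) and stays quiet about the genuine help link. This is the mechanical version of the advice in the list above: what matters is where a link actually goes, not what it says, and the safest habit remains typing the institution's address yourself rather than clicking.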
Pretexting is a more focused social engineering effort compared to phishing, where you hope to get at least one person to bite. Pretexting involves the social engineer gaining some bit of information about the victim or the business they are going to victimize. They call the business and make false claims – that they are calling from a close vendor or maybe the local telephone company. They may ask their victims to reveal passwords or other confidential information. A high-profile case of pretexting occurred in 2006 in which HP hired private investigators to investigate a large leak of confidential information. The private investigators impersonated HP board members and several journalists in attempts to gain call records and other personal information. More information on this case can be read here.
- Never give out passwords or other confidential or proprietary information to parties you have not cleared.
The old adage that you should never trust a stranger certainly applies to technology and protecting you and your business’s private information.