Social engineering is something you might not have heard of, but you have probably experienced at some point. Ever received an email that is supposedly from your bank but isn’t? That’s social engineering in action.
It’s an innovative way for malicious actors to gain access to your personal data, and your money, and it is incredibly difficult to prevent. In this article, we will dive into what social engineering actually is, the most common types of hacks, and how you can avoid becoming a victim.
The term social engineering originates from the famous hacker Kevin Mitnick, although the technique itself has been around for a long time. In essence, social engineering is the art of manipulating people into giving up valuable personal information or access to devices and buildings. In these cases, hackers are usually trying to get your login details or bank/credit card details so that they can take your money.
Criminals use social engineering because it is far easier to manipulate someone's trust than it is to hack into someone’s computer or execute a data breach. Our natural inclination is to trust someone; it is the backbone of many aspects of our lives, and it is surprisingly easy to manipulate.
A social engineering hack usually goes like this. The hacker will first prepare the ground for their attack. This may involve doing some research into their target, including determining the best method to conduct their approach.
Next, the criminal will begin deceiving their victim using a foothold, usually some type of story. Sometimes the hacker will take a long-term approach and interact with their victim several times before executing their hack. Once the hacker has the information they want, they bring their scheme to a natural end and remove all traces of what they’ve done.
What makes social engineering so effective is that it relies on human error rather than technology. Human mistakes are a lot harder to thwart than malware.
There are three types of social engineering hacks: in-person, on the phone, and digital. We’re going to cover each one, including the most common hacks of each kind.
In-person tactics are normally used to gain access to a building or devices. Typically the criminal will pretend to be an employee or service technician of some kind. The perpetrator will then be able to enter a secure building and/or access computers, phones, servers, etc.
The hacker will then directly use those devices to install things like malware. Alternatively, they may leave something behind, like a USB drive with malware on it. Most people will plug in a USB drive to see what is on it, and by the time they do, their computer has been compromised.
Phone scams are the type of hack you have probably already experienced. A criminal will call you pretending to be someone in a position of authority, a relative, your bank, or an employee from a service company or charity. They will then convince you to hand over sensitive information like your bank details, login information, passwords, and more. Occasionally, the criminal will catfish their victim, maintaining a relationship in order to get the victim to send them money.
One phone scam overwhelmingly targets senior citizens, and unfortunately, it is quite successful. The most common form is when a criminal pretends to be the grandchild of their target and requests money in order to get out of a tricky situation like jail or being stuck in another country.
Recently, the FBI helped take down a ring of criminals who were phoning people and telling them that they had kidnapped their child. Victims were told that they needed to pay a large sum of money to get their child back. What made it so effective was another person in the background screaming for help. While it didn’t work every time, as the criminals were cold-calling people, it worked well enough for them to walk away with a large profit.
Digital social engineering hacks are probably the most common these days. We’ve all received suspicious emails asking us to download something or submit personal information. Most of the time, we know to ignore them, but criminals are getting better at hiding their methods.
Phishing scams are by far the most common. Generally, hackers will email you from a seemingly legitimate email address. They might even use the logo of the company they are trying to impersonate, and model their emails closely on the ones you normally receive. The key here is to check the email address. Usually there is some small typo, an extra character, or change in domain (for example .biz instead of .com).
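The sender-address check described above can be done by eye, but it can also be automated. The following is an added example, not code from the original article: a small Python heuristic that compares a sender's domain against a list of domains you trust and flags the three kinds of near-miss the paragraph mentions (a typo, extra characters, or a swapped domain suffix such as .biz for .com). The trusted domains, addresses, and the 0.8 similarity threshold are all constructed assumptions for illustration.

```python
"""
Added example (not from the original article): flag sender domains that are
near-misses of domains the reader trusts. Every domain, address and threshold
below is a constructed assumption for illustration.
"""
from difflib import SequenceMatcher

# Constructed list of domains the reader legitimately receives mail from.
TRUSTED_DOMAINS = ["netflix.com", "examplebank.com", "paypal.com"]

# Constructed threshold: names this similar are treated as probable typos.
TYPO_SIMILARITY = 0.8


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.strip().lower()


def split_domain(domain: str) -> tuple:
    """Split 'example.com' into ('example', 'com')."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def check_sender(address: str, trusted=TRUSTED_DOMAINS) -> dict:
    """
    Classify a sender address against the trusted domains.

    Returns a dict with:
      verdict: 'trusted', 'lookalike' or 'unknown'
      matched: the trusted domain it matches or resembles (None if unknown)
      reason:  a short explanation of the verdict
    """
    domain = sender_domain(address)
    if domain in trusted:
        return {"verdict": "trusted", "matched": domain, "reason": "exact match"}

    name, tld = split_domain(domain)
    for good in trusted:
        good_name, good_tld = split_domain(good)

        # Same name, different suffix: netflix.biz instead of netflix.com
        if name == good_name and tld != good_tld:
            return {"verdict": "lookalike", "matched": good,
                    "reason": f"domain suffix changed to .{tld}"}

        # Trusted name with extra characters around it: paypal-secure.com
        if good_name in name and name != good_name:
            return {"verdict": "lookalike", "matched": good,
                    "reason": "extra characters around trusted name"}

        # Small typo or character swap: netflx.com, paypa1.com
        ratio = SequenceMatcher(None, name, good_name).ratio()
        if ratio >= TYPO_SIMILARITY:
            return {"verdict": "lookalike", "matched": good,
                    "reason": f"typo-like similarity {ratio:.2f} to {good}"}

    return {"verdict": "unknown", "matched": None,
            "reason": "no trusted domain resembles this one"}


if __name__ == "__main__":
    # Constructed sample senders, the kind a user might see in an inbox.
    for sample in ["billing@netflix.com", "support@netflix.biz",
                   "alerts@netflx.com", "help@paypal-secure.com",
                   "friend@gmail.com"]:
        print(f"{sample:28} {check_sender(sample)}")
```

A verdict of "unknown" is not a clean bill of health; it only means the domain does not resemble one you trust. The useful signal for a reader is "lookalike": a message that claims to be from a company you deal with but arrives from a domain that only nearly matches the real one.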
What makes phishing scams work (some of the time) is that they create a sense of fear, urgency, or curiosity. These are powerful emotions. If you receive an email that looks like it is from Netflix telling you that you need to update your billing information, your natural inclination is to do what the email says. Malicious actors are counting on you not taking a closer look.
There is another type of phishing called spear phishing. The premise is the same, but it requires a lot more work on the part of the hacker and offers a greater reward. Spear phishing is personalized to the victim of the attack, and the criminal puts a lot of time and effort into making themselves appear legitimate. Criminals find all the personal information they can about their target in order to trick them into installing malware or handing over personal data.
Another common digital social engineering hack is scareware. This involves victims being bombarded with warnings and false alarms claiming that there is some type of threat. Typically, victims are told that their computer is infected with malware and that they need to install a piece of software to fix the problem.
Social engineering plays off of your emotions, so it can be difficult to stop. That being said, there are a number of things you can do to prevent yourself from becoming a victim:
It is highly likely that social engineering hacks will continue to develop given their current effectiveness. In fact, the second half of 2018 saw an increase of over 500% in social engineering attacks. A big part of prevention is awareness, so it is important that we talk about social engineering and warn others about it. Given that the elderly are so susceptible to these types of attacks, more work should be done to inform and protect senior citizens.
Even government agencies can fall victim. In 2016 the Department of Justice fell victim to a social engineering hack which led to tens of thousands of employees having their data leaked. It’s hard to believe that a government body would fall for such a scheme just a few years ago.
Criminals are constantly adapting, and it is vital that we take a proactive approach to protecting our personal data. If not, you could end up not only losing control over your personal information but also losing a lot of money.