Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that will give them access to your passwords and bank information as well as control over your computer.
Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is to try cracking their password (unless the password is really weak).
Common social engineering attacks
Email from a friend. If a criminal manages to hack or socially engineer one person's email password, they have access to that person's contact list, and because most people use one password everywhere, they probably have access to that person's social networking contacts as well.
Once the criminal has that email account under their control, they send emails to all the person's contacts or leave messages on all their friends' social pages, and possibly on the pages of the person's friends' friends.
These messages may use your trust and curiosity:
- Contain a link that you just have to check out. Because the link comes from a friend and you're curious, you'll trust the link and click, and be infected with malware so the criminal can take over your machine, collect your contacts' info, and deceive them just like you were deceived.
- Contain a download (pictures, music, movie, document, etc.) that has malicious software embedded. If you download it, which you are likely to do since you think it is from your friend, you become infected. Now the criminal has access to your machine, email account, social network accounts and contacts, and the attack spreads to everyone you know. And on, and on.
These messages may create a compelling story or pretext:
- Urgently ask for your help: your 'friend' is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home, and they tell you how to send the money to the criminal.
- Ask you to donate to their charitable fundraiser, or some other cause, with instructions on how to send the money to the criminal.
Phishing attempts. Typically, a phisher sends an e-mail, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution.
These messages usually have a scenario or story:
- The message may explain there is a problem that requires you to "verify" information by clicking on the displayed link and providing information in their form. The linked site may look very legitimate, with all the right logos and content (in fact, the criminals may have copied the exact format and content of the legitimate site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook is asking for. These types of phishing scams often include a warning of what will happen if you fail to act soon, because criminals know that if they can get you to act before you think, you're more likely to fall for their phish.
- The message may notify you that you're a 'winner'. Maybe the email claims to be from a lottery, or a dead relative, or says you are the millionth person to click on their site, etc. In order to give you your 'winnings' you have to provide your bank routing information so they know how to send it to you, or give your address and phone number so they can send the prize, and you may also be asked to prove who you are, often including your Social Security Number. These are the 'greed phishes' where, even if the story pretext is thin, people want what is offered and fall for it by giving away their information, then having their bank account emptied and identity stolen.
- The message may ask for help. Preying on kindness and generosity, these phishes ask for aid or support for whatever disaster, political campaign, or charity is hot at the moment.
How do you avoid being a victim?
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Don't send sensitive information over the Internet before checking a website's security.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
- Take advantage of any anti-phishing features offered by your email client and web browser.
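The URL advice above (a spelling variation, a different top-level domain, or a trusted name buried inside a stranger's address) can be turned into a small check that runs over a link before it is clicked. This is an added example, not part of the original page; the TRUSTED_DOMAINS list and all domain names in it are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the reader really deals with (an assumption
# for this example; a real list would come from your own statements or bookmarks).
TRUSTED_DOMAINS = {"examplebank.com", "example-school.edu"}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname: 'login.examplebank.com' -> 'examplebank.com'.
    Simplification: multi-label public suffixes such as 'co.uk' are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character spelling variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the site a link really points to."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()   # the host the browser will actually contact
    netloc = parts.netloc.lower()           # also keeps any 'user@' decoy prefix
    domain = registered_domain(host)
    if domain in trusted:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for t in trusted:
        tname, _, ttld = t.rpartition(".")
        if t in netloc:                      # trusted name used as a subdomain or userinfo decoy
            return "lookalike"
        if name == tname and tld != ttld:    # same name, different TLD (.com vs .net)
            return "lookalike"
        if edit_distance(name, tname) <= 2:  # small spelling variation
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://login.examplebank.com/account", "http://examplebank.net/verify",
                 "http://exampIebank.com/login", "http://examplebank.com@evil.net/verify"):
        print(classify_url(link), link)
```

A 'lookalike' result is a reason to stop and contact the organization through a channel you already trust, as the list above recommends.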