We’re constantly told to beware of the hackers and scammers out there, but there is a new type of fraudster to watch out for: social engineers. Social engineering is the clever manipulation of the natural human tendency to trust. These fraudsters are cunning and turn our human nature against us to gain access to money, valuable data, and sensitive information. These attacks have become increasingly popular, and falling victim to one can have serious consequences for both individuals and corporations. Since humans are now being targeted – not just machines – it’s important to be educated and know the signs of these cyber crimes so you can avoid them. These are the four types of social engineering attacks you should know:
Phishers pose as trusted people or institutions and request sensitive information through email. Fraudsters phish, or collect, passwords, bank account numbers, credit card numbers and more by asking recipients to click on links to malicious websites whose URLs appear legitimate. They can also urge users to download attachments carrying viruses or spyware, or attack real websites by routing the URL to a malicious IP address that looks valid. “Official” emails that contain spelling errors, or that request password confirmation and other personal information, can be signs of phishing.
Pretexting is building a false sense of trust to trick a user into sharing information. Fraudsters pretext by using convincing stories to obtain personal information through inbound phone calls, email, postal mail, or in-person visits. Oftentimes, fraudsters pretend to be a survey company, bank, government agency, IT support, estate attorney, or someone requesting help from a foreign country. They are typically seeking your social security number, tax ID number, bank name, brokerage name, credit card issuer name, phone company, mother’s maiden name, pet’s name, or child’s name. The last two items in that list are often the answers to password recovery questions.
Spoofing occurs when a social engineer impersonates a board member or vendor to trick a user into action. When spoofing, fraudsters can use emails or phone calls, and they leverage the authority of the individual being impersonated to make urgent demands, which often include clicking a link or attachment that downloads malicious software onto your device, wreaking havoc on your critical applications and operating system.
When a fraudster tricks a user into infecting their own computer with a virus or malware, that is baiting. This is typically done through the promise of an item or good, such as music or movie downloads, in exchange for personal information. Exploiting curiosity through physical media can also be a baiting attack; for example, a scammer might leave a thumb drive in a public place in the hopes that someone will put it in their computer to look at files it contains.
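The phishing signs described above (links whose visible text does not match where they actually go, lookalike domains, non-HTTPS or raw-IP links, and requests to confirm a password) can be turned into a simple automated check. The script below is an added example written for this article, not code from the original page; the sample email, the trusted-domain set `examplebank.com`, and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body with one lookalike link and one
# legitimate link. Not a real message.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your password at
<a href="http://examplebank-login.com/verify">https://www.examplebank.com/verify</a>
within 24 hours.</p>
<p>Or view your statement <a href="https://www.examplebank.com/statements">here</a>.</p>
"""

# Domains the organisation actually uses (assumed value for this example).
TRUSTED_DOMAINS = {"examplebank.com"}

# Phrases that commonly accompany credential-harvesting requests.
CONTENT_CUES = ("confirm your password", "verify your account", "within 24 hours")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Naive: keep the last two labels. Production code should consult the
    # public-suffix list so that e.g. example.co.uk is handled correctly.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text, trusted):
    """Return a list of human-readable findings for one hyperlink."""
    findings = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme != "https":
        findings.append("not HTTPS")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address")
    # Visible text looks like a URL but the href points somewhere else.
    if re.match(r"https?://", text):
        shown = urlparse(text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            findings.append(f"text shows {shown} but links to {host}")
    # Domain is not ours but contains our brand name: likely a lookalike.
    dom = registrable_domain(host)
    if dom not in trusted:
        for t in trusted:
            if t.split(".")[0] in host:
                findings.append(f"lookalike of {t}")
                break
    return findings


def content_cues(html):
    """Return the suspicious phrases present in the message text."""
    lowered = html.lower()
    return [cue for cue in CONTENT_CUES if cue in lowered]


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map each href in the message to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text, trusted) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
    print("content cues:", content_cues(SAMPLE_EMAIL))
```

Running the script on the constructed sample flags the first link three times (plain HTTP, visible text pointing at a different domain than the href, and a lookalike of the trusted domain) while the second link passes, and the body text trips the "confirm your password" and "within 24 hours" cues. A mail gateway or user-reporting tool could apply the same checks before a recipient ever clicks.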
In order to avoid cyber attacks, you should always slow down and think before you act. Here are some helpful tips:
- Always utilize known phone numbers for your contacts to check on the legitimacy of a communication, not the number provided in an email.
- Be very careful when answering surveys – never provide sensitive information or information that could be the answers to password recovery questions.
- If it sounds too good to be true, it probably is.
- Log in only on HTTPS-protected sites.
- Never connect unknown devices to your computer.
- Lock your computer when you are away from your desk.
- Lock laptops, tablets, mobile devices, USB devices, etc. when not in use.