Social engineering is the term used to describe many methods of stealing personal information and manipulating people to hack their private or corporate accounts. Many scams and cybercrimes fall into the category of social engineering, particularly phishing, but social engineering mainly indicates some level of personal manipulation. Personal manipulation can include calling people over the phone or developing a basic connection with them over social media. Cyber manipulation could mean sending malicious files via email or stealing someone’s personal data to access an account or a building. But these types of manipulation aren’t siloedâ€”many scams fit multiple categories of social engineering.
Basic characteristics of social engineering
Pressure: excessive capitalization or an urgent tone are ways that cybercriminals put pressure on their victims. If they can convince you to act quickly, you may not pause to wonder if the request is genuine.
Time constraint: a malicious party will make you believe you are missing out by warning that an offer ends soon or saying that you need to update your account as soon as possible, even if the target is your bank account and you’ve never received an email like that from them before.
Targeted manipulation: good hackers do their homework, and they may know what stores you love or other relevant personal information just from stalking your social media or your LinkedIn account. This will allow them to tailor a scam more successfully.
Methods of social engineering
Phone calls: criminals will pretend to be from a trusted organization, such as your bank or a car dealership, and claim that you have a sudden financial reward or need to make a decision regarding your vehicle’s warranty (even if you don’t have one).
Emails: sometimes these are obviously fraudulent, but criminals are becoming more sophisticated. They can imitate your company’s email (“spoofing“) and pretend to be a high-level executive or hack a friend’s email and send malicious files. Once a file is downloaded, it installs malware on a user’s computer.
Social media: criminals may send messages with viral links through sites like Facebook, particularly if they’ve hacked a friend’s account and that friend is supposedly sending you videos or documents. These often show up as direct messages to increase the likelihood you will click on the link.
In-person: sometimes criminals will try to use your credentials to slip into your organization’s physical site. This may not be as common, but it’s a valid concern for large corporations, particularly those in government, finance, and healthcare, where sensitive information might be endangered if a criminal is on-premises.
Avoiding social engineering tactics
Anything for which you didn’t sign up: if you receive a call or email stating that you’ve won something, but it’s a contest you’ve never heard of or registered for, that is an immediate sign of fraud.
Anything unexpected or urgent: if an email or call is overly pushy or warns you not to miss out, that is suspicious. Most legitimate advertisements or paid plans are much more calm and give you plenty of notice ahead of time.
Any financial requests that haven’t been verified: many scams have been carried out successfully because employees believed they were handing over money to their employer, when it was a criminal using a spoofed company email address. If you receive a random request for money, contact the person directly through a channel you know you can trust (such as a personal phone call or text or through secured company communication channels).
Any call or message requesting login information: most legitimate companies will never do this. Think about itâ€”has your bank ever called you and asked for your username or password? No, and they won’t anytime soon.
Any email or message with a link: these may be legitimately from a friend, particularly if you’ve talked recently with someone and know that they planned to send you something. But always hover over the link to see the true address or type the address directly into your browser.
Any unknown person attempting to enter your workplace: scammers attempting to steal information from a physical site will play on the kindness of strangers who will open doors and usher strangers into the work site without proper credentials. This entryâ€”also known as ID-surfingâ€”can be prevented by requiring each individual to scan an ID or register as a guest to enter and leave the premises.
Any identifying company information when off-site: company employees should remove ID tags and conceal lanyards in a pocket or bag when leaving the work site. This will help prevent outsiders from learning your name and the company you work for while you sit at a coffee shop. Keeping these two pieces of information private increases the amount of work a criminal must do to attempt to steal company information.