The easiest way to hack an IT system is by manipulating a user, rather than a machine. Social engineering allows hackers to gain access to data, systems, or buildings by exploiting human psychology. Cybercriminals can carry out social engineering attacks on the internet, over the phone, and in person.
What emotions do social engineering hackers exploit to attack their victims?
What are the types of social engineering attacks?
- Pretexting: The hacker will pretend to be someone you know, such as a co-worker. For example, the hacker may send from an email address that closely resembles the co-worker's and urge you to look at their attached spreadsheet report immediately. Unfortunately, the spreadsheet contains malware, which launches as soon as you open the file.
- Phishing: The hacker, posing as a legitimate organization, will urge the user to act quickly via email, such as by entering login credentials on a data-stealing portal. For instance, a recipient could receive a request to verify their bank account information by clicking a link in an official-looking email and then entering their account number and PIN into the fake portal.
- Vishing: Like phishing, but the hacker contacts the victim by phone instead. The hacker can pretend to be a co-worker who urgently needs the login information for client management software.
- Scareware: Hackers will trick their victims into thinking their computer has malware or that they downloaded illegal content. The hacker then offers a bogus fix and collects a fee for the service.
- Quid Pro Quo: Hackers will encourage the user to divulge confidential information in exchange for prizes or discounts. They use the information collected, such as birthdates and passwords, to commit fraud and steal your money.
- Baiting: The hacker will leave a piece of external storage media, such as a USB drive or CD, where someone can easily find it. The media may have an enticing label, such as employee salary information. The user then plugs the media into their computer and unknowingly installs malware.
- Tailgating: The hacker will lurk outside in an employee hang-out spot, such as a smoking area, and start talking to a group. When the group moves back into their secured building, the hacker will follow them inside. The hacker may even have a stolen or counterfeit badge they can use to enter offices and snoop through company assets.
How can you protect yourself from social engineering attacks?
- As always, make sure to inspect links closely in emails and text messages. Also, do not open unexpected attachments, especially from unknown senders.
- If you get a random request for personal information, follow up with the source through a different communication method. For example, if you get an email from a co-worker to wire money to a vendor, follow up with a phone call.
- Do not call support phone numbers from random browser pop-ups. Close the browser to get rid of the message. If you have any doubts, call SwiftTech Solutions.
- Do not let anyone follow you inside a secure building unless you know they are a fellow tenant. Let them know you cannot let them in because of the building's security policy and that they should contact the company they are visiting to gain entry.
- Make sure desktop and mobile devices display a lock screen after five minutes of inactivity.
- Make sure to keep your social media accounts private and be careful about accepting friend requests from people you do not know.
- If you use an ID badge to enter the building, always keep it with you throughout the workday. If you lose the card, you will need to report the incident immediately to the issuing party, such as Human Resources or the building management.
- Trust your instincts. If something feels off, chances are you are correct.
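As an added example that is not part of the original article: the Python script below applies the first two tips above to a constructed email, flagging a sender address outside a trusted domain, a subject line that pressures the reader to act quickly, and links whose visible text names a different site than the one the href actually opens. The trusted domain, the sample message and the function names are assumptions, and the anchor regex only handles simple HTML.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's real domain
URGENCY_WORDS = ("immediately", "urgent", "act now")
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.S)  # simple HTML only

# Constructed sample message: a co-worker's name on a lookalike address, a
# subject that demands haste, and a link whose visible text names one site
# while its href points somewhere else.
SAMPLE_EMAIL = """\
From: "Dana Reyes" <dana.reyes@examp1e-corp.com>
Subject: Q3 salary report - review immediately
Content-Type: text/html

<p>Verify your account at <a href="http://login.examp1e-corp.com/verify">https://bank.example.com/login</a>
and see <a href="https://files.example.com/q3.xlsx">files.example.com</a>.</p>
"""

def base_domain(host):
    """Last two labels of a hostname; crude, but enough for this mismatch check."""
    return ".".join(host.lower().split(".")[-2:])

def domain_of(text):
    """Base domain of a URL, or of bare text such as 'files.example.com'."""
    url = text if "://" in text else "http://" + text
    return base_domain(urlparse(url).hostname or "")

def find_red_flags(raw):
    """Return warnings for one message, applying the checks from the advice above."""
    msg = email.message_from_string(raw)
    flags = []
    sender = base_domain(parseaddr(msg["From"])[1].split("@")[-1])
    if sender not in TRUSTED_DOMAINS:
        flags.append(f"sender domain {sender} is not a trusted domain")
    if any(w in (msg["Subject"] or "").lower() for w in URGENCY_WORDS):
        flags.append("subject pressures you to act quickly")
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        text = text.strip()
        if "." in text and domain_of(text) != domain_of(href):
            flags.append(f"link shows {text} but goes to {domain_of(href)}")
    return flags

if __name__ == "__main__":
    for flag in find_red_flags(SAMPLE_EMAIL):
        print("WARNING:", flag)
```

Running it on the sample prints three warnings; the second link is left alone because its text and href agree on the domain.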
What can you do if you have already been scammed by a social engineer?
- Contact SwiftTech Solutions immediately for assistance. Call 877-794-3811 or email firstname.lastname@example.org.
- Call your bank and credit card companies to report any fraudulent charges.
- File a complaint with the Federal Trade Commission (FTC). Email your information to email@example.com.