Stay safe online – social engineering

If you’ve read our previous posts on choosing secure passwords and security best practices, you’re already well on your way to being safer online. However, there is one trick that scammers use to get past our defences that even the most clued-up users can fall for.

In this article, Dave explains social engineering techniques and how to avoid them.

What is social engineering?

Social engineering is a technique used by hackers to lure the unwitting user into doing something that compromises their security. It involves playing on our fallibility as human beings – our greed, laziness, vanity – and sometimes even our better traits such as sympathy or wanting to be helpful.

The story of the Trojan horse, made famous by the Greek epic poet Homer in The Odyssey, was one of the most ingenious social engineering tricks in the history of humankind. The Greeks fooled the Trojans by leaving a gift of a huge, ornately decorated wooden horse outside the gates of Troy. The Trojans obligingly dragged it inside the walls, unaware there was a phalanx of crack Greek troops hidden inside. Under cover of darkness, the Greeks sneaked out, murdered everyone and burned Troy to the ground. First lesson right there – be wary of free stuff!

This trick is so famous that there is now a class of malware called ‘Trojans’, which are applications or files that hide something more sinister within. Once the user clicks to open them, they’re done for!

This idea of hiding something nasty is the basis of what has become known as phishing (and more recently vishing or even smishing) attacks. I’ll cover these and how to spot them in a separate post, but for now, let’s consider some other techniques the social engineer might use.

Pretexting is possibly one of the most common forms of social engineering right now. An attacker calls you pretending to need some personal information in order to confirm your identity. A common scenario involves a scammer pretending to be from the victim’s bank and requesting personal information in order to continue the call.

Scareware plays on our emotions, and more specifically, fear. This type of attack is often a ‘pop up’ that tricks users into purchasing fake antivirus protection and other potentially dangerous software. It’s doubly insidious, as it disables any legitimate antivirus software while at the same time reducing the user’s trust in it. The user often uninstalls the legitimate software, leaving them open to even worse attacks.

Psychological Manipulation. Successful attacks play on our human emotions: fear, greed, obedience and helpfulness. Attacks may differ in their approach, but attackers know that by harnessing these emotions in the right way they can obtain the information they need swiftly and without detection.

The Trust Factor. There are certain people you can trust in life, such as friends, family and certain work colleagues. Attackers know this and will use this trust factor to manipulate you by sending malicious links or downloads from an email address that you trust.

Above all, most social engineering attacks have two things in common: confidence and plausibility. This page explores that in more detail with two mildly amusing real-life stories. This interesting case study from India shows how social engineering techniques can be used to gather data about you without you even knowing. In this case it was used for good (to catch another scammer), but it should give you pause for thought.

How do I avoid being socially engineered?

The answer is, it’s really hard. You have to be extra vigilant and set aside some of your more trusting nature. However, there are some things you can do.

Rule number 1 – and I can’t say this often enough – never reveal your passwords or login credentials to anyone! A legitimate person will be able to access your data without having to ask for them. You might be asked some security questions. That’s OK if you initiated the call or e-mail exchange, but if someone calls you out of the blue asking for them, they’re probably up to no good!

Rule number 2 – consider the source. A found USB stick isn’t necessarily a good find. It could be loaded with malware, just waiting to infect a computer. And a text or email from your bank isn’t necessarily from your bank. Spoofing a trusted source is relatively easy.

Rule number 3 – stop and think. It’s OK to say you’re not sure and that you need time to think. Politely hang up and say you’ll call back. If it’s an email, don’t click anything until you’ve followed rule number 4, which is:

Rule number 4 – do your research. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.

Rule number 5 – if it seems too good to be true, it probably is. Is a Nigerian prince really going to offer you large amounts of money? Probably not. But some people have fun stringing Nigerian princes along…

Rule number 6 – don’t overshare. We all love taking photos of our pets and family and sharing them on Facebook, but some of the stuff you share can be used against you. If someone knows the names of your pets, they can (if you’ve totally ignored everything you’ve read so far) use these to guess your password. Even if you’re not that daft, subtle details that you share on social media are the chink in your armour that they can use to get you. I’ll do a future post about safe social media use.

But for now, stay safe, be suspicious, be alert!