You’ve likely been overwhelmed with years of warnings about the importance of strong cybersecurity practices. Once the concern of IT departments alone, cybersecurity has become increasingly important in the last decade as our digital and offline lives have become entangled. As the boundaries blur, hackers look for opportunities both online and offline to steal valuable data. One method they use, which has grown in popularity and sophistication, is social engineering. Read on as we talk in detail about what social engineering is, how hackers use it to target victims online and offline, and what you can do to protect yourself.
What is social engineering?
Social engineering is, essentially, manipulating people in order to get sensitive information out of them. Hackers use it against either the victims themselves or the people who manage their data. The whole concept revolves around the idea that humans, not lines of code, are the weakest link in security systems. Although technology is hackable, continuous updates, patches and other security measures fortify systems frequently. The people who have access to those systems, however, don’t change much from year to year, and there’s no software update that stops someone with access to sensitive data from making the mistakes hackers take advantage of.
Usually social engineering takes the form of scams you might already be familiar with: phishing emails, fake phone calls and other forms of psychological manipulation. With more personal information available online and better tooling at their disposal, cybercriminals are launching more and more sophisticated social engineering scams at people and companies around the world. Depending on their objective, hackers can target individual victims directly or, if they have enough information and access, try to fool employees at a company to reach sensitive data on a large pool of potential victims at once, such as the hackers who tricked an employee at a tech company last year into handing over tax forms for a large percentage of its current and former employees.
How can I protect myself from social engineering?
Social engineering techniques differ based on who the target is, what information the hacker wants and the medium the hacker chooses for getting it. That said, there are warning signs that, if you pay attention to them, can alert you to a scammer trying to trick you. Here’s what you should be on the lookout for and how you can protect yourself.
Beware of pretexting. At the heart of most social engineering scams is “pretexting,” which is cybersecurity lingo for inventing a plausible story in order to obtain privileged data. From phishing to fake tech support, hackers create false pretenses to gain your trust and, with it, access to sensitive data. The best advice for dealing with these approaches is often said but bears repeating: be skeptical of offers that require you to give up sensitive information, and of unsolicited requests for personal information over a medium you cannot verify (such as a phone call or an email). Watch what you say to those who contact you on social media and instant messaging sites/apps, even if they appear to be people you know, since accounts get hijacked. Provide sensitive information only on a website you reached yourself (by typing the address or using your own bookmark) whose address bar shows the correct domain over HTTPS, or when you can be absolutely certain you are dealing with the right person. Keep in mind that HTTPS only means the connection to whatever site you are on is encrypted; phishing sites use HTTPS too, so it is the domain name, not the padlock, that tells you where you are. When in doubt, always take the time to double-check, whether that means looking closely at the sender and the links in an email you’ve received, or calling the person or business on a number you look up independently (not one supplied in the message) to confirm they truly reached out to you.
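The domain check described above is easy to get wrong by eye, because the tricks are designed to fool a quick glance. The following Python script is an added example, not code from the original article: it pulls out the host a browser would actually connect to and compares it with the domain a link claims to be, using the same parsing rule a browser applies (everything before an “@” is ignored, and only the end of the host name decides who owns it). The sample links use reserved .example names and are constructed for illustration, not real phishing addresses.

```python
from urllib.parse import urlsplit


def url_host(url):
    """Return the host a browser would actually connect to for `url`, lowercased.

    urlsplit() already handles the tricks phishers rely on: a trusted name placed in the
    userinfo part before '@', an explicit port, or a trusted name buried in the path.
    """
    parts = urlsplit(url.strip())
    return (parts.hostname or "").rstrip(".")  # .hostname is already lowercased


def punycode_labels(host):
    """Labels of the host that are internationalised ('xn--'), decoded so a human can see them.

    A domain spelled with look-alike letters from another alphabet reaches the wire in this
    'xn--' form; browsers may display it either way, so flag it rather than trust your eyes.
    """
    decoded = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                decoded.append(label.encode("ascii").decode("idna"))
            except UnicodeError:
                decoded.append(label)  # malformed punycode: keep the raw label, still suspicious
    return decoded


def belongs_to(url, expected_domain):
    """True only if `url` is HTTPS and its host is `expected_domain` or a subdomain of it."""
    if urlsplit(url.strip()).scheme.lower() != "https":
        return False
    host = url_host(url)
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def classify(url, expected_domain):
    """One-line verdict for a link that claims to lead to `expected_domain`."""
    if belongs_to(url, expected_domain):
        return "ok"
    if urlsplit(url.strip()).scheme.lower() != "https":
        return "not https"
    host = url_host(url)
    if punycode_labels(host):
        return "lookalike (internationalised domain)"
    if expected_domain.lower() in host:
        return "lookalike (trusted name inside another domain)"
    return "different domain"


# Constructed sample links (reserved .example names), not real phishing URLs.
SAMPLES = [
    "https://www.paypal.com/signin",
    "http://www.paypal.com/signin",
    "https://paypal.com.account-verify.example/login",
    "https://paypal.com@evil.example/",
    "https://evil.example/paypal.com/signin",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link, 'paypal.com'):48} {link}")
```

The third and fourth samples are the ones people fall for: the trusted name is right there at the start of the link, but the host that will receive your password is the one at the end. The check uses only the standard library, so it can be dropped into a mail filter or a browser extension as is.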
Don’t accept storage media from strangers. Studies have found that people are prone to picking up strange USB flash drives (also called USB drives, USB sticks or thumb drives) they’ve found lying around and plugging them in to see what they contain. This is great news for hackers, but bad news for the rest of us. The reason this is so dangerous is that USB drives, SD cards, CDs and any other insertable storage media can be infected with malware or even trigger hardware failure. A device that looks like a flash drive is not necessarily storage at all, either: the same connector can present itself to the computer as a keyboard and start typing commands the moment it is plugged in, so the danger is not limited to the files on it. Worse yet, notable companies such as Chrysler have sent critical updates to customers in the form of unsecured USB drives, which encourages the continuation of this practice. If you receive any type of storage media by mail or from a stranger (or if you find it on the ground), you should be highly suspicious. Even if you receive a USB or other type of storage device from a legitimate company, as in the Chrysler case, you should not simply take the claim that it’s safe at face value. If you absolutely need to access the data stored on the device, view the files on an isolated computer that holds nothing you care about and is not connected to your home network. Keep in mind, though, that even if a disk looks clean, it could still contain hidden malicious code. Unknown USB drives should either be turned in to a lost and found near where you picked them up, or simply disposed of or destroyed.
Properly dispose of old computers and devices. If hackers can’t trick you, they’ll try to trick the companies whose services you use. One way they do this is by stealing small pieces of personal information in order to assume your identity. Such information can often be found on discarded paper, like mail, or on old devices that have been tossed out. While it’s common knowledge that you should shred papers, people rarely talk about doing the same for old computers and devices, hard drives and other storage media. If you have an old computer, smartphone or data storage device you don’t want anymore, you should either physically destroy it or use software specifically designed to completely erase it: the device’s built-in secure erase or encrypted factory reset where one exists, or a dedicated wiping tool. Simply deleting files, even from the trash or recycle bin, doesn’t make the old data unreadable, because deletion only removes the file’s entry in the directory and leaves its contents on the disk until they happen to be overwritten. Tossing old devices into your trash can is not only environmentally irresponsible but opens you up to handing your sensitive data to strangers who pick through trash cans and landfills. You can learn how to safely dispose of your old electronics at the EPA’s website or by contacting your local computer repair shop.
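To make the difference between “delete” and “erase” concrete, here is an added Python example (not code from the original article) of what a file shredder actually does: it overwrites every byte of the file with random data, forces the write out to the device, shrinks the file to nothing and only then unlinks it, returning a small report so the caller can confirm the content really changed. The sample file contents are constructed for the demonstration. This is the right mental model for a traditional spinning disk; on SSDs and phone flash storage, wear levelling can send the overwrite to different physical cells, and copy-on-write filesystems, snapshots and backups keep older copies, which is exactly why the paragraph above recommends the device’s own secure erase or encrypted factory reset, or physical destruction, for a whole device.

```python
import os
import secrets
import tempfile


def wipe_file(path, passes=1, chunk_size=1024 * 1024):
    """Overwrite the file's bytes with random data, sync, shrink to zero length, then unlink.

    A normal delete only removes the directory entry and marks the blocks free; the bytes
    stay on the disk until something else happens to reuse them. Overwriting first is what
    'erase' software adds. Returns a report dict so the caller can check what happened.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        before = f.read(min(size, 4096))          # sample of the original content, for the report
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))   # random, not zeros: leaves no obvious 'wiped' pattern
                remaining -= n
            f.flush()
            os.fsync(f.fileno())                  # push the overwrite past the OS cache to the device
        f.seek(0)
        after = f.read(min(size, 4096))
        f.truncate(0)                             # the old length is metadata worth losing too
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return {
        "bytes_overwritten": size,
        "passes": passes,
        "content_changed": size == 0 or before != after,
        "removed": not os.path.exists(path),
    }


def make_sample_file(content):
    """Create a temporary file holding `content` (constructed test data) and return its path."""
    fd, path = tempfile.mkstemp(prefix="old-tax-form-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    # Constructed sample: the kind of record that ends up on a discarded hard drive.
    sample = make_sample_file(b"Name: A. Example\nSSN: 000-00-0000\n" * 200)
    print(wipe_file(sample, passes=2))
```

Run it on a copy of a file you do not need; the report’s content_changed field is the check that the overwrite landed before the unlink, and removed confirms the directory entry is gone. For a whole disk or an SSD, reach for the manufacturer’s secure-erase command or the operating system’s encrypted factory reset instead of a per-file tool.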
Beware of devices and networks that aren’t yours. The dangers of public Wi-Fi networks are well established. It isn’t just public Wi-Fi you should be wary of, however: using any device or network that isn’t yours can be risky, because you have no idea how it is configured. The owner, for example, could have things set up so that they can see activity on the device or network you use. This risk may be overstated when you connect to the Wi-Fi at a friend’s house or borrow a friend’s computer, but their network or device could have been hijacked without their knowledge to the same effect, so caution is still warranted. Likewise, be wary of those who ask to borrow or use your devices and networks. Even something as innocuous as letting a stranger borrow your phone to make a call could be disastrous, since giving someone access to your device can let them gather information that can be used to impersonate you or steal from you.
Make your security questions really difficult to answer. Short of contacting a customer service representative, for many online accounts security questions are one of the only ways to force a password or account reset. If the questions you choose or the answers you give are easily guessable (or can be found on Google or on your social media profiles), then your account could be compromised. Take care to safeguard the information these questions typically ask for, even seemingly inconsequential details such as the name of your first pet, or make a point of flat-out lying when answering them online: treat the answer like a second password, use something random that has nothing to do with the question, and store it in a password manager so you can still find it. Hackers bent on getting this information could easily use social engineering techniques either to guess your answers from common knowledge or to draw the information out of you by striking up a conversation.
Take advantage of two-factor authentication and other security notifications. In the end, even if you do everything to make sure your data is safe, sometimes hackers are just one step ahead, and the services you use may have undisclosed security vulnerabilities. Even security-conscious individuals like Naoki Hiroshima, who lost his prized Twitter handle, and software developer Eric Springer, whose Amazon account was compromised, have become victims of social engineering after hackers impersonated them in a customer support request. Social engineering is not only used against a victim to trick information out of them; it is also used to convince others (a support agent, say) that the hacker is the victim in order to get what they want. Activating two-factor authentication (2FA) on all of your accounts means a password alone, whether stolen, guessed or reset by a sweet-talked support agent, is not enough to log in, and turning on login and password-reset notifications means you are alerted the moment someone tries to get into your accounts by some underhanded route. Prefer an authenticator app or a hardware security key over codes sent by text message where you can, since a phone number can itself be taken over by social engineering the carrier. None of this will stop a truly determined hacker on its own, but it might be enough to give you a fighting chance at stopping them.
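For readers who want to see what the “code from your authenticator app” actually is, the following Python is an added example, not code from the original article or from any of the services mentioned. It implements the standard one-time-password algorithms that authenticator apps use (HOTP, RFC 4226, and its time-based variant TOTP, RFC 6238) with nothing but the standard library, plus the server-side verifier: a small time window for clock drift, a constant-time comparison, and a rule that a code which has already been accepted is never accepted again. That last rule is the part that matters for social engineering, since a code read out over the phone to a fake support agent is only useful to the attacker if the real service will still take it. The shared secret is the published RFC test secret, used here so the outputs can be checked against the RFC tables.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros: '005924' is a valid code


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side of 2FA: accept a code for the current step or a neighbour, but never twice."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window                 # steps of clock drift tolerated on either side
        self.last_used_counter = -1          # highest step whose code has already been accepted

    def verify(self, code, unix_time=None):
        if unix_time is None:
            unix_time = time.time()
        now = int(unix_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_used_counter:
                continue                     # replay: this step's code was already spent
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare, no timing leak
                self.last_used_counter = counter
                return True
        return False


# RFC 4226 / RFC 6238 test secret; a real account gets a random 20-byte secret from the service.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code right now:", totp(RFC_SECRET, time.time()))
    verifier = TotpVerifier(RFC_SECRET)
    first = totp(RFC_SECRET, 1111111111)
    print("first use accepted:", verifier.verify(first, 1111111111))   # True
    print("same code again:", verifier.verify(first, 1111111111))      # False, replay rejected
```

Two details worth noticing: the code is derived only from the secret and the clock, so anyone who phishes the code has a copy that is valid until the step expires, which is why the verifier refuses to accept a step twice; and the window is deliberately small, because every extra step a service accepts is another code an attacker can get a victim to read out “to confirm your identity.”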
Social engineering, like most hacking techniques, can be complex and varied. It’s not easy to stay on top of what’s happening in the world of cybersecurity, but you can keep reading our technology blog to stay ahead of the curve.