Social engineering is an old yet continuously growing field of hacking that exploits the human aspect of security. Social engineers can extract private or confidential information from unsuspecting targets by combining technical hacking skills with expert persuasion and manipulation.
This sinister approach creates an environment where individuals willingly expose personal data. Although social engineering is commonly employed to breach company defenses, high-profile individuals are also at risk.
The question is, how would you even know if you were being targeted? And more importantly, how can you protect yourself against these tactics?
Join us as we uncover the most common social engineering methods and empower you to safeguard your digital life against these sophisticated attacks. Don’t let the human element be your downfall. Take control and defend yourself against the unseen threats of the digital world.
What Is Social Engineering?
Amid the many underground hacking techniques, the common way social engineers prey on the ignorance of computer users at every level is through illusion and social manipulation.
Social engineering is an attack based on deceiving users or administrators at a target site. Attackers make fraudulent claims and requests credible by feeding employees enough detail about the organization (often more than a real request would need) to sound like an insider.
This can happen at a personal level, but it mostly happens in places of employment. Employees are a critical part of organizational security, so attackers target employees at every level.
Social engineering usually involves the following pretexts or techniques:
- It’s an urgent matter.
- A forgotten password.
- A computer virus or malware emergency.
- Any form of intimidation from “higher level management.”
- Name dropping to give the appearance the request is coming from authorized personnel.
- Straight up requesting passwords, serial numbers, brands, models, etc.
- Claims of affiliation through a subcontractor.
- Claims of being a journalist or broadcaster.
- Overly familiar greetings or flirtation from a stranger.
Now, let’s go into the more common types of social engineering so you can see these for what they are in the field.
8 Common Types of Social Engineering
There are several types of social engineering.
We’ll cover the top 8 here, starting with phishing.
1. Phishing
Phishing is the “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.”
Phishing is one of the most pervasive and prevalent social engineering attacks. Phishing comes in many forms, but you’ll most likely see it in email. Be sure to follow these best practices to avoid falling victim to phishing attacks:
- Check the sender’s address. Look at the actual email address, not just the display name, and make sure the message comes from where it claims to. Don’t interact with the message or reply if something looks wrong.
- Don’t click on unconfirmed links. When in doubt, do not click links! Your best bet is to go to the website directly or call the source using contact information you already have (not the information in the email).
- Don’t download attachments. You can’t rely on your email client, web service, or antivirus to catch everything. Do not open files or run executables from unknown sources!
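The sender and link checks above can be automated. The following script is an added example and is not code from the original article. It runs four checks over two constructed messages (the brand allowlist and every domain in the samples are assumed for illustration): a display name that borrows a brand the sending domain does not own, a sender domain that only looks like the brand once digit-for-letter swaps are undone, a Reply-To that routes replies elsewhere, and a link whose visible text and real target disagree.

```python
"""Flag common phishing tells in a raw email: a display name that borrows a
brand, a look-alike sender domain, a Reply-To that goes elsewhere, and links
whose visible text and real target disagree. Added example, not the article's."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages; every domain below is made up for the example.
SAMPLE_PHISH = """\
From: "PayPal Support" <security@paypa1-alerts.com>
Reply-To: billing@mail-recovery.net
To: victim@example.org
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Verify now:
<a href="http://login.paypa1-alerts.com/verify">https://www.paypal.com/signin</a>
</p></body></html>
"""
SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@example.org>
To: victim@example.org
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain; charset=utf-8

Email will be unavailable from 02:00 to 04:00. No action is required.
"""
# Assumed allowlist: brands worth protecting and their real registrable domains.
KNOWN_BRANDS = {"paypal.com", "microsoft.com", "example.org"}
# Digit-for-letter swaps attackers use so a domain still reads like the brand.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable(host):
    """Crude registrable domain: the last two labels (no public suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def imitated_brand(host):
    """Return the brand `host` imitates once homoglyphs are undone, else None."""
    base = registrable(host).translate(HOMOGLYPHS).replace("rn", "m")
    for brand in KNOWN_BRANDS:
        if base != brand and brand.split(".")[0] in base.split(".")[0]:
            return brand
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw):
    """Return human-readable findings for one raw message; empty means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, sender = parseaddr(str(msg.get("From", "")))
    from_dom = sender.rpartition("@")[2]
    # 1. Display name borrows a brand the sending domain does not belong to.
    for brand in KNOWN_BRANDS:
        if brand.split(".")[0] in display.lower() and registrable(from_dom) != brand:
            findings.append(f"display name '{display}' but sender domain {from_dom}")
    # 2. Sending domain is a look-alike of a known brand.
    brand = imitated_brand(from_dom)
    if brand:
        findings.append(f"sender domain {from_dom} imitates {brand}")
    # 3. Replies would go to a different domain than the one that "sent" it.
    reply_dom = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2]
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(f"Reply-To {reply_dom} differs from sender domain {from_dom}")
    # 4. Link text shows one host while the href really points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = re.search(r"https?://([^/\s]+)", text)
            real = urlparse(href).hostname or ""
            if shown and registrable(shown.group(1)) != registrable(real):
                findings.append(f"link text says {shown.group(1)} but goes to {real}")
    return findings
```

The registrable-domain helper simply takes the last two labels, which is wrong for suffixes such as co.uk; a production check would consult the public suffix list. A mail gateway enforcing SPF, DKIM and DMARC catches the header-level tells far more reliably than a client-side script; the value here is seeing what the tells look like in a real message.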
2. Social Media Fraud
Are you safe on social media? What type of information shows up about you when you search for yourself? How will you understand what other people see if you don’t check?
Don’t be surprised to find detailed information about you, such as:
- Location details
- Places you like or visit
- Your friends and family members
- Workplace or employment history
- Hobbies and interests
- and much more!
You may have more information out there than you originally intended. Furthermore, someone can try to become a friend or connection to collect information about you further.
Be sure to follow these best practices to avoid falling victim to social media fraud:
- Think before you post. Just because you can post about something, should you? Have you made sure your photo isn’t geotagged or showing someone or something that shouldn’t be readily identifiable? Fight the urge to overshare.
- Consider privacy settings. When did you last look at all of your social media privacy settings? They can change pretty fast. Review them to make sure the people you intend to see your information are the ones who can see it. Consider whether your overall profiles should be public.
- Clean up friends list. Were you picky about who you let in when trying to reach out and build your network? Consider going through your friends list and getting rid of some people you don’t know or no longer associate with.
- Prevent search engine indexing. Search engines keep cached copies of pages long after you tighten a setting, so go through your social media settings and disable search engine indexing of your profile. Most major social networks offer this option.
- Know who you are talking to. A form of social media fraud called “angler phishing” is ever popular: fraudsters impersonate customer service agents of real companies, often replying to public complaints, to trick people into divulging personal information.
3. Vishing
Vishing is phishing over the phone. This method of social engineering is surprisingly effective. Two scams in particular work well:
1. Fake Tech Support Calls
A common form of social engineering is someone pretending to be an authorized user or administrator in an attempt to gain illicit access to protected data systems. This is usually done over the phone, but it can be done in person.
The person has enough information to sound credible, and they ask the user for information that allows the hacker to access the desired system.
This is a very common example, so verify the identity of the person requesting information before releasing anything. A real IT department will not ask for your password or one-time codes over the phone.
2. Fake Bank Calls
Another common tactic is a call from an attacker pretending to be your bank or credit card servicer. The caller claims to have flagged unusual activity and says the bank needs to verify your personal details to resolve it.
The caller may quote real details about you to appear legitimate. Hang up and call the number printed on your card or statement; knowing your bank’s contact information and procedures makes this an easy confirmation.
Be sure to follow these best practices to avoid falling victim to vishing attacks:
- Verify the caller. If someone calls you requesting something, you should verify who they are, which department they work for, and why they are calling before even considering giving out personal information. You need to be confident that they are who they say they are.
- Have legitimate contact information. The best way to know you are dealing with a legitimate caller is to vet the name, number, and email with what you already know.
- Remain vigilant against manipulation. Regardless of how nice the person is over the phone or what kind of bind they say they are in, don’t overextend. Social engineers exploit your kinder side to bypass your usual skepticism, putting you at ease so that you are more willing to overshare.
4. Dumpster Diving
Dumpster diving is an old tactic still used today: a criminal goes through your trash to find anything they can about you. Confidential documents still arrive in the mail, and it is tempting to simply throw them away.
The better option is to make good use of your shredder. Make it difficult for those who wish to rifle through your garbage.
Be sure to follow these best practices to avoid falling victim to dumpster diving:
- Shred anything addressed to you. Anything that is not a generic solicitation should go through your shredder. This not only destroys the confidential material but also adds to the volume of paper scraps, making it harder to reconstruct any one document. Cross-cut shredders shred securely, but advances in AI-assisted reconstruction could help piece shreds back together, so make it as hard as you can.
- Opt for paperless statements. Where possible, switch to paperless statements to reduce what lands in your mailbox and the physical flow of information about you.
- Secure private documents. There are physical documents that you must keep. Keep your confidential information safe by securely storing them, making them inaccessible to those that may enter your home.
5. Typosquatting
Have you ever misspelled something while typing? Of course you have, especially when entering a website address. Criminals count on you to misspell company URLs and register domains matching those common misspellings.
When you get to these fake websites, you may think it’s real. Criminals use these fake sites to redirect unsuspecting users somewhere else or capture private information.
Be sure to follow these best practices to avoid falling victim to typosquatting:
- Pay attention to what you type in the address bar. When going to a website, ensure you type in the correct address. This attack is more common than you think.
- Bookmark frequently visited sites. If there are websites you frequent, go ahead and add them to your bookmarks. That’s what they are for. This will ensure you go to the correct site every time.
- Keep your browser up to date. Bad websites can exploit out of date browsers. Ensure your software, especially your browser, is current before browsing the Internet.
- Use a good antivirus and keep it up to date. Some typosquatting sites push malware or show a fake virus alert. Your antivirus should stop the former; either way, don’t fall for the latter.
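A bookmark list is effectively an allowlist, and the same idea can be checked programmatically. The following is an added example, not code from the original article: it builds the typo neighbourhood of each trusted domain (omitted, doubled, transposed and adjacent-key characters, look-alike digits, and common wrong endings) and reports which trusted site a typed hostname imitates. The trusted list and the keyboard map are assumed for illustration.

```python
"""Enumerate the typo neighbourhood of each trusted domain and report which
one a typed hostname imitates. Added example, not from the original article."""

# Assumed list of sites the user actually visits (think: their bookmarks).
TRUSTED = ["google.com", "paypal.com", "github.com"]

# Keys adjacent on a QWERTY layout; a slip of the finger hits one of these.
QWERTY = {
    "q": "wa", "w": "qesa", "e": "wrds", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "ol", "a": "qwsz", "s": "wedxza",
    "d": "erfcxs", "f": "rtgvcd", "g": "tyhbvf", "h": "yujnbg", "j": "uikmnh",
    "k": "iolmj", "l": "opk", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}
# Characters that read like the original at a glance.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv"}
# Endings people type by mistake or that squatters register alongside .com.
TLD_SWAPS = ["co", "cm", "om", "net", "org"]


def typo_variants(domain):
    """Return the set of hostnames one plausible typo away from `domain`."""
    name, _, tld = domain.lower().rpartition(".")
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                 # omission:      gogle
        out.add(name[:i] + ch + name[i:])                # doubled key:   gooogle
        if i + 1 < len(name):                            # transposition: googel
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for near in QWERTY.get(ch, ""):
            out.add(name[:i] + near + name[i + 1:])      # wrong key:     goigle
            out.add(name[:i] + near + name[i:])          # extra key:     goiogle
        if ch in HOMOGLYPHS:
            out.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])  # one swap:  g0ogle
            out.add(name.replace(ch, HOMOGLYPHS[ch]))          # all swaps: g00gle
    variants = {v + "." + tld for v in out if v and v != name}
    variants |= {name + "." + t for t in TLD_SWAPS if t != tld}  # google.co
    return variants


def typosquat_target(typed):
    """Return the trusted domain `typed` imitates, or None if exact or unknown."""
    host = typed.lower().strip().rstrip("/")
    if host.startswith("www."):
        host = host[4:]
    if host in TRUSTED:
        return None
    for trusted in TRUSTED:
        if host in typo_variants(trusted):
            return trusted
    return None
```

Defenders run the same generator in the other direction: enumerating a brand’s own typo neighbourhood and registering or monitoring it (tools such as dnstwist automate this) is how organizations find squatted domains before their users land on them.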
6. Baiting
In this attack, the attacker leaves infected portable media (typically USB drives) lying around and waits for an unsuspecting user to pick one up, plug it into their device, and open what is on it.
That is where the infection starts. This tactic is surprisingly effective.
Be sure to follow these best practices to avoid falling victim to baiting attacks:
- Don’t pick up random storage devices. Seeing what’s on a USB drive lying around may be tempting. Or you may have good intentions to get it back to its owner. But don’t. That’s what the bad guys want you to do.
- Use a good antivirus and keep it up to date. As before, make sure you have another line of defense if, for some reason, you plug in an unknown storage device anyway. Understand that you are taking a considerable risk: antivirus can be evaded or temporarily disabled, and a malicious device that presents itself to the computer as a keyboard rather than as storage is not something a file scanner will catch.
7. Shoulder Surfing
Shoulder surfing is more of an insider form of social engineering. Usually, the person doing the shoulder surfing is an authorized user or employee, but this person stands over the shoulder of the target user to see the user’s password or other sensitive data by watching keystrokes or reading clear text on the computer screen.
Be sure to follow these best practices to avoid falling victim to shoulder surfing:
- Position computer screens and keyboards properly. Make sure computer screens and keyboards are not within the eyesight of common walking areas.
- Use a privacy screen where applicable. In cases of working with sensitive information, use privacy screens to make it harder for those standing adjacent to you to see your screen.
- Question people who are standing around. If someone looks suspicious, question them. Don’t be uncomfortable. If you see something, you should say something.
8. Tailgating
This attack is often directed at companies: the attacker poses as an employee, a consultant, or an auditor to gain entry to a physical space by following (tailgating) an authorized person through a secured door.
A little confidence can take the attacker a long way. Be sure to follow these best practices to avoid falling victim to tailgating:
- Be aware of who is around you. If someone is trying to gain access through tailgating, they won’t stand out. Therefore, you should watch for those you don’t recognize.
- Make sure your badge or keycard is on you. Ensure your identification or access card is always on your person. Don’t lose track of it.
- Don’t be afraid to question people. Similarly to the last attack, don’t be afraid to question someone you don’t know. A tailgater is trying to learn about your company or gain access. Ask them if they need help. More often than not, a social engineer will shy away from prying questions and may even give up on their attack.
Other Ways to Mitigate Damage From Social Engineering
Despite your best efforts, chances are high that you will eventually fall for a social engineering attempt. Scams look different out in the wild, and the convincing ones coincide with events, accounts, or services that actually pertain to you.
Therefore, you need to improve your security posture through defense in depth, meaning you need to be secure in multiple areas simultaneously for the best coverage. As you evaluate your security and risk tolerance, be sure to perform the following tasks:
- Lock down your email. If you forget your password, how do you reset it? Usually, by email! Your email is the gateway to all of your accounts. Protect your email as best as possible, especially if you use a single email for all your accounts.
- Use different usernames and passwords. If you can choose your username, use something unique, but create a different password for each account. Make sure these passwords are strong. Use a password manager to help you.
- Use MFA. Additional authentication makes it harder for thieves to get into your account if your username and password are compromised. It’s not foolproof, but it definitely helps.
- Get creative with security questions. Security questions are standardized and often answerable from public information, so treat the answers as secondary passwords: give a false or random answer that nobody could guess even if they know the true one, and store it in your password manager.
- Safeguard your credit cards. Credit cards are the safest way to pay online and far superior to debit cards, because a disputed charge does not come out of your bank balance while it is investigated. Do not store your credit card information in too many databases, and shop only at reputable sites. You can further mask your card number by using a virtual card service or the disposable or virtual card numbers offered by issuers such as Bank of America, Citibank, and Discover.
- Monitor your accounts and data. Check your accounts regularly to keep tabs on your finances and look for suspicious charges. You can also enroll in services such as free personal information monitoring, credit monitoring, charge monitoring (Bill Guard), and identity theft monitoring. You can even use Google Alerts as an identity theft watchdog.
- Remove personal data from public databases. There are people finder databases that aggregate personal and public information and publish it on their sites. Oh, and this is somehow completely legal. Some collected personal information includes names, addresses, family members, employment information, date of birth, and phone numbers. Remove yourself from these lists by opting out of each database or using a service like Delete Me.
- Regularly back up files and test restores. Computers and storage devices fail, and data is also lost to theft, corruption, accidental deletion, and ransomware. Maintain backups of your files and memories, and verify that you can actually restore from them, before it’s too late.
Social Engineering Conclusion
As you can see, social engineering relies on our gullibility and the limited information we use to verify people’s identities. Attackers can get into accounts through lax company procedures, requiring minimal effort to get information on you.
That’s why defending against the human element in cybersecurity is imperative. Technical controls, while necessary, are not enough. Embrace skepticism and remain vigilant.
Never give out confidential, or seemingly non-confidential, information about you or your company, whether over the phone, online, or in person, unless you can first verify the identity of the person asking and their need for that information.
You’ve seen the “art of human hacking,” but we also implore you to check out EnterpriseITPlanet’s AntiOnline forums since they have many more examples of social engineering attacks.
If anyone detects a social engineering attempt or the requester’s identity CANNOT be promptly verified, the person MUST immediately contact his/her supervisor or direct manager.
If the attempt is a personal social engineering attack or the organization’s security policy mandates it, the requester’s call, conversation, email, or online chat must be terminated immediately. Report the attack through proper channels and maintain awareness.
What are some ways you protect yourself against social engineering?
Security Tip (ST04-014) Avoiding Social Engineering and Phishing Attacks at US-CERT