Examples & Prevention Tips

Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or to access your computer to secretly install malicious software that will give them access to your passwords and bank information as well as giving them control over your computer.

Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is really weak).

Security is all about knowing who and what to trust. It is important to know when and when not to take a person at their word and when the person you are communicating with is who they say they are. The same is true of online interactions and website usage: when do you trust that the website you are using is legitimate or is safe to provide your information?

Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn’t matter how many locks and deadbolts are on your doors and windows, or if you have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and you let him in without first checking to see if he is legitimate, you are completely exposed to whatever risk he represents.

If a criminal manages to hack or socially engineer one person’s email password they have access to that person’s contact list, and because most people use one password everywhere, they probably have access to that person’s social networking contacts as well. Once the criminal has that email account under their control, they send emails to all the person’s contacts or leave messages on all their friends’ social pages, and possibly on the pages of the person’s friends’ friends. Taking advantage of your trust and curiosity, these messages will:

Email from another trusted source

Phishing attacks are a subset of social engineering strategies that imitate a trusted source and concoct a seemingly logical scenario for handing over login credentials or other sensitive personal data. According to Webroot data, financial institutions represent the vast majority of impersonated companies and, according to Verizon's annual Data Breach Investigations Report, social engineering attacks including phishing and pretexting (see below) are responsible for 93% of successful data breaches. Using a compelling story or pretext, these messages may:

Baiting scenarios

These social engineering schemes know that if you dangle something people want, many people will take the bait. These schemes are often found on Peer-to-Peer sites offering a download of something like a hot new movie, or music. But the schemes are also found on social networking sites, malicious websites you find through search results, and so on. Or, the scheme may show up as an amazingly great deal on classified sites, auction sites, etc. To allay your suspicion, you can see the seller has a good rating (all planned and crafted ahead of time). People who take the bait may be infected with malicious software that can generate any number of new exploits against themselves and their contacts, may lose their money without receiving their purchased item, and, if they were foolish enough to pay with a check, may find their bank account empty.

Response to a question you never had

Criminals may pretend to be responding to your 'request for help' from a company while also offering more help. They pick companies that millions of people use such as a software company or bank. If you don’t use the product or service, you will ignore the email, phone call, or message, but if you do happen to use the service, there is a good chance you will respond because you probably do want help with a problem. For example, even though you know you didn’t originally ask a question, you probably have a problem with your computer’s operating system and you seize on this opportunity to get it fixed. For free! The moment you respond you have bought the crook’s story, given them your trust and opened yourself up for exploitation.

The representative, who is actually a criminal, will need to 'authenticate you', have you log into 'their system' or have you log into your computer and either give them remote access to your computer so they can 'fix' it for you, or tell you the commands so you can fix it yourself with their help, where some of the commands they tell you to enter will open a way for the criminal to get back into your computer later.

Creating distrust

Some social engineering is all about creating distrust, or starting conflicts; these are often carried out by people you know and who are angry with you, but it is also done by nasty people just trying to wreak havoc, people who want to first create distrust in your mind about others so they can then step in as a hero and gain your trust, or by extortionists who want to manipulate information and then threaten you with disclosure. This form of social engineering often begins by gaining access to an email account or another communication account on an IM client, social network, chat, forum, etc. They accomplish this either by hacking, social engineering, or simply guessing really weak passwords.

There are literally thousands of variations to social engineering attacks. The only limit to the number of ways they can socially engineer users through this kind of exploit is the criminal’s imagination. And you may experience multiple forms of exploits in a single attack. Then the criminal is likely to sell your information to others so they too can run their exploits against you, your friends, your friends’ friends, and so on as criminals leverage people’s misplaced trust.

Don’t become a victim

While phishing attacks are rampant, short-lived, and need only a few users to take the bait for a successful campaign, there are methods for protecting yourself. Most don't require much more than simply paying attention to the details in front of you. Keep the following in mind to avoid being phished yourself.

Tips to Remember:
Ways to Protect Yourself:

Webroot's threat database has more than 600 million domains and 27 billion URLs categorized to protect users against web-based threats. The threat intelligence backing all of our products helps you use the web securely, and our mobile security solutions offer secure web browsing to prevent successful phishing attacks. Find the right cybersecurity solution for you.

What are some ways you can protect yourself against a social engineering attack?

Five Ways to Protect Yourself:
- Delete any request for personal information or passwords. Nobody should be contacting you for your personal information via email unsolicitedly. ...
- Reject requests for help or offers of help. ...
- Set your spam filters to high. ...
- Secure your devices. ...
- Always be mindful of risks.

Can you protect yourself from social engineering?

However, the best way to protect yourself from social engineering is to know who you can trust and be trustworthy yourself. You need to identify anyone who might gain access to your account or may influence it and ensure they have a good reason for doing so.

How can you help yourself to protect against most social engineering attacks taking place in the digital realm?

Social engineering prevention:
- Don't open emails and attachments from suspicious sources – If you don't know the sender in question, you don't need to answer an email. ...
- Use multifactor authentication – One of the most valuable pieces of information attackers seek is user credentials.

What is the most effective way of preventing social engineering attacks?

Implementing multi-factor authentication such as two-factor authentication, which needs another factor other than username and password to enable access, can increase the chances of preventing social engineering tactics before their completion.