SOCIAL ENGINEERING | 10 MIN READ
It’s a phrase you may have heard in the news or read online. You may have associated it with governments shaping how whole populations behave (the older, sociological sense of the term), but there is a version of social engineering that is far more immediate and prevalent: the one aimed at anyone with an email address or a phone number.
In this article, we will answer the question of ‘What is Social Engineering’ from the standpoint of how it affects all of our digitally connected lives and guide you toward solutions that avoid it in your personal and work life.
We are in the business of helping people, and we get asked this question often, so we decided to create a comprehensive article to assist our customers and those who are actively educating themselves on this evolving threat.
The online dictionary refers to social engineering as:
"The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes."
Well… that’s it! If all you needed was a textbook definition, you can stop here. But if you're interested in the forms this tactic takes, and what to do about each of them, keep reading.
Not a lot of time? Skip to: How to Prevent Social Engineering
What is Social Engineering?
The definition above tells us what social engineering attempts to accomplish, but you might be wondering who uses it in the first place. If you answered “hackers,” you’re correct, although “attackers” is the more accurate word: no technical skill is needed, because the target is the person, not the software. (The penetration testers a company hires to test its own staff use exactly the same tricks, with permission.) For most attackers the goal is simple: to obtain credentials, money or sensitive information that doesn't belong to them.
In many cases, if they succeed, the result is a ransom demand: the attacker encrypts your company’s data, or threatens to publish what was stolen, and offers to undo the damage for a price. This leaves business leaders in the precarious position of choosing between paying a hefty sum to recover information that was left unguarded, or losing that data (and, if there are no backups, possibly the business).
READ: How Does Ransomware Work?
Types of Social Engineering
Phishing: The most common form of social engineering is phishing. Here, attackers send emails disguised as coming from a trusted source: a bank, a delivery service, a cloud provider, or your own IT department. Within the email are links whose visible text looks reputable but whose real destination is a site the attacker controls.
When a victim clicks one of these links, one of two things usually happens. Either they land on a copy of a familiar login page and type their password into it (credential harvesting, the most common outcome), or a file is downloaded that, once opened, installs malware, typically to steal data or to encrypt valuable files so they can't be accessed without the attacker’s key.
These emails can look extremely convincing, but the general rule is: if you aren’t expecting an email, or it is out of character for the sender, do not click any of its links (no matter how tempting pushing that “red button” might be)! Hover over a link (or long-press it on a phone) to see the real address before deciding, and when you genuinely need to act, type the organisation’s address into your browser yourself rather than following the link.
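The two checks described above (does the link’s visible text match where it really goes, and does the real destination impersonate a brand) can be automated. The script below is an added example, not code from the original article or from SOS; it runs on a constructed HTML snippet, and the `TRUSTED` allow-list and the two-edit typosquat threshold are assumptions you would tune for your own organisation.

```python
"""Flag suspicious links in an HTML email body (added example, not the article's own code).

Checks, per <a> tag:
  1. the visible text names one domain but the href goes to another
  2. a trusted brand name is buried inside an unrelated host (paypal.com.evil.example)
     or the registrable domain is within a small edit distance of it (paypa1.com)
  3. the host is punycode (xn--), which hides lookalike characters
  4. the host is a bare IP address
The sample HTML and the TRUSTED list below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: registrable domain -> brand name the company expects mail from.
TRUSTED = {"example-bank.com": "Example Bank", "paypal.com": "PayPal"}
TYPOSQUAT_THRESHOLD = 2  # assumed; crude for very short brand names


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification: last two labels. A real tool should use the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_link(href, text):
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return [f"non-web scheme {parsed.scheme!r}"]
    dest = registrable_domain(host)
    # 1. visible text looks like a domain/URL but points elsewhere
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != dest:
        findings.append(f"text says {m.group(1)} but href goes to {host}")
    # 2. brand buried in a foreign host, or a near-miss spelling of the brand domain
    for domain, brand in TRUSTED.items():
        if dest == domain:
            continue
        token = domain.split(".")[0]
        if token in host:
            findings.append(f"{brand} lookalike host {host}")
        elif edit_distance(dest.split(".")[0], token) <= TYPOSQUAT_THRESHOLD:
            findings.append(f"typosquat of {domain}: {host}")
    # 3. punycode hides homoglyphs (a Cyrillic 'a' in place of a Latin one, etc.)
    if "xn--" in host:
        findings.append(f"punycode host {host}")
    # 4. bare IP addresses are almost never how a bank links to itself
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append(f"raw IP address {host}")
    return findings


def scan_html(html):
    """Return {href: [findings]} for every link in the HTML body."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyze_link(href, text) for href, text in parser.links}


# Constructed sample body: one mismatched link, one clean link, one raw IP, one punycode host.
SAMPLE_HTML = """
<p>Your account is locked. <a href="https://paypal.com.account-verify.example/login">https://www.paypal.com/</a></p>
<p>Statement: <a href="https://example-bank.com/statements">View statement</a></p>
<p><a href="http://203.0.113.7/update.exe">Download security update</a></p>
<p><a href="https://xn--pypal-4ve.com/">PayPal support</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan_html(SAMPLE_HTML).items():
        print(href, "->", findings or "ok")
```

The edit-distance check is deliberately crude: with a two-character threshold, short brand names will collide with unrelated domains, so in practice you would keep the threshold per brand and pair this with a reputation lookup. None of these checks replaces the human rule above; they just make the mismatch visible.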
The Friendly Email: It seems each week a friend sends out a mass message on social media saying that their account has been hacked and not to open any links from them until they regain access. The same thing happens with email accounts.
Attackers get into a victim’s email account by obtaining their password, usually through phishing, a password reused from a site that was breached, or simple guessing. From there, the attacker sends mail to the victim’s contacts encouraging them to click a link or open a file. This is particularly effective because people trust their friends and rarely think twice about an email that arrives from a friend’s real address.
The result is the same as phishing: more compromised accounts and computers. Always be cautious about clicking a link directly from an email (especially if the friend doesn’t usually send you emails). If I am unsure, I often copy and paste the questionable link into a search engine (like Google) and see what website is found.
Responding to An Email You Never Sent: Have you ever received a reply to an email you don’t remember sending? It’s possible you simply forgot what you wrote (and that they took a very long time to respond), but it’s also possible that you are being targeted.
This technique looks innocent because it makes the victim think: “It can’t be bad if I am the one who sent the original email, right?” But “Re:” in a subject line costs the attacker nothing to type, and the subject alone can’t distinguish a forged reply from a real one. A good rule of thumb: if you can’t remember sending the email, proceed with caution.
Simply opening an email is generally safe as long as your mail client doesn’t run scripts and is set to block remote content: reading it doesn’t hand anything over. Two caveats, though. Letting the client load remote images confirms to the sender that your address is live, and clicking anything, including pictures and “unsubscribe” links, can take you to a malicious site or start a download. So if you read the email and can’t remember anything about what the person is talking about, do not click on anything; if it claims to be a work thread, check with the supposed sender through a channel you already trust.
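A genuine reply to a message you sent carries In-Reply-To and References headers pointing at a Message-ID your own mail server issued; a forged “reply” usually has only the “Re:” in the subject. The script below is an added example, not code from the original article or from SOS. It parses two constructed messages with the standard `email` module and reports the missing or inconsistent signals; `YOUR_DOMAIN` and the sample addresses are assumed placeholders.

```python
"""Triage the headers of a suspicious "reply" (added example, not the article's own code).

Signals checked:
  - subject starts with "Re:" but there is no In-Reply-To / References header
  - In-Reply-To points at a Message-ID that our own domain never issued
  - Reply-To domain differs from the From domain (answers go somewhere else)
  - the receiving server's Authentication-Results recorded spf/dkim/dmarc failures
Both messages below are constructed; YOUR_DOMAIN is a hypothetical placeholder.
"""
from email import message_from_string
from email.utils import parseaddr

YOUR_DOMAIN = "example.com"  # assumed: the domain whose outbound Message-IDs we recognise


def triage_reply(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    subject = (msg.get("Subject") or "").strip().lower()
    in_reply_to = (msg.get("In-Reply-To") or "").strip()
    references = (msg.get("References") or "").strip()
    if subject.startswith("re:") and not (in_reply_to or references):
        findings.append("subject says Re: but no In-Reply-To/References header")

    # A real reply to our mail references a Message-ID of the form <...@our-domain>.
    if in_reply_to and not in_reply_to.strip("<>").lower().endswith("@" + YOUR_DOMAIN):
        findings.append(f"In-Reply-To {in_reply_to} is not a message from {YOUR_DOMAIN}")

    from_addr = parseaddr(msg.get("From") or "")[1].lower()
    reply_to = parseaddr(msg.get("Reply-To") or "")[1].lower()
    if reply_to and reply_to.split("@")[-1] != from_addr.split("@")[-1]:
        findings.append(f"Reply-To {reply_to} is a different domain than From {from_addr}")

    # Authentication-Results is stamped by the receiving MTA, not by the sender.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed at our mail server")
    return findings


# Constructed: a cold "reply" with a redirected Reply-To that failed SPF and DMARC.
FORGED_REPLY = """\
From: "Accounts Payable" <ap@invoice-portal.example>
Reply-To: "Accounts Payable" <ap@mail-drop.example>
To: alice@example.com
Subject: Re: Invoice 4471 payment
Message-ID: <a1b2c3@invoice-portal.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=invoice-portal.example; dmarc=fail
Content-Type: text/plain

Hi Alice, as discussed, please see the updated bank details attached.
"""

# Constructed: a real reply that threads onto a Message-ID issued by example.com.
GENUINE_REPLY = """\
From: Bob <bob@partner.example>
To: alice@example.com
Subject: Re: Invoice 4471 payment
Message-ID: <xyz@partner.example>
In-Reply-To: <20240301.1200.alice@example.com>
References: <20240301.1200.alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.example; dmarc=pass
Content-Type: text/plain

Thanks Alice, received.
"""

if __name__ == "__main__":
    for label, raw in (("forged", FORGED_REPLY), ("genuine", GENUINE_REPLY)):
        print(label, "->", triage_reply(raw) or "no findings")
```

These checks catch lazy forgeries. They do not catch a reply-chain hijack, where an attacker who has taken over a partner’s mailbox answers inside a real thread: that message carries genuine threading headers and passes SPF and DKIM, which is why an unexpected change of bank details or an urgent attachment still warrants a phone call to the person on a number you already have.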
Baiting: Imagine walking up to your office copier and finding a flash drive sitting on it. Flash drives hold information that someone in your company would probably like back. Being the good person you are, you plug it into your computer to look at the contents for clues about who the owner could be.
What you don’t realize is that the drive carries malware (or isn’t a storage device at all, but a small computer that types commands the moment it is plugged in), and an attacker now has a foothold on your network. Baiting is when an attacker leaves an item where it is sure to be found and leverages human curiosity to get onto a company’s network or a victim’s computer. The right move with a found drive is to hand it to IT, unplugged.
Vishing: Voice phishing, where an attacker impersonates someone (your bank, a vendor, the IT help desk) over the phone to extract personal information or get you to take an action. It can be very convincing because the caller will often know just enough about you to sound legitimate, and the number shown on caller ID is easily spoofed. If a call asks for a password, payment details or a verification code, hang up and call the organisation back on a number you look up yourself.
Rogue: This form of social engineering could easily be coined “impostor,” and it is usually called scareware or rogue antivirus. An attacker creates a program, or simply a web page, that makes you think your computer has been infected. The victim is then tricked into paying for the “removal” of malware that was never on the computer.
In another version, once you believe your computer is infected, an antivirus “solution” conveniently pops up to fix the problem. When you click to download it, you install the malware. Clever, right?
This often takes the form of a web page styled to look like your antivirus software has detected a threat, complete with animated graphics of a “scan” in progress, a countdown, or a phone number to call. A web page cannot scan your disk, and real antivirus products don’t report infections through your browser, so close the tab and run a scan from the product you actually installed.
How to Prevent Social Engineering
There are services that will train you and your company to recognise phishing and other social engineering techniques. Running simulated phishing tests each quarter is a hands-on way to prepare people before a real attack happens. Remember, the best antivirus program in the world can’t stop an employee from handing over a password or approving a fake invoice.
If your business isn’t in the position to do this now, follow the advice below and share this article with your coworkers to better educate them on the threats of social engineering and how to avoid them.
In-House Social Engineering Prevention Tips:
- Pause. Before acting on an email (and especially before clicking a link), think about the source and what it asks of you. Requests for your social security number, a password, a verification code or a wire transfer are almost always attempts to gain information or money; a legitimate organisation won’t ask for your password by email.
- When in doubt, copy the link. Hover over it (or long-press on a phone) to reveal the real destination and read the domain carefully. You can also research a link by pasting the domain into a search engine (not your browser’s address bar), leaving off the rest of the URL, which may contain a token that identifies you. Just make sure not to accidentally click the link while you are copying it!
- Stay away from downloads. If an unexpected email asks you to download something, DO NOT download it. Attachments are as dangerous as links: a document that asks you to “enable content” or “enable macros” is asking permission to run the attacker’s code.
- Be vigilant about requests for help. I had a friend send a message out to everyone on her social media account asking for money. This seemed strange, so I contacted her directly, and sure enough, she had been hacked. It’s always worth taking the time to send a separate email or phone call directly to the person in question when you aren’t sure. If they did get hacked, your friend will appreciate knowing that, too.
- Beware of the Nigerian Prince. You may have heard of or experienced this popular scam, known as advance-fee fraud (or a “419” scam, after the section of Nigeria’s criminal code). Essentially, someone from another country contacts you via email with the offer of millions in return for your generosity of $1,000 up front. To this day, I have never met a person who was actually paid by that Nigerian prince (who is apparently always needing $1,000).
Antivirus software, firewalls (virtual or physical), email filters and multi-factor authentication are all useful tools to protect your information, but treat them as a second line of defence: the back-ups for the moment someone slips up and clicks one of those links. Multi-factor authentication in particular limits what a stolen password is worth. Make sure your antivirus and anti-spyware software has automatic updates turned on, or set a reminder on another device to update manually.
At SOS, we speak with businesses daily that are attacked by malicious software. More often than not, an employee clicked a link they shouldn't have and unintentionally unleashed a payload of malware into their network.
Managed IT services can help prevent these very preventable incidents, but many owners feel they are too small to be a worthwhile target. Unfortunately for them, attackers know this and often target small businesses over large ones precisely because smaller companies tend to have weaker defences and less monitoring, and much of the targeting is automated: a phishing campaign costs the same to send to a thousand small companies as to one large one.
The payout per victim may be smaller, but the time invested is worth their effort. The more unfortunate fact, by a commonly quoted estimate, is that over half of the small businesses that experience a data breach never recover.
The information in this article is just the surface of the ever-growing hacking threats that plague companies and individuals, alike. The articles listed below will give you additional insight into the details of the threats that are out there, as well as how to prevent becoming a victim.
Want to Learn More?
Posted by Daniel Gray
Daniel has a passion for educating and helping people and has spent over a decade in the education and office technology industries. He has a Bachelor's in Education from the University of West Georgia and an MBA from the University of Georgia. Daniel has been the lead blogger at SOS since 2017 and specializes in managed IT services, copiers and printers, and business phone systems. He lives in Atlanta and has a goofy greyhound named Ticker.