Most people think cyber-attackers use elaborate techniques and cutting-edge technology to “hack” (or trick) people into divulging their sensitive data or downloading the attacker’s malicious software (malware) onto their devices. Truth be told, most cyber-attackers have learned that the easiest way to steal your information, hack your accounts, or infect your systems is simply to trick you into doing it for them, using a technique called social engineering.
What is Social Engineering?
Social engineering is the psychological manipulation of a victim to get them to do something they shouldn’t. Think of scammers as con artists; it is the same idea. However, today’s technology makes it much easier for an attacker, who could be anywhere in the world, to pretend to be anyone or anything they want.
Different Social Engineering Methods
Today’s cybercriminal has a number of tools at their disposal, and they may vary their attacks based on what they think will work best. The three methods covered here are Phishing, Pretext Phone Calling, and Physical Breach Attempts.
Phishing is when a cybercriminal uses an email to trick someone into opening an infected email attachment, clicking on a malicious link, or giving up sensitive information. Spear Phishing emails are highly customized, targeted attacks: the attacker has done research on you (or the organization you work for) and has included that information in the email to add to their credibility. Lastly, attackers may impersonate a high-level employee within your company, which is called Masquerading or CEO Fraud.
Learning to spot phishing emails does not have to be difficult; there are a number of warning signs you should look for:
- Grammatical errors or misspellings in the email;
- A questionable “From” email address, or a sender you do not recognize;
- Questionable links embedded in the email;
- Content that plays on base emotions;
- Content that plays on natural curiosity;
- A questionable subject line;
- A body that is not addressed to you directly, e.g. “Dear Customer”;
- A threat to discontinue or interrupt services;
- Promises of awards or prizes.
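Several of the warning signs in this list can be checked mechanically. The following is an added example, not code from the original article; the trusted-domain set, the keyword lists, and the sample message are all assumptions constructed for the demonstration.

```python
import re
from email import message_from_string

# Keyword lists and the trusted-domain set are assumptions for this example.
URGENCY = ("right away", "immediately", "within 24 hours", "will be suspended",
           "discontinue", "interrupt")
PRIZES = ("prize", "award", "winner", "congratulations")
GENERIC = ("dear customer", "dear user", "dear account holder")
TRUSTED = {"mycapecodbank.com"}
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)

def domain_of(s: str) -> str:
    """Return the lowercase host part of an address or URL, or '' if none."""
    m = re.search(r"(?:@|://)([\w.-]+)", s)
    return m.group(1).lower() if m else ""

def phishing_flags(raw: str) -> list[str]:
    """Map one RFC 822 message onto the warning signs from the checklist."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    flags = []
    if domain_of(msg.get("From", "")) not in TRUSTED:
        flags.append("unrecognized sender")
    for href, label in ANCHOR.findall(body):
        # Displayed link text names one site, the real destination is another.
        if domain_of(label) and domain_of(label) != domain_of(href):
            flags.append("link text does not match destination")
    if any(g in text for g in GENERIC):
        flags.append("generic greeting")
    if any(u in text for u in URGENCY):
        flags.append("threat of service interruption / urgency")
    if any(p in text for p in PRIZES):
        flags.append("promise of award or prize")
    return flags

# Constructed sample message for demonstration (not a real email).
SAMPLE = """\
From: Account Security <alerts@mycapecodbank-secure.example>
Subject: Your account will be suspended
Content-Type: text/html

Dear Customer,<br>
Verify your details right away at
<a href="http://login.example.net/verify">https://mycapecodbank.com/login</a>
or online banking will be discontinued.
"""

if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE):
        print("-", flag)
```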
Pretext Phone Calling or Vishing is when a cybercriminal contacts you via telephone while impersonating someone else, like a government agency, an online retailer, or even a family member.
For example, you receive a phone call from someone claiming to be from the IRS, informing you that your taxes are overdue and that if you do not pay right away you will be fined or arrested. Callers use a sense of urgency, threats, or promises of awards or prizes to get either money or personal information from you.
Neither Phishing nor Pretext Phone Calling is limited to email or phone calls; these attacks can happen in any form, including text message, social media, or even in person. A good rule of thumb is to never divulge account numbers or personal information unless you are the person who initiated the call.
Physical Breach Attacks are when the cybercriminal physically attempts to gain access to sensitive documents, your computer, or your computer network. An example is a purported technician or utility worker who arrives unannounced and tells you they are there to investigate or fix a problem with a utility or service you subscribe to. Dumpster Diving is when a criminal goes through trash looking for discarded documents that may contain sensitive information. It is important to shred documents like credit card statements, bank statements, or anything else that contains sensitive information.
In closing, take it upon yourself to get educated on Social Engineering and stay informed about the latest events and themes criminals are using to trick people. If you suspect someone is trying to trick or fool you, do not communicate with the person, and block them from calling or emailing you. Remember, common sense is your best defense.
Paul Forni is a Vice President, Information Security and Red Flag Officer, with The Cooperative Bank of Cape Cod. Learn more at mycapecodbank.com and 508.568.3400.
Member FDIC. Member DIF.