“Congratulations! You have just won $1000. Click here to claim your prize!” is a line you have probably seen in your spam folder or in your text messages. When you click these links it will take you no where or even just refresh the page, but what really happens when you click? When you click these links, potential malicious software will be installed on your computer without your consent or knowledge. The malicious software could range from a keylogger to even a rootkit.
This specific example is a form of social engineering that attempts to exploit individuals that need money by giving them a sense of hope and trust that the $1000 will be going to them. It’s important that we identify these kinds of attacks before it’s too late. By following the tips below, you can give yourself a better understanding of how to protect against Social Engineering attacks and what they may look like in the wild.
There are many ways an attacker can attempt to social engineer you. First, they need to choose a communication medium on which they want to try and exploit you. This can be through email, text message, or even voice. The attacker will attempt to be charismatic in order to win your trust which will make you more likely to give your personal information. This can be in the form of compliments, promises, or even favors. They will always try to convey confidence and control. On the opposite end, they will try to manipulate human feelings such as fear or curiosity to get people to fall for their schemes. This can be in the form of blackmail or targeted threats.
The best way to deal with these types of people is to ask as many questions as you can. First, you want the person to identify themselves. Ask questions such as “What is your name?”, “Who do you work for?” “Where is your company physically located”, or one of my personal favorites “Can you give me a number I can call you back at”. With this information you can paint a picture to see if the person/company is the real deal or not.
Next, ask the person if they are authorized to make this request to you. If a social engineer is asking for personal information, ask to speak to their direct supervisor or their manager. If they claim they can’t come to the phone or answer you, refuse to give the information until they can provide that proof.
The bottom line is to always make sure to ask questions to keep social engineers on their toes. Don’t let them try and trick you into giving away your own personal information or proprietary business information.
91% of all cyber-attacks begin with a phishing email. Phishing is the fraudulent attempt to obtain sensitive information and data through the means of social engineering. These types of attacks can range from winning prizes to trying to scare you into thinking someone logged into your account. One type of tactic that has surfaced due to COVID-19 is phishing emails that say “Click here to claim your stimulus check!” It’s important that we educate ourselves on how to identify these types of scams and to learn what they look like.
One of the best ways to identify if the “Click Here” is legitimate or not is to hover over the link in question. Let’s say for example that Google says someone is trying to log into your account and you need to click a link to reset your password. If you hover your mouse over the link, in the bottom left corner of the screen you will see what the link will truly take you to.
Other things to watch out for are grammatical errors and low-resolution business logos. If the communication doesn’t sound right or seem professional, always be cautious before clicking. Attackers will also attempt to cut and paste logos from companies and since they don’t have the original, the logo will often look pixelated. If you see any of these errors, you could be a target for a phishing attack.
Most of the time with Social Engineering attacks there won’t be a lot of technical components to it. These attacks target the weakest link in security, human beings. You can have the best firewalls and anti-viruses in the world, however, if you willingly give away credentials to an account that controls these devices, it’s game over. It’s important to educate yourself and others on what these kinds of attacks can look like so you can prevent these attacks from targeting you or your business.
If you’re a business owner and want to take things to the next level, implementing interactive, educational social engineering games is highly recommended. These kinds of games would offer the individual an interactive setting in which they can see real life examples of social engineering attacks and learn how to identify inconsistencies so they aren’t a cause of a potential breach.
Always think before you do or click anything. Use your logic and reasoning to determine whether or not you are being socially engineered. These types of attacker’s prey on human emotion to get to their goal and come in many different forms. The chances are if you are being engaged by one of these people, they have already built a profile on you or your business and know what questions to ask. Counter with more questions and remember to always make sure the other party has authorization to ask for personal information.