Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value.
Although our systems may be prepared for the likes of malware and worms, social engineering is a different beast of its own. If used effectively, hackers can manipulate people into disclosing personal information, rendering security systems useless.
So how exactly do they go about doing this? Here are five of the most utilized social engineering tactics you should be aware of.
Phishing: – Phishing scams are perhaps the most common type of social engineering attack. Usually seen as links embedded in email messages, these scams lead potential victims into seemingly trustworthy web pages, where they are prompted to provide their personal information, including email addresses, and credit card numbers.
Phishing emails often appear to come from reputable sources, which makes the embedded link even more compelling to click on. Sometimes phishing emails masquerade as government agencies urging you to complete a personal survey, and other times phishing scams pose as false banking sites. In fact earlier this year, fraudulent Olympics-themed emails redirected potential victims to fake ticketing services, where they would eventually input their personal and financial information.
Tailgating: – What’s the best way to infiltrate your business? Through your office’s front door, of course! Scam artists can simply befriend an employee near the entrance of the building and ask them to hold the door, thereby gaining access into a restricted area. From here, they can steal valuable company secrets and wreak havoc on your IT infrastructure. Though larger enterprises with sophisticated surveillance systems are prepared for these attacks, small- to mid-sized companies are less so.
Quid pro quo: – Similar to phishing, quid pro quo attacks offer appealing services or goods in exchange for highly sensitive information. For example, an attacker may offer potential targets free tickets to attend hard-to-get tickets in exchange for their login credentials. Chances are if the offer sounds too good to be true, it probably is.
Pretexting: – Pretexting is another form of social engineering whereby an attacker fabricates a scenario to convince a potential victim into providing access to sensitive data and systems. These types of attacks involve scammers who request personal information from their targets in order to verify their identity.
The unfortunate reality is that fraudsters and their social engineering tactics are becoming more sophisticated. Your best defense to avoid these scams is knowing what they are and being critical of every email, pop-up ad, and embedded link that you encounter in the internet.
Bob Milliken is the TheITguy@CascadiaSystemsGroup.com specializing in helping businesses with their IT needs and keeping our finger on the power button. Connect with him at 604.270.1730.