“Social engineer” may sound like a cool job title you can put on your calling card. But know that it spells nothing but trouble.
Social engineering is the act of tricking someone into sharing private information, by exploiting specific qualities of human decision-making known as cognitive biases. While hackers attack and circumvent computer and online systems to steal information, social engineers manipulate people into granting legitimate access to confidential information.
Jonathan John B. Paz, BPI’s Data Protection Officer and Enterprise Information Security Officer, said social engineers can be deviously clever in exploiting people’s vulnerabilities both online and offline.
“The only way we can rebuff these attacks by social engineers is to educate ourselves and know how to spot them to avoid being a victim,” he said.
He enumerated five of the most common attacks we should know:
Phishing – Phishing is the most common social engineering scheme, where an attacker sends an e-mail, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or any other institution. In a phishing attack, recipients are tricked into sharing confidential information, such as credit card or bank account numbers and PINs. The messages typically claim there is a problem that requires recipients to “verify” their details by clicking on the displayed link and entering them into the attacker’s form. They may even ask for aid or support for a disaster, political campaign, or charity.
Spear phishing – Spear phishing is a highly targeted type of phishing attack that focuses on a specific individual or organization. Social engineers use personal information that is specific to the recipient in order to gain trust and appear legitimate. This information can come from recipients’ social media accounts. Because these attacks are more specific, the attackers’ chances of success are much higher.
Baiting – Attackers who use this technique rely on the assumption that if they dangle something people want, people will likely take the bait. They also take advantage of people’s natural curiosity by leaving a malware-infected device (like a USB drive or CD) in a public space, like a bathroom or a cafeteria, where someone will likely find it. A baiting attack hinges on the premise that the person who finds the device will plug it into a computer and unknowingly install the malware.
Pretexting – Pretexting happens when social engineers make up a story with the goal of fooling recipients into providing access to confidential information. For example, they could pretend that they are part of a company’s IT department in order to acquire the recipient’s passwords or other confidential information.
Tailgating – Tailgating is a physical social engineering tactic wherein an unauthorized individual follows authorized individuals into a secure location. An example of tailgating is when someone asks you to hold the door open because they forgot their access card, or asks to borrow your phone or laptop to send an email or quickly google something, but instead installs malware or steals data from the device.
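The phishing item above turns on the gap between the link a message displays and where that link actually goes. As an added illustration that is not part of this article or of BPI’s own materials, the following Python script scans the HTML of an e-mail for anchors whose visible text names one site while the href points somewhere else, or whose destination is disguised with a user@ prefix or a bare IP address. The sample e-mail is constructed for the example; its domains use the reserved .example suffix and a documentation IP address, and the “same site” rule (exact host or subdomain) is a deliberate simplification.

```python
"""Flag links in an HTML e-mail whose visible text does not match the real
destination.  Added example; the sample message below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a URL or bare domain inside the visible link text.
DOMAIN_IN_TEXT = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I
)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._href = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._buf = []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._buf).split())  # collapse whitespace
            self.found.append((self._href, text))
            self._href = None


def norm_host(host):
    """Lower-case a hostname and drop a leading 'www.' so names compare fairly."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def same_site(claimed, actual):
    """True if the real host is the claimed host or one of its subdomains."""
    return actual == claimed or actual.endswith("." + claimed)


def suspicious_links(html):
    """Return [(href, visible_text, reason)] for every link worth a second look."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.found:
        scheme = urlsplit(href).scheme.lower()
        if scheme and scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are out of scope here
        parts = urlsplit(href if "://" in href else "http://" + href)
        actual = norm_host(parts.hostname)
        if not actual:
            continue  # relative link or page fragment
        reasons = []
        match = DOMAIN_IN_TEXT.search(text)
        if match:
            claimed = norm_host(match.group(1))
            if not same_site(claimed, actual):
                reasons.append(f"text shows {claimed} but link goes to {actual}")
        if parts.username is not None:
            reasons.append("user@ before the hostname hides the real destination")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", actual):
            reasons.append("link goes to a bare IP address")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample: two deceptive links, one legitimate subdomain link, one mailto.
SAMPLE_EMAIL = """<html><body>
<p>We detected a problem with your account. Please
<a href="http://198.51.100.7/verify">verify your details at https://www.mybank.example/verify</a>
within 24 hours.</p>
<p>Or log in via <a href="https://www.mybank.example@login-mybank.example/">www.mybank.example</a>.</p>
<p>Questions? Visit <a href="https://online.mybank.example/help">mybank.example/help</a> or
<a href="mailto:help@mybank.example">email us</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"[{text}] -> {href}\n    {reason}")
```

Run against the sample, the script reports the first two links and stays quiet about the help link, which only goes to a subdomain of the site it names. The same mismatch is what a reader avoids by typing a known address into the browser instead of clicking the link in the message.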
“A healthy dose of paranoia and mindfulness can help,” said Paz. “It’s safer to type a URL into your browser than click on a link. Never open attachments from people or sources you don’t know and trust. Many of us know this but there are times we forget.”
When it comes to the security of your personal information, it always helps to be wary and to remember the five common attacks above.