Social engineering
What is social engineering?
Social engineering describes a variety of tactics used by malicious actors to trick an individual into doing something they wouldn’t normally do, especially (but not exclusively) online. Phishing is one common type of online social engineering; others include scareware, pretexting, and pharming. A social engineering attack succeeds by manipulating a person rather than by exploiting a flaw in a company’s software or hardware, which is why technical defenses alone don’t stop it.
How does social engineering work?
Some tactics play on an individual’s emotions by creating fear, excitement, panic, or urgency. The assumption is that a person in such a state will let their guard down and be easier to fool.
Other tactics rely on familiarity or inattentiveness. The message appears to come from a familiar source (a retailer, a coworker, a bank), so the individual shares sensitive data such as passwords or banking information without a second thought, or clicks a link that leads to a spoofed website or delivers malware.
Examples of social engineering
Phishing
In a phishing attack, a person is tricked into entering their login credentials, often on a fake website that mimics a legitimate one. For example, a person might receive an email that appears to be from a retailer where they often shop, with a message like “You’ve won a gift card! Click here to claim your prize!” The website they’re directed to may be a convincing copy; when the person attempts to log in, the phisher collects the username and password and uses them to access the account on the legitimate site. The same kind of lure can just as easily ask for a payment-card number or a one-time login code instead of a password.
Scareware
Scareware commonly appears as a pop-up message with urgent language like “Your computer is infected.” The message includes a button offering a download, a software update, or some other “protection”; clicking it installs malware instead.
Pretexting
Pretexting builds a fabricated but plausible story (the pretext) that gives the target a reason to hand over personal data. The story can be delivered by phone call, email, or SMS (text messaging). For example, a text message might claim to be from a local bank manager, with language like “There is a problem with your checking account” and a link that (supposedly) points to the bank’s website for follow-up. The link leads instead to a fake website that asks the person to “prove their identity” by providing personal data or login information.
Pharming
Pharming sends a person to a counterfeit website even when they type the correct address. The redirection is usually set up by malware that edits the device’s hosts file or DNS settings (or, at a larger scale, by poisoning a DNS resolver), and the malware is often delivered with a social engineering lure. A typical lure is a social media message of mock urgency like “Your account has been hacked. Change your password immediately,” with an Update Account button that installs the malware. The next time the person tries to reach their social media account, even by typing the real address, they land on a copycat site; when they “log in” there, they hand the attacker their password, which can then be used on the legitimate site. Also note that, if the individual follows the dangerous practice of reusing the same (or very similar) usernames/passwords across different sites or apps, the attackers would then gain access to those other sites and apps as well.
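The hosts-file edit described above is something you can check for yourself. The script below is an added example, not code from the original article or from Brave: it parses hosts-file text and flags any entry that sends a watched domain (or one of its subdomains) somewhere other than the loopback address. The hosts-file text is constructed for illustration (203.0.113.0/24 is a documentation address range), and the watched domains are an assumption standing in for the sites you actually log in to; on a real machine you would pass the contents of /etc/hosts (Linux/macOS) or C:\Windows\System32\drivers\etc\hosts (Windows).

```python
"""Hosts-file check for pharming-style redirects.

Added example, not code from the original article or from Brave. SAMPLE_HOSTS is
constructed for illustration and WATCHED_DOMAINS is an assumption; on a real
machine read /etc/hosts or C:\\Windows\\System32\\drivers\\etc\\hosts instead.
"""
import ipaddress

# Assumption: the sites whose name resolution the user cares about.
WATCHED_DOMAINS = {"socialsite.example", "bank.example"}

# Constructed sample: the usual loopback lines, then an override a malicious
# "account update" installer dropped in, then a harmless ad-blocking entry.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# Added by "account update" installer
203.0.113.45    socialsite.example www.socialsite.example
127.0.0.1       ads.tracker.example   # blocking an ad host is harmless
"""


def parse_hosts(text):
    """Yield (line number, ip address, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address; skip
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def matches_watched(name, watched):
    """True if name is a watched domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return overrides that send a watched domain anywhere other than loopback.

    A loopback mapping merely blocks the site (annoying, but not pharming); a
    mapping to any other address silently diverts every visit, including logins,
    to whatever server the attacker chose.
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if matches_watched(name, watched) and not ip.is_loopback:
            findings.append((lineno, name, str(ip)))
    return findings


if __name__ == "__main__":
    for lineno, name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} is being sent to {ip}")
```

Run against the constructed sample, the check reports line 4 twice (once for socialsite.example and once for www.socialsite.example), both pointing at 203.0.113.45, while the loopback entries and the unrelated ad host are left alone. A clean hosts file on most home machines contains only the loopback lines, so any extra entry naming a site you log in to deserves a hard look.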
Social engineering in the workplace
Social engineering is also a way for bad actors to try to gain entry to corporations or their systems by targeting employees. In a workplace setting, attackers can use one (or more) social engineering techniques to get an individual or group of employees to make a mistake, such as approving a fake invoice or entering company credentials on a spoofed login page, thus exposing their company and coworkers to data breaches, malware, or other attacks. Companies adopt cybersecurity practices to defend against these (and other) types of attacks. Employees play a vital part in this defense when they follow their employer’s security protocols and report suspicious messages rather than quietly deleting them.
What should I do if I’m attacked?
The most important thing you can do is be vigilant. Carefully evaluate any message that’s urgent, alarming, or seems too good to be true.
- If it’s a suspicious email, take a close look at the sender’s actual email address, not just the display name, which the sender can set to anything. Be aware that even the address can be forged, so a familiar-looking address is not proof on its own. Don’t respond to, or click any links in, the email unless you’re sure it came from a trusted source.
- Don’t visit URLs that look unusual (for example, “alert-officialsite.com” vs. “officialsite.com”). The part that matters is the domain name just before the first single slash, read from the right, so “officialsite.com.example.net” belongs to example.net, not to officialsite.com. To be extra cautious, never click links in a text, email, or pop-up, and instead directly type the site URL into your browser address bar, or use the company’s official app.
- If you find yourself at a website and it looks suspicious, trust your instincts. Don’t interact with a website if it looks somehow different than usual.
- If you suspect one of your accounts has been compromised, change your password on that site/app immediately (from a device you trust), and on any other sites/apps where you use the same (or even a similar) password. Where the site offers it, also sign out all other sessions and review recent account activity. And remember that you should always use highly distinct passwords for every site and app, which limits the damage if any one account gets compromised. A reputable password manager can help.
How can I prevent being targeted by social engineering in the first place?
There are several steps you can take to minimize the chance that you become a target of social engineering in the first place.
- Always double check the site you’re visiting and/or entering personal information into (e.g. “google.com” vs. “gooooooogle.com”).
- Avoid downloading, signing up for, or sharing personal information on any app or service, unless it’s for something you’ve sought out.
- Approach with extreme caution any website, email, or text message that unexpectedly offers you an award, or says you need to download or update software.
- Enable Safe Browsing in your Web browser. All major browsers, including Brave, support this feature, which can warn you if you’re about to visit a known phishing site.
- Always keep the software you use updated so it has the latest security fixes. This is especially important for your operating system (OS) and browser, which will often let you know when they need to be updated.
- Use a password manager to securely store all your passwords, and to generate random, unique passwords for every account and website you access.
- Enable two-factor authentication (2FA), or multi-factor authentication, on every account that supports it. This won’t prevent attacks, but it will limit the damage if you are targeted: Even if an attacker gets your password, they won’t have your second factor (generally a unique, one-time numeric code that’s also required before you can gain access to your account on a site or app). One caveat: a one-time code can itself be phished if a fake site asks for it and relays it to the real site while it’s still valid, so never type a code into a page you reached from a link. Where a site offers a hardware security key or a passkey, prefer it; those are tied to the genuine site’s address and won’t work on a copycat.
- Only install and update apps via the official app store, or from reputable companies.
- Avoid installing browser extensions you don’t need. If you must install one, only do so via the “official” store for those extensions, such as the Chrome Web Store, and review the permissions it asks for. (Note that browsers like Brave have a built-in ad blocker, Brave Shields, which means you won’t need to install an ad-blocking extension.)
- Only enter personal information on websites that use HTTPS (look for “https://” in your browser’s address bar), and avoid doing so on non-HTTPS sites. Keep in mind that HTTPS only means the connection is encrypted; phishing sites use HTTPS too, so the padlock does not prove that a site is genuine, and you still need to check the domain name. In Brave, connections are automatically upgraded to HTTPS. If you’re connected to a public or untrusted Wi-Fi network or ISP, try to use a VPN.
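The address checks recommended above (the “alert-officialsite.com” and “gooooooogle.com” examples, plus looking for “https://”) can be written down as a small checker. The script below is an added example, not code from the original article or from Brave, and it goes a little beyond the page’s two spellings: it also catches a trusted name used as a subdomain of an attacker’s domain, a “trusted.com@attacker.net” user-info trick, one-letter typos, and Cyrillic letters that look identical to Latin ones. TRUSTED_DOMAINS, the stand-in public-suffix list, the confusables table and the sample URLs are all constructed for illustration; a real tool would load the full Public Suffix List and the Unicode confusables data.

```python
"""Look-alike domain check for links in e-mails, texts and pop-ups.

Added example, not code from the original article or from Brave. TRUSTED_DOMAINS,
MULTI_LABEL_SUFFIXES and LOOKALIKE_MAP are small hand-made stand-ins; a real tool
would load the full Public Suffix List and Unicode confusables data.
"""
from urllib.parse import urlsplit

# Assumption: the domains the user genuinely has accounts with.
TRUSTED_DOMAINS = {"officialsite.com", "google.com"}

# Assumption: a tiny stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Cheap tricks to undo before comparing: digit-for-letter swaps, hyphens, and
# the Cyrillic letters that look identical to Latin a, e, o, p, c, y, x.
LOOKALIKE_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "-": "",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})


def registrable_domain(host):
    """The part of the host an attacker would have to own (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(text):
    """Apply LOOKALIKE_MAP and collapse stretched letters ("gooooogle" -> "gogle")."""
    out = []
    for ch in text.lower().translate(LOOKALIKE_MAP):
        if not out or out[-1] != ch:
            out.append(ch)
    return "".join(out)


def edit_distance(a, b):
    """Levenshtein distance; enough to catch a single dropped or added letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return (verdict, registrable domain, reasons); verdict is trusted/lookalike/unknown."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if not host:
        return "unknown", "", ["no host in URL"]
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("user@ prefix: the real host is what follows the @")
    try:
        ascii_host = host.encode("idna").decode("ascii")     # Unicode -> punycode
        unicode_host = ascii_host.encode("ascii").decode("idna")
    except UnicodeError:
        return "lookalike", host, reasons + ["host is not a valid IDNA name"]
    if ascii_host != unicode_host:
        reasons.append(f"internationalized host, seen by DNS as {ascii_host}")
    domain = registrable_domain(ascii_host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain, reasons
    # Scan the whole name (and any user@ part) for a trusted brand, then compare
    # the label the attacker actually chose against each brand for one-letter typos.
    scan = normalize(unicode_host)
    if parts.username:
        scan = normalize(parts.username) + "@" + scan
    chosen = normalize(registrable_domain(unicode_host).split(".")[0])
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = normalize(trusted.split(".")[0])
        if brand in scan or edit_distance(chosen, brand) <= 1:
            reasons.append(f"looks like {trusted} but is really {domain}")
            return "lookalike", domain, reasons
    return "unknown", domain, reasons


if __name__ == "__main__":
    for link in ["https://accounts.google.com/signin", "https://alert-officialsite.com/verify",
                 "https://officialsite.com.attacker.net/login", "http://gooooooogle.com/",
                 "https://officialsite.com@attacker.net/", "https://g\u043e\u043egle.com/"]:
        print(link, "->", check_url(link))
```

The design choice worth noting is that the verdict is decided on the registrable domain, never on whether a familiar word appears somewhere in the address: “officialsite.com.attacker.net” is attacker.net’s site no matter how the left-hand part reads, and “https://officialsite.com@attacker.net/” sends you to attacker.net with “officialsite.com” silently treated as a username. A “trusted” result only means the domain is one you chose to trust; the other checks in this list (HTTPS, a password manager that refuses to autofill on the wrong domain, Safe Browsing) still apply.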