Editor’s Note: This article was published in 2017 and has been updated for accuracy and comprehensiveness as of November 2020.
Social engineering is the act of manipulating people through fraudulent acts, like posing as someone else or misrepresenting intent. Social engineering is one of the most effective types of cyberattacks. No matter how many security tools and resources you use to defend against a cyberattack, social engineering can circumvent most of these efforts. In these types of attacks, hackers leverage and manipulate human behavior, and there isn’t much security tools can do to prevent this.
What are some examples of social engineering?
One of the more known examples of social engineering involves the IRS calling a victim to settle a tax debt. The debt is due immediately, but the hacker is willing to work with the victim to prevent further “damage.” They even tell them “just go to Target and buy several gift cards.” This has worked so often that there is a warning video on the IRS.gov site that states the IRS will never ask you to pay for a tax debt with a gift card of any kind. Cybercriminals do not hack these victims, they simply convince these people to give them money over the phone.
Phone calls from “Microsoft”
Hackers also impersonate Microsoft employees, calling to let victims know their computer has been infected. This “Microsoft representative” asks the victim to go to a certain website to clean out the infection. The catch: this website contains malware, and the scammer walks the victim through installing the malware, completing the cyberattack. Once this malware is installed, the hackers have full control of your system and attempt to elevate privileges/access throughout the rest of the network. Because of these attacks, Microsoft employees don’t call end-users directly.
You may think you wouldn’t fall for these schemes but consider this situation: you’re in the finance department for your company. A vendor who you’ve worked with many times sends you an email notifying you that they have changed banks and to send future payments to these new accounts. This is a trusted source that you are familiar with. A quick phone call could have verified the email. But in this case, that didn’t happen…and thousands of dollars were sent before it was discovered.
Protect yourself against social engineering cyberattacks:
- First and foremost – Pause.
- Attackers are trying to catch you off guard by creating a sense of urgency. Don’t fall for it.
- Be cautious about communications that invoke an emotional response.
- Do not click on a link or open a document in an unexpected email or text.
- Next – Think.
- Take a minute to review the email, text, etc.
- Research the next steps without clinking on a link or opening a document.
- Lastly – Act.
- Never give out personal data when called by someone you don’t recognize. If you must give sensitive information, hang up and call the main number to the company the information requester says they work for. Do not call a number provided by a suspect you’re not sure about to provide sensitive info.
- When in doubt, pick up the phone and verify. Call the vendor, customer, college, etc.
Cyberattacks: Defeated by slowing down
Just taking an extra minute can save your company thousands of dollars. As you can see, exercising the “Pause. Think. Act.” methodology can negate many online threats. Encouraging your employees to take the time to stop and think can create a strong cybersecurity culture at your business. As our work and personal lives get busier, it’s becoming easier for hackers to exploit us with a cyberattack strategy designed to slip into our auto-pilot routine. So keep in mind that we are always under the threat of a cyberattack, and need to always keep an eye out for questionable activity.
Remember, all social engineering attacks rely solely on our not paying attention to social engineering signals, and buying into the emotional and psychological aspects of fraud. Don’t be a victim of these types of attacks. Be skeptical of everything on the internet, your email inbox, and even phone calls. It’s a dangerous world out there, but by implementing a few techniques, you can make you and your company safer. SUCCESS Computer Consulting has comprehensive training for employees on cybersecurity and a team that can help your business prevent cyberattacks.
** Side note: If you are responsible for insurance within your company, a misconception in these cases is that the business has insurance for issues like this. Social engineering is generally classified as fraud. Check with your insurance provider to make sure you are covered in the event your network is compromised.