Social engineering and how to protect yourself

By now, it probably seems like you know all about how to protect yourself online. You’ve downloaded the antiviruses, implemented the firewalls, your password is uncrackable, and you reckon you could spot a phisher a mile off. But do you know how to protect yourself from social engineering?

Social engineering is different from other kinds of hacking attempts because it tends to be more personal and, as a result, harder to spot if you’re not prepared for it. Because social engineering cases are on the rise — with threats increasing by 270% in 2021 — it’s crucial that everyone knows how to prevent themselves from becoming a victim. 

Read on to learn more about social engineering and how to protect yourself.

What is social engineering?

Social engineering encapsulates a broad range of malicious activities that typically involve human manipulation in an online setting (though sometimes in real life, too). The malicious actors want something from the victim, such as access to their online accounts or the accounts of the company they work for, often for data theft, financial gain, entry to critical resources, or to cause general disruption. 

Before an attack, the perpetrator generally investigates the background and online profile of the victim so that they can use this information to pretend to be a person or entity the victim knows. Once they have enough information, they’ll approach the victim somehow, for example via email or a messaging app, where they pretend to be a friend or another trusted source. They might send a link or an attachment, request information, or perhaps ask the victim to donate to their charity event. Sometimes the message has a note of urgency to encourage the victim to act without thinking, with perpetrators posing as a friend in trouble who needs money immediately or informing them that they’ve won a cash prize but only have a limited time to claim it. The victim, none the wiser, will often comply with their “friend’s” request without thinking twice. 

This is a very general overview of how a social engineering attack can play out. In the next section, we’ll discuss the common types of social engineering attacks so that you know what to look out for. 

Common examples of social engineering

There are myriad forms of social engineering attacks, but here are the 4 most common.

Phishing

Phishing is one of the most common forms of social engineering, and you’ve likely encountered a phishing scam or two in your inbox over the years. Phishing scams usually target large groups of users, most often pretending to be a known company. These emails lure victims to a fake but convincing landing page under false pretenses and encourage them to log in or enter personal details, which the perpetrators then use for nefarious purposes.

Read more about phishing and how to protect yourself in this blog post.

Spear phishing

Spear phishing is similar to phishing, but targets specific users and convinces them to hand over information with more personalized emails. These emails often target high-profile victims such as company executives or CEOs, but not always. Common examples include emails impersonating IT professionals at a company and requesting that employees change their passwords via a malicious link, or impersonating vendors the company works with and sending fake invoices with large payments attached.

Pretexting

This is the type of spear phishing attack that requires the most effort, with the scammer researching the victim before contacting them and impersonating a trusted source, such as a representative from a vendor or company they work with, or even a fellow employee. A famous example of pretexting occurred in 2020 when hackers managed to take over high-profile Twitter accounts, like those of Bill Gates and Barack Obama. The perpetrators did this by phoning Twitter employees who had access to Twitter’s internal support tools.

Scareware

This type of social engineering convinces the victim that their computer has been infected. It might come in the form of a pop-up or email that asks the user to call a number for a bogus customer care hotline that will likely scam them out of money or download some kind of malware. Often the pop-up or email convincingly impersonates the look of an antivirus or service the victim uses, so they think it’s real. 

How to protect yourself

  1. Be critical of every message you receive

Some of this is common sense you already know, and things we mentioned previously in our phishing blog. Don’t open links or email attachments from unknown senders, and be wary even when the message claims to come from a company you know. Double-check on the company’s official site to make sure it’s legit.

If you receive a message from a colleague on an application outside your usual work communications, treat it with suspicion, especially if they’re asking for sensitive information or passwords, or sending you links or attachments. Tell them to contact you via official channels and alert your IT department if they refuse. Better to proceed with caution than put your job on the line.

If you get a call from someone claiming to be from your bank or Internet provider asking you to give them sensitive information or to make changes to your computer, hang up immediately and contact them through official channels. 
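The checks above can be partly automated. The script below is an added example written for this post, not code from the original article or from any product it mentions; it runs over two constructed sample emails (one suspicious, one benign) and flags the tell-tale signs described above: a Reply-To address on a different domain from the sender, urgency language in the subject or body, and a link whose visible text names one site while its href points to another. The domain helper is a deliberate simplification (it keeps the last two labels of a hostname rather than consulting a public-suffix list) and the sender addresses are made up.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: lookalike sender, mismatched Reply-To, urgency, deceptive link.
SUSPICIOUS_EMAIL = """\
From: "Acme Support" <support@acme-example.com>
Reply-To: helpdesk@acme-example-login.net
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Your account will be suspended unless you act immediately.</p>
<p><a href="http://acme-example-login.net/verify">https://www.acme-example.com/account</a></p>
</body></html>
"""

# Constructed sample: ordinary newsletter with a link whose text is plain wording.
BENIGN_EMAIL = """\
From: "Acme Newsletter" <news@acme-example.com>
Subject: Monthly product update
Content-Type: text/html

<html><body>
<p>Here is what we shipped this month.</p>
<p><a href="https://www.acme-example.com/blog">Read the blog</a></p>
</body></html>
"""

# Phrases that typically pressure the reader into acting without thinking.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "act now")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registrable_domain(host):
    """Crude 'site' name: last two labels of the hostname (assumption for the demo)."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def domain_of_address(addr):
    """Domain part of an RFC 5322 address such as '"Name" <user@host>'."""
    return registrable_domain(parseaddr(addr)[1].rpartition("@")[2])


def looks_like_url(text):
    t = text.strip().lower()
    return "://" in t or t.startswith("www.")


def analyze_message(raw):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []

    sender_domain = domain_of_address(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of_address(reply_to) != sender_domain:
        findings.append(f"reply-to-mismatch: replies go to {domain_of_address(reply_to)}, "
                        f"but the sender is {sender_domain}")

    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency: " + ", ".join(hits))

    collector = LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        if not looks_like_url(visible):
            continue  # plain wording like "Read the blog" cannot contradict the href
        shown = visible.strip()
        if "://" not in shown:
            shown = "http://" + shown
        shown_domain = registrable_domain(urlparse(shown).hostname)
        real_domain = registrable_domain(urlparse(href).hostname)
        if shown_domain != real_domain:
            findings.append(f"link-mismatch: text shows {shown_domain} but href goes to {real_domain}")
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze_message(sample) or ["no findings"])
```

None of these signals alone proves a message is malicious; a newsletter may legitimately use a different Reply-To, and urgent wording appears in real notices too. Treat the findings as a prompt to verify through an official channel, which is the advice the section above gives.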

  2. Watch your digital footprint

Unless you’re a social media influencer, you probably don’t need to share all that much information about yourself online. All kinds of information from your interests to your relationships can potentially be used to manipulate you, so be cautious about what is public. Even if you are in the public eye, be very careful about divulging information about where you work and your location. On sites like Facebook and LinkedIn, be sure to hide your contacts and friends so that potential malicious actors don’t have access to them. Google your name to find out what information can be found publicly and see what you can hide. 

  3. Make sure your online accounts are secure

This means using strong passwords and never reusing them. By having a unique password for each site you’re ensuring that if one account is compromised, the malicious actor won’t have access to the rest. The easiest way to lock all your accounts with strong, unique passwords is by using a password manager.

A good way of ensuring your accounts aren’t compromised even if your password is stolen is implementing 2FA (two-factor authentication) when possible. If the hacker needs access to another device to get into your account, then just having your password won’t be enough.

  4. Familiarize yourself with social engineering trends

Hackers are constantly coming up with new techniques to scam people, particularly as more and more everyday services move online. Keeping up-to-date with how these scams play out is a surefire way to ensure that you know the signs and don’t become a victim. 

Conclusion

It’s an unfortunate reality that as our world becomes more digital, malicious actors come up with more new and clever ways to trick people into handing over sensitive data and cash. Although social engineering can take many forms, getting scammed doesn’t have to be an inevitability. Keeping yourself educated, minimizing your digital footprint, and securing your online accounts can go a long way to staying safe online.
