When you see hackers on TV, they’re always digital experts. They aggressively tap keyboards in darkened rooms, taking down firewalls and infiltrating networks by cracking computer code and breaking security protocols. As you might guess, this has little to do with what successful real-world hackers do. Many modern hackers don’t even primarily attack computers. Instead, they attack people, overcoming security hurdles through social engineering attack techniques.
Social engineering is a nefarious technique used by scammers to gain your trust. By imitating trustworthy sources and exploiting human psychology, hackers manipulate you into freely divulging confidential information. By learning some common social engineering attacks and how to prevent them, you can keep yourself from becoming a victim.
Phishing Attacks
Phishing attacks are by far the most common form of social engineering attack. Most commonly, an attacker imitates an email from a party that you trust. For example, they might create an email that imitates a message from your bank. That email might look exactly like your bank’s emails, and it might seem to come from an email address owned by your bank. But if you take the action the email demands to unlock your account, you’ll be walking right into the attacker’s clutches. You’ll also see phony emails purporting to come from a personal contact requesting that you visit a Google Drive link.
To combat phishing attacks, double-check any suspicious emails through a separate communications channel. If you get an email from your bank requesting you contact them, do not use the information contained in the email. Instead, find your bank’s phone number on their official website and call them to confirm the veracity of the communication. If you receive an unusual email from a friend or colleague, send them a separate email or call them to make sure the email is legitimate.
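The "looks like your bank but isn't" pattern above can be checked mechanically before anyone clicks. This is an added example, not code from the original article: it parses a constructed message and flags a display name that claims a known organisation while sending from a domain it does not use, a Reply-To that diverts replies elsewhere, and link text that shows one host while the href leads to another. The organisation list and all addresses are assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email): the display name claims a bank,
# but address and Reply-To use other domains, and the link text hides the real href.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@mail-example-bank.biz>
Reply-To: recovery@attacker-mailbox.example
To: customer@example.org
Content-Type: text/html

<p>Your account is locked. Sign in now:</p>
<a href="http://login.attacker-mailbox.example/unlock">https://www.examplebank.com/login</a>
"""

# Assumed: display-name keywords and the domains the real organisation sends from.
KNOWN_ORGS = {"example bank": {"examplebank.com"}}


def domain_of(addr_or_url):
    """Lower-cased host of an email address or URL ('' if none)."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def phishing_indicators(raw):
    """Return human-readable warnings for a raw RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # 1. Sender claims to be a known organisation but uses a domain it does not own.
    for org, domains in KNOWN_ORGS.items():
        if org in name.lower() and from_dom not in domains:
            warnings.append(f"From claims '{name}' but sends from {from_dom}")
    # 2. Replies are silently diverted to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        warnings.append(f"Reply-To goes to {domain_of(reply)}, not {from_dom}")
    # 3. Anchor text displays one host while the href points at another.
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S | re.I):
        text = text.strip()
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            shown = domain_of(text if "://" in text else "http://" + text)
            if shown != domain_of(href):
                warnings.append(f"Link shows {shown} but goes to {domain_of(href)}")
    return warnings
```

Running `phishing_indicators(SAMPLE_EMAIL)` yields three warnings; a genuine message from `examplebank.com` with honest links yields none.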
Watering Hole Attacks
Watering hole attacks are more subtle than phishing attacks. They rely on embedding malware within an otherwise trustworthy website that the target already visits. This starts with a technical exploit in the website’s code, but it’s only successful when the victim clicks on a poisoned link. It’s a tough attack to protect yourself against, but it relies on the user’s tendency to trust otherwise suspicious information if it appears on a trusted site. It helps to be aware of suspicious-looking content, no matter where you see it.
Pretexting Attacks
In pretexting attacks, attackers create a false scenario designed to manipulate targets into giving up information. One common technique involves attackers requesting information to confirm your identity. Advanced versions of this attack might even convince victims to take actions that will allow hackers to access a secured network.
As a rule, you should never give sensitive information to anyone who calls or emails you unexpectedly, and use respectful caution with strangers. If your job involves sending sensitive information, make sure you follow company protocols to the letter: they’re typically designed to protect against these scenarios. Attackers rely on you bending the rules.
Tailgating Attacks
Tailgating attacks exploit how quickly most people extend trust in order to gain access to physical locations. By striking up friendly conversations and acting like they belong, attackers can talk their way into secured areas. Common stories involve lost key cards or, better yet, technical support requested by upper management. The name comes from the most rudimentary form of the technique, in which attackers breach a restricted location by following closely behind an authorized person.
Be politely cautious about the identity of all strangers, and never help strangers to access a secured location, even if they look legitimate. This goes doubly so for unexpected repairmen or utility workers.
Baiting Attacks
Attackers sometimes “bait” individuals by offering something they want. For example, attackers might offer free music, movie or pornography downloads. These downloads, of course, contain malicious programs. You’ll find this frequently in illegal torrents or other copyright-subverting downloads. Because targets want the bait, they won’t be as suspicious of even obviously malicious programs. Attackers might also leave mysterious USB drives lying around, hoping a curious soul will plug one into their computer and allow the auto-running malware to dump its payload.
Always question deals that seem too good to be true. Never download free music or movies, and get your adult material from reputable sources. And if you do plug a mystery device into your computer, you deserve whatever you get.
You can prevent yourself from most social engineering attacks by slowing down and thinking before you act. Be friendly but cautious with strangers requesting even innocuous information, and raise your general level of suspicion. Don’t believe a story just because it sounds good or the source looks credible. And, of course, never provide confidential information, or access to that information, to unknown parties.