Imagine you receive a message on Facebook from a good friend you haven’t seen for some time but have been meaning to get in touch with. The message says: “I just saw this movie [URL link] and it made me think of you. I miss you! XOXO.” What would be your very first reaction? Would you click?
Someone in the Living Security family received a message like this and fell for the scam, but was courageous enough to share their failure. This is a great learning opportunity around social engineering. After all, a mistake only teaches you something if you actually learn from it!
What is Social Engineering?
Social engineering is just what it sounds like: using social skills to influence human behavior. Cybercriminals take advantage of this, knowing that people often voluntarily give up confidential information or click links when they are curious or caught off guard. They exploit our emotions and our willingness to trust and believe.
In the above example, the scammer was trying to take advantage of an emotional connection to a friend and an increased willingness to react quickly to that message.
Tactics Cybercriminals Use
This is not new. Since the dawn of crime, people have learned how to exploit other people’s trust to get their way. But tactics change as the spirit of the times changes.
Today, things like the pandemic, riots and space launches are being used as lures to convince people to click links or download attachments in emails. As societies re-open, scammers exploit that theme even more.
Recent statistics show that the large majority of cyberattacks rely on some form of social engineering. Scammers approach their targets by phone, in person at the office, or online. The most common tactics used by criminals are:
- Pretexting, where they use a pretext or a lie to capture our attention;
- Phishing, where we receive an email allegedly coming from a trusted institution, asking us to provide confidential information;
- Vishing, which is the same as phishing, but happens over the phone;
- Quid Pro Quo, where we’re promised a benefit in exchange for information, for example when we’re called by an IT technician saying he’ll repair our PC but needs our password to do it;
- Email and account hacking, which is exactly the situation that happened above – a cybercriminal logging into a friend’s Facebook account and baiting all of their social media contacts.
How to Protect Ourselves?
There are some things you can do to mitigate the potential risk and avoid traps the scammers set up. To stay safe online, we encourage you to follow these rules:
- Slow down and always stay alert. Scammers don’t want you to think twice before you act. This is why the messages they send or calls they make have a sense of urgency. It is OK to stop, breathe and report suspicious activity to the helpdesk.
- Be suspicious of any unsolicited messages. If the email looks like it is from a company you know, do not use the link in the message; visit their website by typing their address yourself or by finding it through known-good sources.
- If you are called by your bank or any other organization which says they have important information regarding your account, hang up and call the organization back using a number you already know belongs to them.
- Never reply to any requests for financial information or passwords.
- Always check out the links before you click, even if they “look official”.
- Never open or download an attachment or click a link unless you are SURE it is a valid one.
- Never believe in messages congratulating you on winning something or promising you will get something for free. It’s unfortunately never the case.
- Install good antivirus software on all your devices and keep it updated. Set your spam filters to high.
- If you’re unsure what to do, check with your IT and security teams!
- Get trained, get trained, get trained! The more you know about social engineering, the more alert and safe you become. Scammers modify their techniques and become shrewder as we speak, so it’s important to regularly refresh your knowledge and have the most up-to-date info.
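“Check out the links before you click” is easier said than done, because the text you see and the address you actually visit can differ. The following Python script is an added example (it is not Living Security’s code and is not part of the original post) of what a careful look at a link can reveal: it pulls the URLs out of a message, shows which domain each one really leads to, and flags the usual deception tricks such as a brand name hidden in someone else’s subdomain, a `user@host` prefix, a punycode (`xn--`) lookalike host, a raw IP address, or a plain `http://` link. All sample messages and links below are constructed (the suspicious ones use the reserved `.example` and documentation-address ranges); the `inspect_link` and `scan_message` names, and the two-label approximation of the registrable domain, are assumptions of this example, not a standard.

```python
"""Look at a link the way a cautious reader should, before clicking.

Added example with constructed sample data. The registrable domain is
approximated as the last two labels of the host; a production tool would
use the Public Suffix List instead.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Matches http(s) links inside free text (constructed, deliberately simple).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _parse(link: str):
    """urlparse only finds the host when a scheme is present; add one if missing."""
    return urlparse(link if "://" in link else "http://" + link)


def registrable_part(host: str) -> str:
    """Crude 'last two labels' approximation, e.g. www.facebook.com -> facebook.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(href: str, visible_text: str = "", expected_brands=()) -> dict:
    """Return the real destination of a link plus a list of warning codes."""
    url = _parse(href.strip())
    host = (url.hostname or "").lower()
    warnings = []
    if url.scheme != "https":
        warnings.append("no-https")           # plain http: nothing is verified
    if "@" in url.netloc:
        warnings.append("userinfo")           # everything before '@' is not the host
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode")           # IDN lookalike such as fàcebook
    if is_ip_literal(host):
        warnings.append("ip-host")            # raw IP instead of a named site
    # If the anchor text looks like an address, it should lead where it says.
    shown_text = visible_text.strip()
    if shown_text and "." in shown_text and " " not in shown_text:
        shown_host = (_parse(shown_text).hostname or "").lower()
        if shown_host and registrable_part(shown_host) != registrable_part(host):
            warnings.append("text-mismatch")
    # A trusted brand name that is not the registrable domain is a lookalike.
    for brand in expected_brands:
        brand = brand.lower()
        if registrable_part(host) != brand and (
            brand in host or brand.split(".")[0] in url.path.lower()
        ):
            warnings.append("brand-lookalike")
            break
    return {"host": host, "destination": registrable_part(host), "warnings": warnings}


def scan_message(text: str, expected_brands=()) -> list:
    """Inspect every link found in a message; returns one report per link."""
    return [inspect_link(m.group(0), "", expected_brands) for m in URL_RE.finditer(text)]


if __name__ == "__main__":
    # Constructed sample: the 'movie' message from the post, with a fake link.
    message = ("I just saw this movie http://facebook.com.login-verify.example/film "
               "and it made me think of you. I miss you! XOXO.")
    for report in scan_message(message, expected_brands=("facebook.com",)):
        print(f"{report['host']} -> really {report['destination']}: {report['warnings']}")
```

Run it on a pasted message and the output names the domain you would actually land on next to the warning codes; an empty warnings list means only that none of these tricks was spotted, not that the link is safe.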
As kids, we learn that not everyone knocking on our door is trustworthy. The same is still true in the cyber world. Security is about knowing who you can trust, and to know that, you need the right information to make a decision. Get trained and stay alert! Stay safe and adopt a healthy sense of paranoia!