What is Social Engineering?

Social engineering is the act of manipulating, influencing, or deceiving a victim to gain control over a computer system or steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim to gather the background information (such as potential points of entry and weak security protocols) needed to proceed with the attack. Then, the attacker uses a form of pretexting (such as impersonation) to gain the victim's trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.

Types of Social Engineering Attacks

Social engineering attacks come in many different forms, and can be performed anywhere involving human interaction. The following are common forms of digital social engineering attacks:

Phishing: The process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email, SMS text messaging, or phone calls. Phishing messages create a sense of urgency, curiosity, or fear in the message's recipients. The message will prod victims into revealing sensitive information, clicking links to malicious websites, or opening malware attachments.

Baiting: A social engineering attack where a scammer uses a false promise to lure a victim into a trap that may steal personal and financial information or infect the system with malware. This can be in the form of a malicious attachment with an enticing name.

The most common form of baiting uses physical media to disperse malware. For example, attackers leave the bait of malware-infected flash drives in conspicuous areas where potential victims are certain to see them. When the victim inserts the flash drive into a work or home computer, the malware is automatically installed. Baiting scams are also found online in the form of tempting ads that lead to malicious sites that encourage users to download malware-infected applications.

Tailgating: Also known as "piggybacking." In this type of physical breach, an unauthorized person manipulates their way into a restricted or employee-only area through social engineering tactics. The attacker might impersonate a delivery driver or custodial worker. Once the employee opens the door, the attacker asks the employee to hold the door, thereby gaining access to the building.

Scareware: Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived into thinking their system is infected with malware, prompting them to install software that grants remote access to the criminal or pay the criminal to preserve sensitive video that the criminal claims to have.

Dumpster Diving: A scammer will search for sensitive information, e.g., bank statements, pre-approved credit cards, student loans, and other account information in the garbage when it hasn't been adequately sanitized or destroyed.

Quid Pro Quo: Quid pro quo involves a criminal requesting sensitive information such as critical data, login credentials, or monetary value in exchange for a service. For example, a computer user might receive a phone call from a criminal who, posing as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials. If an offer sounds too good to be true, it is most likely a scam and not legitimate!

Social Engineering Prevention

  • Don't open email attachments from suspicious sources. Even if you know the sender, if the message seems suspicious, it's best to contact that person directly to confirm the message's authenticity.
  • Use Multi-Factor Authentication (MFA). User credentials are among the most valuable pieces of information attackers seek. Using MFA helps ensure your account's protection in case of an account compromise. Follow instructions for downloading DUO two-factor authentication to add another layer of protection for your account.
  • Be wary of tempting offers. If an offer seems too good to be true, it probably is. Using a search engine to look up the topic can help you quickly determine whether you're dealing with a legitimate offer or a trap.
  • Clean up your social media. Social engineers search the Internet for any information they can find on a person. The more information you have posted about yourself, the more likely a criminal can send you a targeted spear phishing attack.
  • Install and update antivirus and other software. Make sure automatic updates are turned on. Periodically check to ensure the updates have been applied and scan your system daily for possible infections.
  • Back up your data regularly. If you were to fall victim to a social engineering attack in which your entire hard drive was corrupted, it is essential that you have a backup on an external hard drive or saved in the cloud.
  • Avoid plugging an unknown USB drive into your computer. When a USB drive is found unattended, do not plug it into any of your devices. You should also disable Autorun on your machine. Autorun is a feature that allows Windows to automatically run the startup program when a CD, DVD, or USB device is inserted into a drive.
  • Destroy sensitive documents regularly. All sensitive documents such as bank statements, student loan information, and other account information should be physically destroyed in a cross-shredder or placed in one of the blue or gray locked receptacles, which are incinerated.
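
For the Autorun recommendation in the list above, the following PowerShell script is an added example, not part of the original page. It reports whether the Windows NoDriveTypeAutoRun policy value disables Autorun for every drive type and, when run with the -Enforce switch, sets it. The -Enforce switch and the function names are hypothetical names chosen for this example; writing the machine-wide (HKLM) key requires an elevated session.

```powershell
# Added example: audit, and optionally enforce, the Windows Autorun policy.
# NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables Autorun on all of them.
param(
    [switch]$Enforce   # hypothetical switch: write the policy instead of only reporting
)

$ValueName  = 'NoDriveTypeAutoRun'
$AllDrives  = 0xFF
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current user
)

function Get-AutorunState {
    param([string]$Key)
    # A missing key or value means no policy is applied at this location.
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    $current = $null
    $display = '(not set)'
    if ($item) {
        $current = [int]$item.$ValueName
        $display = '0x{0:X2}' -f $current
    }
    [pscustomobject]@{
        Key      = $Key
        Value    = $display
        # Disabled only when every drive-type bit is set.
        Disabled = ($null -ne $current) -and (($current -band $AllDrives) -eq $AllDrives)
    }
}

function Set-AutorunDisabled {
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $ValueName -Value $AllDrives `
        -PropertyType DWord -Force | Out-Null
}

foreach ($key in $PolicyKeys) {
    $state = Get-AutorunState -Key $key
    if ($Enforce -and -not $state.Disabled) {
        Set-AutorunDisabled -Key $key
        $state = Get-AutorunState -Key $key   # re-read to confirm the write took effect
    }
    $state   # emit one report row per policy location
}
```

Run without arguments, the script only reports the current state, so it can be used as a periodic check that the setting has not been reverted.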