Social engineering is an innocent-sounding name for a devious set of skills. The job of a social engineer is to manipulate or trick people into giving away confidential information or access. Those targeted by social engineers often won’t realize it until it’s too late to do anything about it. Unlike many security problems that can be solved with technical controls, protecting yourself against social engineering requires human judgment. It’s important to have at least a basic understanding of what social engineering is and how it works so that you can avoid becoming a victim.

There are countless ways that fraudsters use social engineering to collect sensitive information. Here are a few examples:

Vishing

Vishing is phishing over the phone. You may get a call from someone claiming to be in your IT department or from your bank. They may say something like, “I’m in the IT department and we’re investigating a security issue with your account. Can you give me your password to help us track down the problem?” A real IT department or bank never needs your password to investigate a problem.

Phishing

Emails (or text messages, where the same trick is called smishing) that lure you into divulging your password or other information. For example, a message may say, “Your Amazon order totaling $976.22 is complete. If you did not make this purchase, click this link to stop the order.” The link leads to a lookalike login page that captures whatever you type into it.

Baiting

Leaving a USB drive or other media loaded with malicious content in a public place in the hope that someone will pick it up and plug it into their computer.

These are only a few examples. The full list is extensive and includes any method of targeting a person in order to gain access to data, systems or information the attacker wouldn’t otherwise have. It plays on our desire to trust and help others, which is a serious weakness when it comes to protecting yourself online.

There are a few tips to remember to ensure you’re not the victim of social engineering.

Don’t Share Your Password

First, don’t give out your password to anyone. Even if your trusted IT person asks for it, it’s okay to say “no”. Legitimate IT staff don’t need your password; if they have to get into your account, they can reset it through the normal process, and you will know about it.

While we’re on the subject of passwords, many websites now require that you provide answers to “security questions”. The problem with security questions is that the answers are often public or easy to guess, so someone other than you can use them to get into your account. For example, if a question asks, “Where did you grow up?”, an attacker can easily look on sites such as Facebook and view your hometown. Even if you don’t specifically list your hometown, they can look at where most of your friends live and make a good guess.

Or consider the question, “What is your maternal grandmother’s first name?” This can likely be obtained with just a little internet sleuthing. You could also imagine someone trying to trick you through a simple conversational question such as, “Both my grandmothers were named Beatrix, which always fascinated me. What were your grandmothers’ names?” A few simple, directed questions like that and you’ve suddenly given up all the information someone needs to access your bank account.

You may want to consider using fictitious information when answering security questions; treat the answers like extra passwords rather than facts. If you use this trick, make sure you remember your answers, or store them alongside the account’s password in a password manager.

Don’t Click Suspicious Links, Especially in Email

Next, don’t click on suspicious links. When you see the Amazon message stating that you’ve made a large purchase that you know you didn’t make, DO NOT CLICK THE LINK! Attackers are hoping that in a brief moment of panic you’ll click the link before thinking.

If you get these types of email, go to Amazon.com directly, log in to your account normally, and check for activity. These messages also commonly come from people pretending to be Microsoft, PayPal, Apple, UPS, etc. As a general rule, it’s almost always a bad idea to click links in email: the text you see can say one thing while the link itself goes somewhere else entirely (hovering over a link without clicking shows its real destination). These links notoriously lead to pages that install malicious software on your computer, or to lookalike login pages that capture your password. In each case, report the questionable email to your IT department if you have one, delete it, and go directly to the website in question by typing its address in your browser (Microsoft.com, Apple.com, PayPal.com, etc.).
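To make the “the text says one thing, the link goes somewhere else” point concrete, here is an added example (not code from the original article or from E2C) that pulls every link out of an HTML email body and flags the ones a careful reader should refuse to click: links to a bare IP address, links whose visible text shows a different domain than the real target, and links that mention a brand but do not go to that brand’s domain. The sample message is constructed for this example and modelled on the fake “large order” lure above; the brand-to-domain table is an assumption, not an authoritative list.

```python
# Added example: flag links in an HTML email whose visible text or brand cue
# does not match where the link actually goes. The sample message below is
# constructed for this demonstration; the brand table is an assumption.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the article names, mapped to the domain their real mail links to.
# Assumed for the example; a real deployment would use a maintained list.
BRAND_DOMAINS = {
    "amazon": "amazon.com",
    "paypal": "paypal.com",
    "microsoft": "microsoft.com",
    "apple": "apple.com",
    "ups": "ups.com",
}


def registered_domain(host: str) -> str:
    """Crude 'last two labels' registrable domain: mail.amazon.com -> amazon.com.
    Fine for the .com-style hosts used here; not a public-suffix-list lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside the current anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mentions_brand(brand: str, text: str, host: str) -> bool:
    """True if the brand appears as a word in the link text or as a label in the host."""
    in_text = re.search(rf"\b{brand}\b", text.lower()) is not None
    in_host = brand in re.split(r"[.-]", host.lower())
    return in_text or in_host


def check_links(html_body: str):
    """Return a list of (href, text, reason) for links worth refusing to click."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registered_domain(host)
        reasons = []
        # 1. A raw IP address instead of a hostname is never how a brand links to itself.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("link goes to a bare IP address")
        # 2. The visible text shows a URL or domain that differs from the real target.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registered_domain(shown.group(1)) != target:
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        # 3. A brand is named in the text or the host, but the host is not that brand's domain.
        for brand, real in BRAND_DOMAINS.items():
            if mentions_brand(brand, text, host) and target != real:
                reasons.append(f"mentions {brand} but host {host} is not {real}")
                break
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample message modelled on the fake "large order" lure in the article.
SAMPLE_EMAIL = """
<p>Your Amazon order totaling $976.22 is complete.</p>
<p>If you did not make this purchase,
<a href="http://amazon.com-orders.example.net/cancel">click here to stop the order</a>.</p>
<p>Or visit <a href="http://203.0.113.7/login">https://www.amazon.com/orders</a></p>
<p>Genuine link for comparison:
<a href="https://www.amazon.com/gp/css/order-history">Your Orders</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}\n    {reason}")
```

Run against the sample, the first two links are flagged (the first because the host merely contains “amazon” inside someone else’s domain, the second because the displayed Amazon URL actually points at an IP address) and the genuine Amazon link passes. The domain check is deliberately simple; the lesson is that the displayed text is never evidence of where a link goes.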

Don’t Put Unknown USB Drives (or CDs or Disks) in Your Computer

“Baiting” is another way that criminals gain access to confidential information. This normally involves leaving a USB thumb drive in a parking lot where it is picked up by the victim. The person who finds the drive will likely put it in their computer hoping to identify the owner. Once the drive has been connected to the computer, the attacker’s software can be quickly and silently installed, either from files on the drive or because the device presents itself to the computer as a keyboard and types commands on its own. This software may provide secret, remote access to the computer. It may send confidential information out to the internet. There are even “USB killer” devices that discharge high voltage into the port and can destroy the computer the moment they are plugged in.

If you find a mysterious USB drive, don’t risk putting it into your computer. If you’re concerned that there may be something important on the drive, the best thing to do is give the drive to your IT department for investigation. If you have any doubt, just get rid of the drive.

As nice as it is to think that everyone on the internet is just sharing cat videos, the truth is that you are always being targeted by others with malicious intent. Knowing that you’re better equipped to prevent social engineering than your computer, be smart when you go online and be extra careful about who you share information with. If in doubt, it’s better to be safe than sorry.

Need help securing your computers and data? Need to train your employees on how to avoid vishing, phishing, baiting, pharming, and smishing attacks? We can help! Contact us to find out how.


E Squared C is a managed service provider (MSP) providing professional IT services for businesses in Nevada and California. By partnering with E2C, your business gains a team of experts who solve IT problems with reliable, efficient, and secure IT management services. Contact us to find out how our experts can help your business!