What is Social Engineering?
Have you ever heard about Social Engineering?
This is the art of manipulating people into doing things, particularly security-related—such as giving away computer access or revealing confidential information. Rather than breaking into computer networks or systems, social engineers use psychological tricks on humans.
In many cases, these hackers use small pieces of information to gain trust or access so they can then carry out their cons fully. Here are a few examples:
- A hacker might call saying your credit card has been flagged for unusual activity and the bank needs to verify your information (credit card number, mother’s maiden name, etc.) before issuing a replacement. He or she will offer up the last four digits of your card and perhaps the date and amount of a recent transaction (things easily found in your trash) to gain your confidence and make this sound legit.
- Another classic con is when an attacker poses as someone in your company or a consultant (e.g., tech support—complete with fabricated ID card and clipboard) or another trusted outside authority such as an auditor. With a little confidence, anyone could just tailgate their way into any building.
- Hackers might even pose as your Facebook friends or other social media connections and then glean information from your profile or your posts.
- Phishing attacks and rogue websites that pretend to be trusted companies all also fall into this category of cons.
- And, as we’ve seen recently, hackers can get into accounts through lax company procedures that require only minimal bits of information (e.g., billing address and email) to identify users.
Social engineering, as you can see, relies on our gullibility and the limited amount of information we use to verify people’s identities.
How to Avoid Being The Victim of a Social Engineering Hack
The most important thing you can do to prevent being socially engineered yourself is to embrace healthy skepticism and always be as vigilant as you can. Just being aware of common tricks puts you one step ahead of the game (but don’t get too cocky—remember, question everything).
Never give out any confidential information—or even seemingly non-confidential information about you or your company—whether it’s over the phone, online, or in-person, unless you can first verify the identity of the person asking and the need for that person to have that information. You get a call from your credit card company saying your card has been compromised? Say okay, you’ll call them back, and call the number on your credit card rather than speaking to whoever called you.
Always remember that real IT departments and your financial services will never ask for your password or other confidential information over the phone.
Minimize The Damage Done from Socially Engineered Attacks
You can protect yourself from phishers, scammers, and identity thieves, but there’s only so much you can do if a service you use is compromised or someone manages to convince a company they’re you. You can, however, take a couple of preventative measures yourself.
- Avoid having all your eggs in one basket (or the dreaded “single point of failure”): The more intertwined and dependent your accounts are the more widespread the damage a security breach can cause you—e.g., if you use your Gmail address for every service’s password recovery.
- Use different logins for each service and secure your passwords: In a similar vein, never use the same password more than once. And make sure your passwords are strong.
- Use two-factor authentication: This makes it harder for thieves to get into your account, even if your username and password are compromised.
- Get creative with security questions: The additional security questions websites ask you to fill in are supposed to be another line of defense, but often these questions are easily guessed or discoverable (e.g., where you were born). You can shift the letters in your answer or use your own special coding system to make sure only you know those security answers.
- Use credit cards wisely: Credit cards are the safest way to pay online (better than debit cards or online payment systems like PayPal) because of their strong protections. If you use a debit card and a hacker gets access to the number, your entire bank account could be drained. You can further secure your credit card by not storing card numbers on websites or by using disposable or virtual card numbers (offered by Citibank, Bank of America, and Discover).
- Frequently monitor your accounts and personal data: To be on the lookout for both identity theft and credit card fraud, check in with your account balances and credit score regularly. Several services offer free ID theft monitoring, credit monitoring, and alerts for questionable credit charges. You can even use Google Alerts as an identity theft watchdog.
- Remove your info from public information databases: Sites like Zabasearch and PeopleFinders publish our private information (like address and date of birth) online for all to see.
- Regularly back up! No explanation necessary, right?
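As an added example of the "own special coding system" suggested above (this is not code from the original article), here is a small Python helper that derives a distinct, non-guessable security-question answer for each site from one memorised master secret, so a birthplace that is public knowledge, or an answer leaked by one site, tells an attacker nothing about your answer elsewhere. The master secret, site names, and answers are constructed placeholders.

```python
import hashlib
import hmac
import string

# Output alphabet: lowercase letters and digits, easy to type into any form field.
ALPHABET = string.ascii_lowercase + string.digits


def coded_answer(master_secret: str, site: str, question: str,
                 true_answer: str, length: int = 12) -> str:
    """Derive a per-site security-question answer from one memorised secret.

    The real answer (e.g. a birthplace) is mixed with the site name and the
    question text under an HMAC keyed by the master secret, so the value a
    site stores is unrelated to the real fact and differs on every site.
    """
    # Normalise case and surrounding whitespace so "Where were you born?"
    # and "where were you born? " yield the same answer.
    fields = (site, question, true_answer)
    message = "\n".join(f.strip().lower() for f in fields).encode("utf-8")
    digest = hmac.new(master_secret.encode("utf-8"), message,
                      hashlib.sha256).digest()
    # Treat the 256-bit digest as one big integer and write it out in base
    # len(ALPHABET); this avoids the modulo bias of mapping single bytes.
    n = int.from_bytes(digest, "big")
    chars = []
    while len(chars) < length:
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def answers_for(master_secret: str, true_answer: str, sites: list,
                question: str = "Where were you born?") -> dict:
    """Convenience wrapper: one coded answer per site for the same question."""
    return {s: coded_answer(master_secret, s, question, true_answer)
            for s in sites}


if __name__ == "__main__":
    # Constructed placeholder values for illustration only.
    secret = "placeholder-master-secret"
    for site, ans in answers_for(secret, "Springfield",
                                 ["bank.example", "mail.example"]).items():
        print(f"{site:14} -> {ans}")
```

The master secret must be something only you know and never typed into a website; if you forget it, the answers cannot be recovered, so treat it with the same care as a password-manager passphrase.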
These steps won’t prevent your account from being compromised if a service provider falls for a social engineering hack and hands your account over to the attacker, but they may at least minimize the damage possible and also give you more peace of mind that you’re doing as much as you can to protect yourself.