You can protect your passwords, install antivirus software, and set up a firewall, but ultimately, hackers can always exploit a weak link: humans. A whole type of hacking, known as social engineering, has developed around this vulnerability. Using a combination of technical hacking, interpersonal skills, and manipulation, the social engineer can extract sensitive information from a target. Despite the craftiness of social engineering attacks, it is possible to spot them and protect yourself from them.
1. Phishing Attacks
Phishing is the practice of disguising emails and other messages as though they came from reputable sources with the goal of influencing the recipient to reveal sensitive information. The title and content of the messages are usually worded to induce fear, create a sense of urgency, or pique your interest with freebies. For example, receiving an email with the title "Urgent: You are entitled to a Tax Refund" might prompt you to make rash decisions, thinking there's a limited window in which to claim this supposed refund.
How to Protect Yourself From Phishing
- Don't click on links in emails. If you have doubts about the safety of an email, don't click its links, even if they look legitimate. Instead, open the email on your desktop and hover your mouse over the link to preview the URL. In a phishing email, the preview usually shows that the link leads to a suspicious website rather than the one the text claims. You can also paste the link into a URL-checking service to see whether it has been reported as malicious.
- Don't download attachments. The easiest way to infect your device with malware is to download attachments. Most web-based mail clients will scan attachments to let you know if they are safe, but they're not foolproof. If you do download an attachment, scan it with an antivirus before opening it. Also, check the file extension. Cybercriminals often disguise malware as something like "document.pdf.exe" to trick you into seeing the attachment as a PDF document instead of an executable program. To be on the safe side, never open (or download) ".exe" attachments.
- Check the sender's address. Does the sender's name match their email address? A sender might appear as "PayPal" but the address may look like "firstname.lastname@example.org" or "email@example.com." If the email address looks unusual, then don't click on any links or download attachments.
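The three checks above can be expressed as code. The following script, added here as an illustration and not part of the original article, parses a constructed sample message and flags the same red flags a careful reader would look for by hand: a display name that claims a brand whose domain does not match the address, an attachment with a double extension such as "document.pdf.exe", and a link whose visible text shows one host while the real target is another. The BRAND_DOMAINS table and the sample email are assumptions made for the example.

```python
"""Heuristic phishing checks for a raw email message. Example code for this
article, not a product; the brand table and sample message are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Assumed mapping of brand words seen in display names to the domains that
# brand really sends from. In practice this comes from your own configuration.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}

# File extensions that run as a program when opened on a typical desktop.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs", ".ps1", ".msi"}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message (not a real phishing email) used for the demo.
SAMPLE_EMAIL = """From: PayPal <email@example.com>
To: you@example.org
Subject: Urgent: You are entitled to a Tax Refund
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Claim now: <a href="http://refund-claim.example.net/login">https://www.paypal.com/refund</a></p>
--b1
Content-Type: application/octet-stream; name="document.pdf.exe"
Content-Disposition: attachment; filename="document.pdf.exe"

MZ...
--b1--
"""


def sender_mismatch(from_header):
    """Return (display_name, domain) when the display name names a brand but
    the address domain is not one of that brand's domains; otherwise None."""
    name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower():
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                return name, domain
    return None


def risky_attachment(filename):
    """True for executable extensions, including double extensions such as
    document.pdf.exe, where only the last suffix decides what actually runs."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    return bool(suffixes) and suffixes[-1] in EXECUTABLE_SUFFIXES


def link_mismatches(html):
    """Find anchors whose visible text is a URL on one host while the href
    (what hovering the mouse reveals) points at a different host."""
    found = []
    for href, text in LINK_RE.findall(html):
        shown, target = urlparse(text.strip()), urlparse(href.strip())
        if shown.hostname and target.hostname and shown.hostname.lower() != target.hostname.lower():
            found.append((shown.hostname.lower(), target.hostname.lower()))
    return found


def assess_message(raw):
    """Run all three checks over a raw RFC 822 message and collect findings."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {
        "sender_mismatch": sender_mismatch(str(msg["From"])),
        "risky_attachments": [
            part.get_filename() for part in msg.iter_attachments()
            if part.get_filename() and risky_attachment(part.get_filename())
        ],
        "link_mismatches": link_mismatches(html),
    }


if __name__ == "__main__":
    for key, value in assess_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

None of these checks proves a message is malicious on its own; a legitimate newsletter may send from a third-party domain, and a plain ".pdf" can still be dangerous. They are cheap first filters that surface the mismatches a phisher relies on you not noticing.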
2. Vishing Attacks
Vishing is similar to phishing but more personal. Instead of texting or sending an email, the threat actor calls the target, pretends to be a legitimate employee of a company or government agency, and tries to establish rapport. The attack works because talking to an actual human leads people to lower their usual defenses. A common example is the Windows tech support scam, where a threat actor asks you to "verify" your password, a one-time passcode (OTP), or other confidential information.
How to Protect Yourself From Vishing
- Verify the caller's identity. If someone claims to be from your bank, do a security check. Get a full name, department, and branch. Then, visit your bank's official website and call customer service on a separate line. Only proceed once you are confident the caller is who they say they are.
- Don't share your account PIN, password, or OTP over the phone. No one should call you to ask for your credit card information, social security number, account password, or card PIN over the phone. If someone asks for these details, it is most likely a scam. End the call and report the incident to your bank's security center.
- Be wary of personable callers. While some people are just nice and genuinely fun to talk to, this can also be part of the social engineer's tactic to make you feel at ease and more likely to disclose information.
3. Social Media Scams and Catfishing
If you look up your full name on Google, you will most likely see your digital identity and footprint. This includes links to your Twitter, LinkedIn, Facebook, or Instagram accounts, as well as pictures of you. Now, consider what information you get from those links—approximate (or detailed) location, places you visit, friends, place of work, and more. It can be terrifying just how much information you post, even when you don't mean to.
Cybercriminals can scrape the web for this data, use it to understand you, then craft and launch an effective social engineering attack. They may pretend to be old classmates, acquaintances from a trip you went on a long time ago, or even a secret admirer.
How to Protect Yourself From Social Media Scams
- Consider what you post. Avoid geotagging your photos, or use only a general location such as the city or country. Look for sensitive information in the photo background and remove or blur it.
- Adjust your privacy settings. Social networks want you to share everything with everyone (that's why Facebook's privacy settings are so complicated), but you can still take control of your privacy with those settings. For example, you can restrict who can view your account activity to friends only, or even handpick the contacts who can see a post.
- Cull friends you don't know. If you created your account a long time ago, odds are you have friends you don't even know and have never interacted with. Removing people you don't know from your friends list can help reduce the chance that your posts will be seen by strangers.
- Prevent search engine indexing. Social media platforms like Pinterest, Facebook, Reddit, and LinkedIn have settings you can enable to keep your account out of search results. On most of these platforms the option is labeled something like "disable search engine indexing."
- Go private. A private account means that only followers you approve can see your posts. You don't have to make all your social media accounts private. The ones where you're more likely to disclose personal stuff or life events will do.
- Think before you post. Just because the option to post is there, doesn't mean you have to. Thinking about what you post can help you avoid over-sharing publicly and create a healthier relationship with technology.
4. Dumpster Diving
You most likely still get confidential information (medical records, bank statements, or correspondence from the government) in your physical mailbox. And if you bring work stuff home, odds are some papers will end up in the trash. Your garbage can be a treasure chest to determined attackers. Dumpster diving is when someone rifles through the trash with the hope of finding information about you they can use for malicious purposes.
How to Keep Your Private Files From Dumpster Divers
- Shred everything. Individual pages may seem harmless and it's difficult to see the harm in throwing away a receipt. However, when put together with other documents, trashed papers may provide attackers with enough context to know more about you than you intended. Shred or thoroughly tear papers into pieces before you discard them.
- Move online if you can. Doing your business on the internet generates less paperwork for you, and is arguably more convenient. Most banks and service providers have moved online. If your service provider allows for online statements, consider using those instead.
- Keep confidential information safe. It seems old-fashioned, but if you need to keep paper copies of documents containing private or confidential information, keep them behind lock and key in a safe.
5. Baiting Attacks
Appealing to people's curiosity (or sense of greed) is what makes this attack work. The attacker leaves an infected USB drive, CD, or other physical media where it will be found and waits for someone to pick it up, plug it into their machine, and become infected.
How to Protect Yourself From Baiting Attacks
- Don't use random USBs or storage devices. If you don't know what it is, don't plug it into your machine.
- Install an antivirus suite. If you connect an unknown device to your computer, ensure you have the best protection you can. Some malware can evade, and even disable, antivirus software, but a lock on the door is better than leaving it wide open.
6. Tailgating
This attack is most often, though not exclusively, directed at companies. Tailgating is when an attacker gains entry to a physical building by following closely behind an authorized person through a controlled door.
How to Protect Yourself From Tailgating
- Be aware of who is around you. A good attacker won't stand out, but if someone you don't recognize has been following you around all day, keep an eye on them.
- Don't be afraid to question. Tailgating is most common at work, where an attacker is hoping to gain information about the company. If someone follows you into your work building, ask them where they are going, and if you can help them find their way. Doing this may cause the criminal to give up on their attack.
7. Typosquatting
It's too easy to misspell a website address, and that's exactly what the social engineer is counting on. These attackers register domain names that resemble popular destinations (think "Amozon" rather than "Amazon") and then use those pages either to redirect users or to capture login details for the real site. Some of the larger sites already give you a helping hand here by redirecting common misspellings of their URL to the correct one.
How to Protect Yourself From Typosquatting
- Pay attention when typing website addresses. Before entering a password, glance at the address bar and confirm the domain is spelled exactly as you expect.
- Install good antivirus software. Some of the typosquatting sites are going to try and get you to download malware. A good antivirus suite will alert you to malicious files and websites before they cause real harm.
- Bookmark frequently visited sites. This way, you will always know that you are heading to the right website.
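A bookmark list can do more than save typing: it can serve as a reference set for spotting lookalike addresses. The script below is an added example, not part of the original article or any browser feature. It compares the domain you are about to visit against a small constructed list of sites you use (standing in for your bookmarks) and flags near-misses such as "amozon.com" using edit distance, after first normalising common look-alike characters (0 for o, 1 for l, "rn" for m). The TRUSTED_HOSTS list and the distance threshold are assumptions for the example.

```python
"""Lookalike-domain check against a list of sites you actually use.
Example code for this article; the trusted list is constructed."""
from urllib.parse import urlparse

# Assumed allowlist standing in for the reader's bookmarks.
TRUSTED_HOSTS = {"amazon.com", "paypal.com", "github.com"}

# Single characters that pass for letters at a glance.
CONFUSABLE_CHARS = str.maketrans("0135", "oles")


def normalise(domain):
    """Fold look-alike characters so 'paypa1' and 'arnazon' read as the
    brand they imitate before any distance is measured."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLE_CHARS)


def registrable(host):
    """Naive registrable domain: last two labels. This mishandles suffixes
    such as co.uk; a real tool would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED_HOSTS, max_distance=2):
    """Classify a URL as 'trusted' (exact bookmark), 'lookalike' (within
    max_distance edits of a bookmark after normalisation) or 'unknown'.
    Returns (verdict, domain, closest_trusted_or_None)."""
    host = urlparse(url).hostname or ""
    domain = registrable(host)
    if domain in trusted:
        return "trusted", domain, None
    norm = normalise(domain)
    closest = min(sorted(trusted), key=lambda t: edit_distance(norm, normalise(t)))
    if edit_distance(norm, normalise(closest)) <= max_distance:
        return "lookalike", domain, closest
    return "unknown", domain, None


if __name__ == "__main__":
    for u in ("https://www.amazon.com/dp/123", "http://amozon.com/login",
              "http://paypa1.com/signin", "https://example.org/"):
        print(u, "->", check_url(u))
```

An "unknown" verdict is not a warning in itself; most of the web is unknown to your bookmarks. The useful signal is "lookalike": a domain that is almost, but not quite, one you trust, which is exactly the case where typing the address by hand or following a link in a message deserves a second look.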
8. Clickjacking
Clickjacking is a technique used to trick a user into clicking on something different from what they think they are clicking on.
An example of this would be if a "lolcat" video were posted on Facebook that looked like a YouTube video. You click the play button but instead of watching some cats roll around, you end up on a page asking you to download software, or anything other than watching that cat video.
How to Protect Yourself From Clickjacking
- Don't use in-app browsers. In-app web browsers don't have the same functionality as your default web browsers and may not alert you when you visit malicious sites.
Social Engineering Attacks Are Clever but Can Be Avoided
As an individual, you have a degree of "privacy through obscurity." So, unless you are a celebrity or an employee of a company, you are unlikely to be specifically targeted. Regardless, keep these habits in mind, but don't let them control your life.