Social-engineering attacks use psychology to manipulate their targets into revealing financial information. Techniques use human emotions and instincts to drive people to act against their best interests.
How Social Engineering WorksA social-engineering attack starts with a hacker convincing one under-informed, stressed, or trusting person to do what they say. They identify targets who have confidential information, money or credentials.
- email address
- phone number
- social media account
Once a scammer has information, they offer a “hook” to interest you. When the hook attracts you, the thief executes the social engineering attack.
For example, you could click on a link for a give-a-way or a job interview, and the scammer secretly installs malware on your device. Your computer is infected, and confidential information is stolen.
The scammers then disappear, leaving little evidence behind.
Scammers Use Phishing, Vishing, and SmishingPhishing attacks use malicious websites or emails to gather personal information by posing as a trustworthy source.
They may send an email from a credit card company you do business with requesting information to verify your account. When the victim responds, the scammers gain access to their accounts.
Vishing leverages voice communication. It is combined with other social engineering to convince a target to call a number. The criminal then tries to convince the victim to send money for a family member’s emergency or share financial information by posing as a trusted business.
- email addresses
- phone numbers
Common Indicators of PhishingThere are several signs to look for that indicate phishing. First, check the suspicious sender’s email address. It may look like a reputable company, but you may notice it’s been slightly altered. For example, a few characters may be changed or omitted.
A trusted organization will write a personalized greeting. But a phishing email will be a generic such as “Dear Valued Customer.”
Poor grammar or misspellings are an indicator. A reputable company will have cleanly written emails.
An email may use a sense of urgency or importance to open an attachment. When you open it, it delivers malware.
Avoid Social Engineering Like PhishingBe very suspicious of unsolicited phone calls. If an unknown person calls you and can’t verify themselves, hang up and verify the caller with the company. Call the number you have or look it up. Don’t use a number the caller gives you.
To avoid clicking on a spoofed hyperlink or website, hover over the URL with the cursor. Look to see if the text matches the URL (website address). If it doesn’t match, it’s spoofed. Better yet, don’t open any links in emails you’re unsure about.
Never reveal any personal information online. If you think the company is legitimate, verify it by contacting it directly. Go to the company’s website or call them. Don’t click through the link on the email, look the website up separately. Also, don’t call the number on the email; look it up.
Baiting and Water-Holing Jeopardize FinancesThe difference between baiting and phishing is the source. Baiting poses as a legitimate company to convince the victim to turn over personal information.
Baiting is like dangling a lucrative carrot in front of the victim. The goal is to have the victim take action. Something could be the free download of a movie or a free offer from your favorite store. Once acted on, the victim’s computer is infected. Personal information is then stolen.
Baiting could also be a website set up to look legitimate. It will offer something discounted to gain access to your credit card information.
Water-holing takes advantage of people who regularly visit and trust a website. The criminal will gather information on a targeted group of individuals to determine the favored websites.
Avoid Baiting and Water-HolingOne way to avoid baiting is never to follow links. Be skeptical about any emailed offers. Always use antivirus and anti-malware software.
A watering hole attack takes advantage of any vulnerabilities in your device’s software. So make sure your software is always up to date.
Protect Against Social Engineering AttacksNinety-eight percent of all cyberattacks are social engineering. It’s vital to be vigilant and just use good common sense. Make a habit of suspecting any unsolicited email or phone call received.
Verify the identity of everyone who contacts you. And don’t use their email address or phone number; look up the legitimate one.
It might be cliché, but if something seems too good to be true, it is.