Take the steps to protect your data. CREDIT: Graphic Design by Karen Clay

Most of us are social beings. We enjoy connecting with and helping each other, and we engage in social traditions to solidify our connections to each other. It's no surprise, then, that cyber criminals exploit our inclination to trust, our willingness to assist, and our need to belong. This fundamental aspect of our nature is what makes social engineering so effective. Our social behaviors can lead us into traps set by bad actors, so understanding this vulnerability is crucial to recognizing when our social instincts are being manipulated for nefarious purposes. Knowledge is powerful, so here are 12 ways in which bad actors attempt to use our social nature to gain access to our personal, financial and other data, along with ways to mitigate each attempt. Armed with this information, we can take the necessary steps to protect ourselves while still engaging positively with the world around us.

  1. Whaling: Phishing attacks that target high-profile individuals such as executives or wealthy individuals. Purpose: To gain access to valuable information or high-value assets. Avoidance: Train high-level executives and other key personnel to recognize phishing attempts, and implement robust email filtering and authentication protocols.
  2. Pretexting: Creating a fabricated scenario to obtain private information from an individual. Purpose: To gather information for further attacks or to gain unauthorized access to systems. Avoidance: Always verify the identity of the person requesting information, especially if the request is unusual or sensitive. Use established communication channels.
  3. Baiting: Leaving a physical device, such as a USB drive, in a location where it will be found and used by someone. Purpose: To install malware or gain access to a network. Avoidance: Do not insert unknown USB drives or download files from untrusted sources. Use antivirus software to scan any new devices.
  4. Quid Pro Quo: Offering a service or benefit in exchange for information or access. Purpose: To exploit individuals' desire for help or services. Avoidance: Be skeptical of unsolicited offers of help or services, especially if they require access to your personal information or systems.
  5. Piggybacking: Convincing someone to allow you to follow them into a restricted area, often by pretending to have forgotten your access card. Purpose: To gain unauthorized entry to secure areas. Avoidance: Never allow someone to enter a secure area with you unless you can verify their identity and authorization.
  6. Impersonation: Pretending to be someone else to gain access to information or systems. Purpose: To trick individuals into divulging sensitive information or granting access. Avoidance: Verify the identity of anyone requesting sensitive information or access, particularly through unexpected or unofficial channels.
  7. Shoulder Surfing: Observing someone entering sensitive information, such as a PIN or password. Purpose: To steal login credentials or other sensitive information. Avoidance: Be mindful of your surroundings when entering sensitive information. Use privacy screens on devices and avoid entering passwords in public places.
  8. Social Media Mining: Collecting information from social media profiles to use in social engineering attacks. Purpose: To gather personal details that can be used for targeted attacks. Avoidance: Limit the amount of personal information you share on social media. Adjust privacy settings to restrict access to your posts and profiles.
  9. Honey Trap: Using romantic or sexual lures to manipulate individuals into revealing sensitive information. Purpose: To exploit personal relationships for access to information. Avoidance: Be cautious about forming online relationships, especially with individuals who request personal information or favors early on.
  10. Reverse Social Engineering: Creating a problem and then offering a solution, making the target seek out the attacker for help. Purpose: To gain the target's trust and obtain sensitive information. Avoidance: Verify the legitimacy of any unsolicited offers of help. Contact the supposed helper through official channels before providing any information.
  11. Evil Twin Attack: Setting up a rogue Wi-Fi network that appears to be legitimate in order to intercept data from users who connect to it. Purpose: To steal sensitive information such as login credentials or financial information. Avoidance: Avoid connecting to public Wi-Fi networks, especially those without passwords. Use a VPN when accessing the internet from public places.
  12. Scareware: Using alarming messages to scare users into thinking their system is infected with malware, prompting them to take immediate action. Purpose: To trick users into installing malware or paying for fake security services. Avoidance: Do not trust unsolicited security alerts. Use reputable antivirus software and run regular scans on your system.
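The Whaling and Impersonation items above both recommend email authentication and identity verification as the defense. The following is an added example, not code from the original article or its author, showing what a simple mail-gateway check for executive impersonation can look like: it reads the `Authentication-Results` header (RFC 8601 format), and flags messages that carry an executive's display name from an outside domain, that claim the organization's own domain without a DMARC pass, or whose `Reply-To` points somewhere other than the `From` domain. `ORG_DOMAIN`, `EXECUTIVES` and the three sample messages are constructed for illustration.

```python
"""Flag inbound mail that looks like executive impersonation (whaling).

Added example, not from the original article. Everything below that names a
domain, person or message is constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                 # constructed: the organization's own domain
EXECUTIVES = {"jane doe", "jane doe (ceo)"}  # constructed: display names worth protecting


def auth_results(msg):
    """Return {method: result} parsed from every Authentication-Results header,
    e.g. {"spf": "pass", "dkim": "pass", "dmarc": "fail"} (RFC 8601 syntax)."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.IGNORECASE):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw):
    """Return a list of human-readable reasons the message is suspicious.
    An empty list means none of the checks fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    reply_domain = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    reasons = []

    # 1. An executive's name on a From address outside the organization.
    if name.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        reasons.append("executive display name from external domain")

    # 2. A message claiming to be from us must have passed DMARC at our MX.
    if from_domain == ORG_DOMAIN and auth_results(msg).get("dmarc") != "pass":
        reasons.append("claims our domain but DMARC did not pass")

    # 3. Replies silently redirected to a different domain than the sender's.
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    return reasons


# Constructed sample messages (not real mail).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Quarterly numbers
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

See attached.
"""

LOOKALIKE = """From: Jane Doe <jane.doe@external.test>
To: finance@example.com
Reply-To: Jane Doe <j.doe@webmail.test>
Subject: Urgent request
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=external.test; dkim=pass header.d=external.test; dmarc=pass header.from=external.test

Please handle this today.
"""

SPOOFED = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Urgent request
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail (p=REJECT) header.from=example.com

Please handle this today.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(label, "->", assess(sample) or "no findings")
```

The DMARC check only applies to mail that claims the organization's own domain; a lookalike domain will often pass SPF, DKIM and DMARC for *its own* domain, which is why the display-name and `Reply-To` checks are needed alongside it. In a real gateway these findings would feed a quarantine or banner rule rather than a print statement.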

Understanding these tactics and implementing the associated preventive measures will enable you to significantly reduce the risk of falling victim to them.

Karen Clay, Clay Technology and Multimedia