Social engineering differs from regular hacking in that social engineers access confidential information with your permission. In essence, they’re con artists good enough to convince you to give them your information outright or manipulate you into thinking their access is legitimate.
Here are five examples of social engineering attacks:
Baiting involves dangling something you want to entice you into taking an action the criminal desires. It can be in the form of a music or movie download on a peer-to-peer site, or it can be a USB flash drive with a company logo, labeled “Executive Salary Summary Q1 2013”, left out in the open for you to find. Once the file is downloaded or the device is plugged in, the person’s or company’s computer is infected with malicious software that gives the criminal a foothold in your system.
Phishing involves false emails, chats, or websites designed to impersonate real systems with the goal of capturing sensitive data. A message might appear to come from a bank or another well-known institution asking you to “verify” your login information, usually by way of a mocked-up login page with all the right logos to look legitimate. It could also be a message claiming you are the “winner” of some prize or lottery, coupled with a request to hand over your bank details, or even a charity plea after a big natural disaster with instructions to wire money to the “charity”, which is really the criminal.
Pretexting is the human equivalent of phishing, where someone impersonates an authority figure or someone you trust to gain access to your login information. It can take the form of fake IT support needing to do maintenance, or a false investigator performing a company audit. Someone might impersonate co-workers, the police, tax authorities, or other seemingly legitimate people in order to gain access to your computer and information.
Quid pro quo is a request for your information in exchange for some compensation. It could be a free T-shirt or access to an online game or service in exchange for your login credentials, or a “researcher” asking for your password as part of an experiment in exchange for $100. If it sounds too good to be true, it is probably quid pro quo.
Tailgating is when someone follows you into a restricted area or system. Traditionally, this is when someone asks you to hold the door open behind you because they “forgot” their company RFID card. But it can also take the form of someone asking to borrow your phone or laptop to perform a simple action when they are actually installing malicious software.
Beware of social engineering. Although we never think it will happen to us, the con artists are sometimes clever enough to fool even the most cautious people. Understanding the types of social engineering attacks is the first step towards preventing them. A good rule of thumb is to always have a good on-premises or cloud backup in place: if something does happen to your information and data, you’ll be glad you have a copy.