What is social engineering?

Social engineering, in broad terms, is the act of influencing someone to take a specific action. Social engineers use our human nature against us. They manipulate our trust in order to get us to do what they want, whether that’s surrendering our personal information or taking actions that put University information and systems at risk.

Social engineers avoid the complicated task of breaking through computer security systems by targeting the human user. 

Social engineering requires less effort and yields greater success because it pits the attacker against a human being whose trust and desire to do good work may leave them vulnerable to deception. It is far easier for attackers to gain access to systems by simply asking for it.

Remember, you are a target.

How do social engineering attacks work?

Traditionally, social engineers ran their cons in person. With the advent of the digital age, however, attackers immediately took to social engineering as a means of getting information or system access by using impersonation to con people into trusting them. The consensus among security experts is that social engineering is the basis for most data breaches, and it represents significant risk to unaware users.

In order to influence others, attackers need to build trust. Trust is what makes a potential victim less likely to question the attacker and more likely to provide information to him or her.

In order to successfully build trust with you, attackers rely on pretexting. Pretexting is the act of establishing a context for a specific situation, specifically to facilitate a con. In social engineering, attackers disguise their true intentions by using pretexting to establish a seemingly legitimate need for your information.

Examples of pretexting include posing as an account manager at a bank to request your financial information, posing as a customer service representative at a retail store to request a credit card number, or masquerading as a help desk employee to obtain your password.

Social engineering scams use several general tactics while pretexting:

  • Impersonation: The attackers may impersonate a legitimate individual or organization to lull you into a false sense of security. “I’m from McAfee’s help desk and want to help you update your operating system to keep you protected.”
  • Urgency: The attacker may create a false sense of urgency to trick you into taking action before thinking. For example: “We must make this change immediately or no one will get paid.”
  • Innocence: The attacker may ask seemingly harmless questions to trick you into surrendering personal information without your realizing how important it is. For example: “Are you in the office today?” Or, they may ask something that could be one of your backup security questions, such as: “What is your pet’s name?” 

What are social engineering tools?

Because the attacker wants access to your device or your information, he or she needs to interact with you in some way. Interaction allows the attacker to deceive you. Attackers using social engineering have a variety of ways to contact you:

  • Email messages: Attackers can use phishing scams to trick you into visiting a malicious website, downloading malware, or replying with information.
  • Phone calls: They can use vishing scams (a portmanteau of voice and phishing) to trick you into surrendering information or clicking or texting when you shouldn’t.
  • Websites: They can use malicious websites to deliver malware, harvest information, or trick you into entering information.

How can you avoid social engineering?

  • Always be cautious, and verify information before taking action. Don’t give personal or University information to anybody you aren’t certain has a right to it.
  • Be wary of unsolicited email messages, phone calls, or visits from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
  • Do not reveal personal, financial, or confidential information, and do not respond to email solicitations for this information. This includes clicking and following links sent in email.  
  • If you are concerned about the legitimacy of a communication, forward it to reportaphish@udel.edu.

For more information, visit: https://us-cert.cisa.gov/ncas/tips/ST04-014