Social engineering is a form of manipulation that an attacker uses to get another person's sensitive security information. It is important to know how to identify social engineering and be able to effectively avoid it. Some common forms of social engineering include pretexting, all types of phishing scams, baiting, quid pro quo, and tailgating.
Pretexting is a type of social engineering tactic that is very common among scams. It typically consists of a ploy that grabs the victim's attention. For example, scammers will send texts or emails claiming:
“As an ongoing security check, please visit the link below and verify your information. There has been a rise in criminal activity, and we want to confirm that you are not being influenced.”
Scammers favor this method because many people fall for it easily. When a message sounds very formal and informative, victims tend to follow the directions the scammer gives them. This may include clicking a link or downloading an image.
Tips on avoiding pretexting:
- Don’t rush. Take the time to figure out who is messaging you.
- Does the message or call you are receiving sound legitimate? Look for grammar errors and other mistakes.
- Make sure that you are keeping your personal information safe. Don’t give it to anyone over the phone, email, or text without being sure that the person you are communicating with is who you think they are.
Quid Pro Quo
Quid pro quo style social engineering involves a scammer offering their victim a benefit in exchange for information.
“You seem to be having some computer issues. No problem, I can help! The only thing I need is your credentials…”
Sometimes “a researcher” asks you for your password as part of an experiment or tells you they could offer access to an online game/service in exchange for your login credentials. If an offer sounds too good to be true, it is most likely a quid pro quo attack.
Ways to avoid quid pro quo attacks:
- Never give personal account info unless you initiated the exchange
- Always call the company back via the number listed on their website
- Change your password regularly
Phishing is another social engineering technique in which the attacker contacts a business organization or an individual in an attempt to get hold of the victim's personal information.
Two common variants are spear phishing and vishing.
Spear phishing is very similar to phishing, but the attacker already knows the victim's name, address, and other personal information. Vishing (voice phishing) involves the attacker calling by phone to get your information.
How to avoid becoming a victim:
- Do not respond to unknown or suspicious text messages, emails, or phone calls.
- Do not use the same password across all of your accounts.
- When trying to figure out if a website is secure, check if "https" is included in the URL. The "s" stands for secure. Note that "https" only means the connection is encrypted; a phishing site can use it too, so also check that the domain name is the one you expect.
- Use up-to-date security software on all of your devices.
Tailgating is a type of real-life attack where a person impersonates someone to get into a place they do not have access to. They will pose as a company worker, maintenance worker, delivery person, or anyone else who would normally be let into the company.
The most common version is the delivery person who waits for an employee to open the door and then asks them to hold it open. This method of social engineering does not always work, especially in corporate settings. Bigger companies typically require authorization cards for almost every door. Smaller companies, however, are more accessible to an attacker who relies on charm and social skills to outsmart the people they meet.
Attackers tailgate to steal confidential information for malicious purposes. The losses from tailgating can be immense depending on the target. Companies and people can lose hundreds of thousands of dollars.
How to avoid becoming a victim:
- Educate staff on why it can be dangerous to open the door for someone they don’t know
- Train reception staff to not allow unauthorized personnel in the building
- Incorporate visitor badges
- Require employees to show their ID badges or picture IDs
- Make sure video surveillance cameras are up to date and recording
- Having security guards on the premises lowers the risk of tailgating
- Employees should avoid talking to strangers on the work premises and should never let them in using their own credentials.
Authors Mia and Milan are seniors at Northlake Christian High School in Covington and interns here at Yes Tech. They are researching cybersecurity threats and sharing prevention tactics to increase cybersecurity awareness in young adults.