Presented by Edward W. Grogan, IV
A major risk to both businesses and individuals, social engineering involves the exploitation of our very nature. Specifically, criminals use social engineering techniques to elicit feelings of fear, uncertainty, pressure, and excitement in the hope that we will deviate from the ways we typically behave. Their goal is to gain access to our sensitive information or take advantage of us for financial gain. Here, we’ll explore five ways that criminals use social engineering to scam us—and tips to avoid falling victim.
1) Impersonate an Authority Figure
People tend to comply with requests from those in authority. Knowing this, a hacker might impersonate an authority figure to pressure you to take a specific action. For example, he or she may pretend to be a law enforcement agent and send an e-mail that claims illegal content was found on your computer. He or she would then advise you to click on a link to obtain additional details. Because you wouldn’t want to be accused of doing anything illegal—and because of the perceived authority of the sender—you may not question the legitimacy of the message. But when you click on the link? Malware would be installed on your machine.
2) Send “Urgent” Requests
A sense of urgency may cause us to rush into making decisions that we wouldn’t usually make. The IRS scam is a great example of using urgency to trick people into taking ill-advised action. A con artist poses as an IRS representative and reports that, if the intended victim doesn’t immediately provide payment information for back taxes owed, a warrant will be issued for the person’s arrest. Who wouldn’t want to avoid this negative consequence? To be sure, victims of this scam often comply with the request, sending precious confidential information into the hands of criminals.
3) Exploit the Fear of Missing Out on Something Scarce
If we believe there isn’t enough of something good to go around, many of us will take ill-considered actions because we fear we’ll miss out on something we want. How would a criminal exploit this tendency? He or she might send phishing e-mails purporting to come from Apple and claiming that, because of huge demand, only a limited number of the latest iPhone is available. “If you click on a link in the message, you might be able to get one. Act now!” In reality, clicking on the link could install malware on your computer or lead you to a legitimate-looking website where you will be asked to supply personal information. Then, the hacker will have your confidential information—perhaps even your credit card number and its expiration date.
4) Put on a Friendly Persona
Some scammers put on a friendly face, doing all they can to appear likeable so that we feel comfortable dealing with them and more likely to let our defenses down. For example, a cybercriminal could pose as a computer technician, stop by your workplace, and strike up a pleasant conversation with the receptionist. Before you know it, the technician has talked him- or herself onto an office computer, ostensibly doing routine maintenance but really stealing whatever sensitive data he or she can find.
5) Pose as Someone You Trust
Social engineers sometimes try to exploit a sense of trust in others, causing potential victims to feel guilty enough to provide the scammers with what they need. These crimes usually result in bigger, immediate payoffs. For example, a scammer could pose as a friend traveling overseas and e-mail you that he or she has been mugged and needs money to return to the U.S. In a situation like this, you might trust that the sender is your actual friend and feel guilty if you don’t lend a hand. The result? You wire the money without doing enough to verify the sender’s identity.
Tips for Spotting an Attack
Now that you understand the techniques used in social engineering, let’s move on to some tips for spotting and dealing with attackers who use them:
- Be wary of any e-mail or phone call that comes with a heightened sense of urgency and that claims to require an immediate response.
- If you get an unsolicited message or call purporting to come from a familiar organization and asking for personal information, hang up and call the entity at a number you know is legitimate or type the organization’s URL directly into your browser and log in from there.
- Always verify the source of a phone call or message before fulfilling a request, clicking on a link, or downloading an attachment.
- If someone calls claiming to be from Microsoft or another tech company and requests access to your computer to fix a supposed problem, it is almost always a scam! If an individual arrives at your office with such a claim, ask for identification or verify his or her identity by calling the company for which the person supposedly works.
Because our trusting nature often prevails over our common sense, we need to stay vigilant. By understanding the human tendencies that scammers try to exploit—and the red flags that signal a potential scam—you will be well positioned to protect yourself from this growing threat.