THE ART OF SOCIAL ENGINEERING
Social engineering is a term that encompasses a broad spectrum of malicious activity. The four most common online attack types are phishing, baiting, pretexting, and quid pro quo. Protecting your financial information online has been a growing concern. As the internet becomes part of our daily lives, the need to understand online safety has also grown. As we shop online, pay monthly bills, and buy our next meal, online fraud and identity theft have grown along with it.
WHAT IS SOCIAL ENGINEERING?
Social engineering is the art of manipulating people so that a criminal can obtain confidential or personal information. Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. Regardless of what you are doing online, someone on the other end is gathering information about you. So, be careful.
What do they do with this data? Once the fraudster is armed with a deeper knowledge of their targets, they either contact the targets directly, using those specific details to appear legitimate, or they sell the information.
POPULAR SOCIAL ENGINEERING SCHEMES
Phishing is the most common type of social engineering attack. Overall, phishing scams endeavor to accomplish three things. First, they attempt to obtain personal information such as names, addresses, and Social Security Numbers. Next, they use misleading links that redirect users to suspicious websites. These sites host phishing landing pages that attempt to obtain your personal information. Third, they may threaten you or use fear and a sense of urgency. Typically, the emails or texts are poorly crafted and may contain spelling and grammar errors. For more information, visit PROTECTING YOURSELF FROM ONLINE CRIME | PHISHING, SMISHING, & VISHING.
Baiting schemes are often found on sites offering a download of something like a video or some music. But the schemes are also found on social networking sites or websites you find through search results. The scheme may also show up on classified or auction sites, top-of-page link feeds through social media, or banner ads. Always review the seller’s rating and selling history.
People who take the bait may be infected with malicious software that can lead to any number of further compromises. They may also lose money, their credit card information, and their contacts, or pay for an item they never receive.
Another form of social engineering is pretexting. Criminals focus on creating a good pretext, or fabricated scenario. Their goal is to steal their victims’ personal information. In these attacks, the scammer usually says they need the information to confirm the victim’s identity. In actuality, they steal that data and use it to commit identity theft or stage secondary attacks.
QUID PRO QUO
Similar to baiting, quid pro quo attacks promise a benefit in exchange for information. Quid pro quo usually assumes the form of a service, whereas baiting usually takes the form of a good. For example, one of the most common types of quid pro quo attacks is when the criminal impersonates the U.S. Social Security Administration (SSA) or Federal Reserve. The fraudster contacts the victim, mentions that there is a problem, and asks to confirm their Social Security Number.
TIPS FOR PROTECTING YOUR PERSONAL INFORMATION
SECURE YOUR ACCOUNTS
Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on that site. Also, make your passwords long and strong. Passwords should be a combination of capital and lowercase letters with numbers and symbols. Additionally, whenever you create a new online account, create a new and unique password for it. Separate passwords for every account help to protect your information: if one is stolen, the others remain safe.
When available, set the privacy and security settings on websites to your comfort level for information sharing. Additionally, be careful with what you share. Whichever social media platform or sites you use, you may be sharing more than you realize.
Every post and photo may contain important data that a cybercriminal could use for social engineering. The more personal information someone can gather about you, the more you are at risk for an attack. Cybercriminals are efficient and thrive on gathering data on their targets. By combing through public social media profiles, they collect valuable data on a person’s interests, employment, activities, information about their family or friends, and other history.
For example, have you ever taken a personality test online? Did you really want to know what superhero or princess character your personality most resembled? Perhaps you filled out a questionnaire of goals or life accomplishments and posted it on your feed. Basically, have you given answers that may match your security questions or where someone could pretend that they were you?
IDENTIFYING FAKE PERSONAS
When in doubt, contact your friend directly. If someone spoofs an email so that it seems to be coming from someone you know, you can still often tell that something doesn’t feel right. The email may be written in a way that your friend would never write. Ask yourself if your friend is likely to send you links or odd emails.
If it’s a company, always double-check their contact information. Do not respond directly with any personal information; tell them that you will call or contact them later. Research the company, call them directly at a trusted number, or email them at an address you are familiar with. Also, check out reviews and do your research. Are there known scams? Pearl Hawaii will often contact you via phone or email. If you are in doubt, contact 808.737.4328 (73.PHFCU), email us at MyFamily@phfcu.com, or contact us through the secured messaging system on PHFCUOnline. Additionally, Pearl Hawaii will never ask for your Social Security Number, complete credit card, or full account number to identify you. Lastly, when receiving emails from anyone or while browsing, always inspect URLs before clicking.
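As an added example (not part of the original article), the following Python script shows what “inspecting a URL before clicking” looks like when done systematically: for each link it compares the domain the reader sees with the domain the link actually goes to, and flags the tricks phishing links commonly rely on (embedded `user@` credentials, a raw IP address in place of a name, or punycode look‑alike labels). All domains and links are constructed samples using reserved `.test`/`example.com` names.

```python
from urllib.parse import urlsplit

# Constructed sample links as they might appear in an e-mail:
# (display text shown to the reader, actual href hidden behind it)
SAMPLE_LINKS = [
    ("https://www.example.com/account", "https://www.example.com/account"),
    ("https://www.example.com/login", "https://www.example.com.secure-login.test/login"),
    ("example.com", "http://203.0.113.7/verify"),
    ("https://example.com", "https://example.com@evil.test/"),
    ("https://www.example.com", "https://www.xn--exmple-cua.test/"),
]


def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.

    A real checker would consult the Public Suffix List; this is enough to show
    that 'www.example.com.secure-login.test' is NOT example.com.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(display_text, href):
    """Return a list of reasons the link deserves a second look ([] = nothing found)."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        findings.append("unexpected scheme")
    if parts.username is not None:
        findings.append("credentials ('@') embedded before the real host")
    if host.replace(".", "").isdigit():
        findings.append("raw IP address instead of a domain name")
    if "xn--" in host:
        findings.append("punycode (internationalized) label in host")
    # Display text that looks like a URL or domain should match the real destination.
    shown = urlsplit(display_text if "://" in display_text else "//" + display_text).hostname
    if shown and registered_domain(shown) != registered_domain(host):
        findings.append(
            f"display text points to {registered_domain(shown)} "
            f"but link goes to {registered_domain(host)}"
        )
    return findings


if __name__ == "__main__":
    for shown_text, real_href in SAMPLE_LINKS:
        print(real_href, "->", inspect_link(shown_text, real_href) or "no findings")
```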
WHAT DOES AN ATTACK LOOK LIKE?
EMAIL FROM A “FRIEND”
Often, these emails will contain a link, something to download, or a request for information. Sometimes, these emails ask you to update your contact information or password. If a criminal manages to hack an email password, they have access to that person’s contact list. Unfortunately, because one password is often reused in many places, the fraudster probably has access to the victim’s social network sites or other accounts as well. Sadly, the attack spreads to everyone the victim knows. Additionally, if a recipient clicks on the link or downloads the file, something malicious can infect their device in order to gather further information.
The most common form of baiting uses physical media to disperse malware. For example, attackers leave the bait, an infected flash drive, in a public area the potential victim is likely to frequent. The victim inserts the bait into their work or home computer, resulting in automatic malware installation on their system. Online forms of baiting consist of enticing ads that lead to malicious sites or that encourage users to download a malware-infected application.
RESPONSE TO A QUESTION YOU NEVER HAD
Criminals may pretend to be responding to your “request for help” from a company or product that you may or may not use. If you do not use the product or service, you will typically ignore the email, phone call, or message. If you show interest, return correspondence, or happen to use the service, there is a good chance you will respond, because you probably do want help.
For example, you receive an email, phone call, text, or message from a trusted financial institution where you happen to have an account… and you respond to their query. During their contact with you, they will eventually ask further questions, either to see how your service was or to “fix” a complaint.
The “representative,” who is actually the criminal, will then need to “authenticate you” and ask for your personal information: for example, your Social Security Number, mother’s maiden name, or current address. They may also have you log into their system or visit a specific website, where malware will be waiting.
WHAT TO DO
- Keep personal information limited.
- Keep your privacy settings on.
- Practice safe browsing.
- Make sure your internet connection is secure. Use a secure VPN connection.
- Be careful what you download.
- Choose strong passwords.
- Make online purchases from secure and trusted sites.
- Be careful what you post online.
- Always be leery of who you meet online.
- Keep your antivirus program up to date.
- Always double-check the URL (website address) that you are visiting.
- Always check before clicking.
- If you see misspelled words or design issues, it could be phishing.
- If anyone asks for money via email or online, do not do it.
- To learn more about identity theft fraud safety visit ID Theft Center.
- If you think you’ve been a victim of identity theft, contact the Federal Trade Commission (FTC) at 877-IDTHEFT (438-4338) or visit the Federal Trade Commission’s site to learn more.
- If you believe your Social Security Number is being used fraudulently contact the Social Security Administration at (800) 772-1213.
- It’s a good idea to get a copy of your credit report each year from each credit-reporting agency. You can get a free credit report yearly from the Annual Credit Report website at annualcreditreport.com or by calling 1-877-322-8228 where you will go through a simple verification process over the phone. It is important that you obtain and review a copy of your credit report once a year to make sure your information is accurate.
- For financial literacy, check out Upgrade, our blog, or our financial education page.
- To file a complaint about a suspected fraudulent email, contact the Federal Bureau of Investigation’s Internet Crime Complaint Center at www.ic3.gov.