Social Engineering in Cybersecurity

Friday, December 2, 2022, Course

When it comes to security, social engineering refers to the emotional or psychological manipulation of individuals, getting them to perform desired tasks or give away valuable information. Why would a criminal fuss with learning complex techniques when they can convince you to give up your password through an email?

Virtually every aspect of cybersecurity has a human element to it, so staying aware of the most effective social engineering tricks is essential to keeping systems secure. Sometimes the beauty of these attacks is in their simplicity. The problem has only been made worse by the loosely controlled office environment that comes with BYOD (bring your own device) and remote work.

Phishing, Vishing, and More

Phishing is a form of cybercrime that uses email to trick you into divulging important and personally identifiable information. Vishing is the same criminal activity, but it uses voice communication to achieve its ends. Scammers can use spoofing techniques to alter caller ID so that fishy phone calls look more legitimate, and in the heat of the moment it is easy to give in to social pressure.

Here are common tricks to look out for:

Smishing: SMS phishing messages containing suspicious links

You receive a text message that says, “Hey, is this really you in this photo??” along with a fishy-looking link. Your first instinct may be to find out what photo they are talking about, but the link is probably taking you to a harmful website. Only click on links from numbers and sources you trust absolutely, and even then, exercise extreme caution.

Appealing for help

Be wary of strangers asking for help, especially if you have been identified as an employee of your company. When working in tech, people may approach you for computer help in real life. ITPro Edutainer Adam Gordon has experienced this himself. While in his logo-wear after work, a stranger asked him to pull up something on Adam’s own computer to help with a tech issue. While it may have been innocent, Adam decided to decline and provide different resources for help, rather than put his device at potential risk.

Impersonating an authority figure

Be on alert when receiving any inbound phone calls from authority figures like banks or government agencies. Caller ID can be altered easily, meaning anyone can impersonate a legitimate entity. Avoid giving out information on calls you did not initiate, and if information is requested of you, hang up and call the organization back on a trusted number you looked up yourself, so you know who you are speaking with.

Pressuring with deadlines

Messages trying to gain access to your information will often put a short timeline on their request. This is the same whether it is a phone call, email, or text message. The sender will state that you have 24 hours to change your password or your account will be permanently locked, hoping that time pressure will cause you to act rashly and reveal your current password. Remember to keep your cool, and double check the source of any message about sensitive information.
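The red flags listed above (a link from an unknown source, a claimed authority figure, a request for a credential, a short deadline backed by a threat) are exactly what a simple message-triage heuristic can look for. The following is an added example written for this article, not code from the original post or from ITPro; the indicator patterns, point weights, threshold and the `example-corp.com` trusted domain are assumptions chosen for illustration, and the three sample messages are constructed.

```python
"""Score inbound messages for social-engineering indicators.

Added example (not from the original article). It applies the article's red
flags to constructed sample texts: links to unknown or look-alike domains,
deadline pressure, threats of account loss, requests for credentials,
claimed authority, and curiosity bait. Patterns and weights are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Domains the organisation actually owns (constructed assumption). Any other
# host in a link counts as unknown, and a host that merely *contains* one of
# these names is treated as a look-alike.
TRUSTED_DOMAINS = {"example-corp.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# (pattern, points, reason) for the text-based indicators. Weights are assumed.
TEXT_INDICATORS = [
    (re.compile(r"\b(?:within|in)\s+\d+\s+(?:minutes?|hours?|days?)\b"
                r"|\b(?:immediately|urgent(?:ly)?|right\s+away)\b", re.I),
     2, "deadline pressure"),
    (re.compile(r"\b(?:locked|suspended|closed|terminated|deactivated)\b", re.I),
     1, "threat of account loss"),
    (re.compile(r"\b(?:password|passcode|one[- ]time\s+code|verification\s+code"
                r"|ssn|social\s+security)\b", re.I),
     3, "asks for a credential"),
    (re.compile(r"\b(?:bank|irs|tax\s+office|police|help\s*desk"
                r"|it\s+department|ceo)\b", re.I),
     1, "claims authority"),
    (re.compile(r"is this (?:really )?you", re.I),
     1, "curiosity bait"),
]


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def classify_link(url: str) -> str | None:
    """Return a reason string if the link host looks suspicious, else None."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return None
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return f"link to bare IP address {host}"
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return None  # our own domain or a real subdomain of it
        if trusted in host:
            return f"look-alike domain {host}"  # e.g. example-corp.com.evil.test
    return f"link to unknown domain {host}"


def score_message(text: str) -> Verdict:
    """Accumulate points for every indicator present in the message."""
    verdict = Verdict()
    for url in URL_RE.findall(text):
        reason = classify_link(url)
        if reason:
            verdict.score += 2
            verdict.reasons.append(reason)
    for pattern, points, reason in TEXT_INDICATORS:
        if pattern.search(text):
            verdict.score += points
            verdict.reasons.append(reason)
    return verdict


def is_suspicious(text: str, threshold: int = 3) -> bool:
    """Threshold is an assumption: one bad link plus any other cue trips it."""
    return score_message(text).score >= threshold


# Constructed sample messages modelled on the tricks described in the article.
SAMPLE_MESSAGES = {
    "smishing": "Hey, is this really you in this photo?? http://198.51.100.7/pic",
    "deadline_phish": ("Your bank account will be locked in 24 hours. Confirm your "
                       "password at http://example-corp.com.secure-login.test/verify"),
    "benign": ("Reminder: the all-hands meeting starts at 3pm; slides are at "
               "https://mail.example-corp.com/allhands"),
}

if __name__ == "__main__":
    for name, text in SAMPLE_MESSAGES.items():
        v = score_message(text)
        print(f"{name:15} score={v.score:2} suspicious={is_suspicious(text)} "
              f"reasons={v.reasons}")
```

Running the script scores the curiosity-bait text at 3 (bare-IP link plus bait), the deadline phish at 9, and the internal reminder at 0, because its link resolves to a real subdomain of the trusted domain. Heuristics like this are a triage aid for an inbox or SMS gateway, not a substitute for the habit the article recommends: verify the sender through a channel you chose yourself before acting.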