“Amateurs hack systems, professionals hack people.”
—Bruce Schneier – cryptographer, privacy specialist, and author
Social engineering is a new term to describe someone who uses psychological manipulation to get someone else to divulge confidential information or perform actions (e.g., click a link in an email or open a locked door). An older name for a social engineer is simply a con artist.
To get people to comply with their scam, social engineers hack people. They use tactics such as creating a sense of urgency, minimizing rules/consequences, building rapport, playing on the victim’s sympathy, and impersonating an authority figure or other trusted person.
Many people think, “I’d never fall for something like that!” The sad truth is that almost anyone could fall for a scam, under the right circumstances.
Social engineers have a firm grasp on human behavior and are patient enough to wait for the right victim and situation. Someone who is in a hurry and appears distracted often makes a perfect target—whether that’s in real life or online.
How to become a human firewall
In the digital world a firewall is a computer system designed to block unauthorized access to your network. In the real world, you need to become your own “firewall” to protect against social engineering scams.
Here are some actions you can take to avoid becoming a victim:
1. Slow down. Social engineers want you to react first and think later (or hopefully never think). Don’t fall for this tactic by pausing for a few moments and really reviewing the situation.
2. Maintain a healthy level of skepticism when you…
- Check your email. Scrutinize emails for phishing red flags and delete them if you have even a tiny bit of doubt. Scammers have moved beyond sending generic emails to large groups of people; instead they’re sending personalized, custom phishing emails (a technique called “spear phishing”). For example, if you receive an email from a friend or coworker asking for something unusual (e.g., sending confidential information to an outside email address or buying gift cards), be wary! Pick up the phone and call that person to make sure the request is real.
- Get a phone call. If someone you don’t know calls with an urgent request, it should set off your mental alarm bells. Don’t agree to anything a caller asks, never give out personal or payment information, and file a complaint with the FCC online if you think a call is a scam.
3. Never plug an unknown USB into your computer—period. Social engineers have been known to drop flash drives containing viruses and other malware in parking lots or hallways, hoping a passerby will pick one up and plug it into their machine. If you find a flash drive in a public area and would like to return it to the owner, be safe and just deliver it to the nearest lost and found.
4. Don’t fall for “because.” Some Harvard research done way back in the 1970s still holds up today. The study found that when people make a request and include the word “because”—even if the reason is rather silly—others are more likely to do what’s asked of them. Don’t be wooed by the seeming reasonableness of a request that has a “because” in it; really think before you act (see #1 above).
5. Be wary of…
- Downloads. Just like unexpected phone requests, unexpected email attachments can pose real dangers. If you don’t know the person who sent you the file (and be sure to double-check the sender’s actual email address, not just the display name) and you’re not expecting a file, don’t click to open it.
- Links. Links can take you to websites that serve drive-by downloads or otherwise install malware on your computer.
- Friend requests. A friend request hoax just went around Facebook, but the fact is, this technique IS used for scams.
- Emails or phone calls from the government or other official-sounding agencies. Social engineers are hoping you fall for the authority of the name and do what they ask.
6. Lock it down. Fingerprint- or passcode-protect your phone and other mobile devices—and actually keep those settings on. The same goes for your laptop if you work on the go (and make sure you’re aware of any “shoulder surfers” who might be watching for you to reveal sensitive information they could use).
7. Trust your gut feeling. Seriously, this isn’t a bad approach to steering clear of danger. If someone makes a request that causes you to feel uneasy, recognize that as a red flag and don’t do what they’re asking.
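The email red flags described in #2 and #5 above (a sender whose real address doesn’t match who they claim to be, pressure language, unusual requests such as gift cards, and links whose visible text doesn’t match where they actually point) can be checked mechanically. The script below is an added example, not code from the original article; the sample message, names, and domains in it are constructed for illustration, and the keyword lists are simple assumptions chosen for this demonstration rather than a complete phishing signature. It parses a raw email with Python’s standard library and returns a list of red flags it found, which a mail filter or an awareness-training tool could surface to the reader.

```python
"""Flag common phishing red flags in a raw email message (added example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a spear-phishing lure impersonating a coworker.
# All names, addresses and domains are made up for this example.
SAMPLE_EMAIL = """\
From: "Dana Lee (Finance)" <dana.lee@example.com>
Reply-To: dana.lee.finance@mail.example.net
To: pat@example.com
Subject: URGENT: need this done before the board call
Content-Type: text/html; charset=utf-8

<html><body>
<p>Pat, I'm stuck in meetings all day. Please buy six $100 gift cards
and send me the codes ASAP because the vendor needs them today.</p>
<p>Details are in the portal: <a href="http://example.net/login">https://portal.example.com</a></p>
</body></html>
"""

# Assumed keyword lists for this demonstration (not an exhaustive signature).
URGENCY_WORDS = ("urgent", "asap", "immediately", "today", "right away")
RISKY_REQUESTS = ("gift card", "wire transfer", "password", "w-2", "confidential")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address_or_url):
    """Return the lowercase host part of an email address or URL."""
    if "@" in address_or_url and "://" not in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(address_or_url).hostname or "").lower()


def phishing_red_flags(raw_message):
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # Red flag 1: replies are routed to a different domain than the visible sender.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        flags.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {domain_of(from_addr)}")

    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = (subject + " " + body).lower()

    # Red flag 2: pressure language; red flag 3: unusual or sensitive request.
    if any(word in text for word in URGENCY_WORDS):
        flags.append("Pressure language (urgency) in subject or body")
    if any(req in text for req in RISKY_REQUESTS):
        flags.append("Unusual request (gift cards, payments, or confidential data)")

    # Red flag 4: link text shows one site but the href points somewhere else.
    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body)
        for href, visible in collector.links:
            if visible.startswith(("http://", "https://")) and domain_of(visible) != domain_of(href):
                flags.append(f"Link text shows {domain_of(visible)} but points to {domain_of(href)}")
    return flags


if __name__ == "__main__":
    for flag in phishing_red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Run against the constructed sample, the function reports all four red flags; a plain, unremarkable message returns an empty list. The checks are deliberately conservative heuristics: a hit means “slow down and verify by phone,” as item #1 advises, not that the message is certainly malicious, and a clean result does not prove a message is safe.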