Hackers can breach your security defenses by using social engineering tactics. Social engineering is the use of deception or trickery to manipulate you into exposing sensitive information that can then be used for nefarious purposes, e.g., to get access to an online account. Realize that a social engineering scheme may span several campaigns, with the results of those campaigns pieced together to build up a picture of you.
It is easier for a hacker to use social engineering to acquire sensitive information than to break directly into a system, especially if that system is regularly patched and updated. Social engineering is often the first step in a hacker's campaign to breach an online resource.
Social engineering campaigns can run for years. What makes them so dangerous is that anti-malware software is largely irrelevant to them: social engineering is aimed at people, not at code, and its goal is to trick people into giving up sensitive information. For example, people click on links they should not click in an email or on a website.
You need to be aware of the many ways social engineering can occur. That awareness will help protect you from exposing sensitive information that hackers could piece together to allow them to access your online resources.
Hackers might trawl Facebook, LinkedIn, Instagram, and other public sites to gather information about you. They might, for example, learn that you gained a new position at your company and forge a phishing email tailored to that role to trick you into providing sensitive information. The public information about you and the information gained from phishing campaigns may each seem harmless. However, when pieced together, they can provide a clearer picture of you that hackers can use.
Social engineering usually occurs via a phishing email, as mentioned above. The email will seem urgent and look legitimate to persuade you to provide sensitive information, click on a malicious link, or open a malware attachment. However, there are clues that you should be aware of that might expose those types of phishing emails. Here are some things to look out for.
Who does the email seem to come from? Is it someone you know, and does the email make sense coming from that person? Is the email address truly from that person? Answering those and other questions can help you identify phishing emails that are part of a social engineering scheme.
Be diligent when reading and especially responding to emails. Take a closer look at things like the sender, wording, grammar, etc. Avoid clicking on links in the email as well.
A common tactic among sales professionals and hackers is presenting a sense of urgency. The idea here is to short-circuit your diligence by causing you to respond quickly to something perceived as urgent. You might get so caught up in the urgent nature of the email or message that you don’t consider the clues that the email is bogus or malicious.
Be suspicious if the email or phone call appears urgent. That may be a ploy to get you to take action without thinking.
Links in Emails
I'm sure you've heard it said many times: do not click on links or open attachments in unexpected emails. That applies even to emails that appear to come from an organization you regularly interact with, e.g., your bank. Instead of clicking the link, type the organization's address into your browser yourself and see whether the same urgent claim appears there.
The displayed link text may not match where the link actually goes. Let me give you an example. Consider the following link: www.rpcr.com. The link seems to point to www.rpcr.com, but if you click on it, you go to www.williamrcunningham.com. There are two parts to a hyperlink: the display text and the URL. The display text is what you see on the screen. However, the actual URL the link takes you to can be something entirely different.
In many email clients (e.g., Outlook), hovering over the hyperlink will reveal the actual URL you will be sent to if you click it. That is one way to see where a link will truly send you. On a phone, where there is no hover, a long press on the link usually shows the destination instead.
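The same two checks, the sender questions from earlier and the display-text-versus-URL mismatch just described, can be automated over the raw text of an email. The script below is an added example, not code from the original article; it uses only the Python standard library and runs on a constructed sample message that reuses the page's own www.rpcr.com / www.williamrcunningham.com illustration. The header heuristics it applies (an email address hidden in the display name that differs from the real sender, and a Reply-To on a different domain than From) are common phishing indicators, not rules from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_of(s):
    """Lower-case host named by s; a bare 'www.host.com' counts as a URL too.
    Returns '' for text that is not a host at all (e.g. 'Click here')."""
    s = s.strip()
    if not s or any(ch.isspace() for ch in s):
        return ""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """(visible text, href) pairs where the text names a host but the href goes elsewhere."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = host_of(text)
        # Only compare when the visible text itself names a host (contains a dot);
        # plain words like "Click here" make no claim about the destination.
        if "." in shown and shown != host_of(href):
            findings.append((text, href))
    return findings


def sender_findings(raw_message):
    """Header checks: an address in the display name that differs from the real
    sender, and a Reply-To that is not on the sender's domain."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    hidden = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", name)
    if hidden and hidden.group(1).lower() != from_domain:
        findings.append("display name shows %s but sender address is %s" % (hidden.group(0), addr))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append("Reply-To %s is not on sender domain %s" % (reply_to, from_domain))
    return findings


def analyze(raw_message):
    """Run both checks on a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if msg.get_content_type() == "text/html" else ""
    return {"sender": sender_findings(raw_message), "links": mismatched_links(body)}


# Constructed sample message (not a real email) showing all three tricks at once.
SAMPLE = "\n".join([
    'From: "helpdesk@example.com" <no-reply@mail-example.net>',
    "Reply-To: helpdesk@example-support.net",
    "Subject: Urgent: your password expires today",
    "Content-Type: text/html",
    "",
    "<html><body>",
    "<p>Your password expires in 2 hours. Reset it now.</p>",
    '<a href="http://www.williamrcunningham.com/reset">www.rpcr.com</a>',
    '<a href="https://www.rpcr.com/help">www.rpcr.com</a>',
    '<a href="https://www.rpcr.com/help">Click here</a>',
    "</body></html>",
])

if __name__ == "__main__":
    for category, items in analyze(SAMPLE).items():
        for item in items:
            print(category, item)
```

Only the first link is reported: its text claims www.rpcr.com while its href goes to www.williamrcunningham.com. The second link's text and destination agree, and "Click here" makes no claim, so neither is flagged. The checks are deliberately narrow; they catch the mismatch the article describes, not every phishing trick.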
Remain diligent with your emails. Don’t senselessly respond to emails or provide requested information without considering the source, why the information is being requested, and more. Be critical of all unsolicited online messages and emails.
Beyond the generic phishing email described above, where you simply receive an unsolicited message, hackers may target specific individuals with a phishing campaign as part of a social engineering attack.
- Spear phishing – a targeted attack on specific individuals. These kinds of phishing attacks are especially dangerous because information obtained from previous social engineering campaigns, or public information about you, is used to tweak the email to look even more legitimate.
- Whaling – A targeted phishing attack on high level executives or the like. The thought here is that the executive will have access to more sensitive information than the average office worker.
Remain diligent while using online resources, answering emails, and browsing the web. Hackers want your information so they can access your stuff (or your company’s information). Don’t mindlessly click links and respond to seemingly urgent emails or messages. Be suspicious of all unsolicited emails.