A big risk to businesses and individuals alike, social engineering involves exploiting bugs in our “human hardware.” In person, over the phone, or via e-mail, criminals draw on social engineering techniques to evoke feelings of fear, uncertainty, pressure, excitement, and more to get us to deviate from the way we would typically behave. Their goal—surprise, surprise—is to gain access to our sensitive information or to take advantage of us for financial gain.
Common human tendencies that social engineers exploit
1) The tendency to obey authority. People tend to comply with requests from those in authority. So a hacker might impersonate an authority figure to get you to do something. For example, he or she might pretend to be someone from a law enforcement agency and e-mail you claiming to have found illegal content on your computer. He or she would then advise you to click on a link to obtain additional details. Because you wouldn’t want to be accused of doing anything illegal, and because of the perceived authority of the sender, you may not question the legitimacy of the message. But clicking on the link could install malware on your machine.
2) The tendency to react too quickly to “urgent” requests. A sense of urgency tends to cause us to rush into making decisions that we wouldn’t usually make. The IRS scam is a great example of using urgency to trick people into taking ill-advised action. A con artist poses as an IRS representative and reports that, if the intended victim doesn’t immediately provide payment information for back taxes owed, a warrant will be issued for the person’s arrest. Who among us wouldn’t want to avoid this negative consequence? Unfortunately, targets of this scam often comply with the request, sending precious confidential information to criminals.
3) The tendency to act too quickly if we think we’ll miss out on something scarce. If we believe there isn’t enough of something good to go around, we humans often take ill-considered actions because we fear we’ll miss out on something we want. How would a criminal exploit this trait? He or she might send phishing e-mails purporting to come from Apple and claiming that, because of huge demand, only a limited number of the latest iPhone model are available. “If you click on a link in the message, you might be able to get one. But you have to act fast!” In reality, clicking on the link could install malware on your computer or lead you to a legitimate-looking website where you are asked to input personal information to order the phone. Now the hacker has your confidential information—perhaps even your credit card number and its expiration date.
4) The tendency to let down our guard because of a stranger’s likeable persona. Some scammers put on a very friendly act, doing all they can to appear likeable so that we feel comfortable dealing with them and are more likely to let our defenses down. For example, a cybercriminal could pose as a computer technician, stop by your workplace, and strike up a pleasant conversation with the receptionist. Before you know it, the technician has talked him- or herself onto an office computer, ostensibly doing routine maintenance but really stealing whatever sensitive data he or she can find on it.
5) The tendency to trust and help those who need something. Social engineers sometimes try to exploit a sense of trust in others, causing potential victims to feel guilty enough to provide the scammers what they need. These scams usually produce a larger, immediate payoff for the criminal. For example, a scammer could pose as a friend traveling overseas and e-mail you that he or she has been mugged and needs money to return to the U.S. In a situation like this, you might trust that the sender is your actual friend and feel guilty if you don’t lend a hand, so you wire the money without doing enough to verify the sender’s identity.
Spotting an attack
Because our trusting nature often prevails over our common sense, we need to stay vigilant. Here are several tips for spotting and dealing with attackers who use social engineering:
- Be wary of any e-mail or phone call that comes with a heightened sense of urgency and that claims to require an immediate response.
- If you get an unsolicited message or call purporting to come from a familiar organization and asking for personal information, hang up and call the entity at a number you know is legitimate, or type the organization’s URL directly into your browser and log in from there.
- Always verify the source of a phone call or message before fulfilling a request, clicking on a link, or downloading an attachment.
- If someone calls claiming to be from Microsoft or another tech company and requests access to your computer to fix a supposed problem, don’t fall for it. This is almost always a scam! If an individual arrives at your office with such a claim, ask for identification or verify his or her identity by calling the company for which the person supposedly works.
© 2019 Commonwealth Financial Network®