The term social engineering refers to types of cyber attack that exploit one of the more vulnerable aspects of an organization: its humans. An organization can implement the most sophisticated security software available, but hackers know that the easiest way in is sometimes through you.
That’s because some of the qualities that allow human beings to thrive in social situations – curiosity, trust, kindness, cooperation – are the same ones that allow criminals access to confidential information. In fact, a joint study completed by Stanford University Professor Jeff Hancock and the security firm Tessian found that 88% of data breach incidents are caused by mistakes employees make.
An interviewer on the Jimmy Kimmel show discovers that one way to get a stranger’s password is to just ask for it.
What are some examples of social engineering?
- Phishing. Email, text or chat messages that imitate a trusted sender (a bank, a vendor, the IT help desk) to get the recipient to click a link, open an attachment, or type credentials into a look-alike login page.
- Pretexting and impersonation. A criminal creates a fictional backstory that is used to manipulate someone into providing private information.
For example, in a recent scam that circulated in the medical community, cybercriminals used a NYS doctor lookup site to find a physician's name and license number. They then called the doctor from a spoofed number that displayed as the NYS Office of Professions. The caller informed the doctor that their license had been used in illegal activity and asked whether the doctor would like to speak with the investigator on the case. The "investigator" provided false details about the case and ultimately asked for money to have the illegal activity removed from the license. Notice what made the pretext convincing: publicly available data (the name and license number) plus a caller ID that matched the agency. Caller ID is set by the calling party and can be faked, so the number on the display is not evidence of who is actually calling.
- Baiting. Baiting is similar to phishing, but uses the promise of an item or good to entice victims. Baiting attacks may leverage the offer of free music or movie downloads to trick users into handing over their passwords.
How do you prevent falling victim to social engineering?
Don’t trust anyone!!
Jk. There are a few specific things you can do to stay vigilant:
- Never provide passwords, SSNs, financial information, or other personal/confidential information when you cannot be sure who you are talking to.
- Limit the personal information you share online.
- If a message seems unusual, verify it through a channel you already trust: call the organization back using the number on its official website or on your card or statement, not a number, link or email address supplied in the message itself.
- Always be suspicious of unsolicited "urgent" requests.
- Don't click on links in email; instead, get to the site yourself by typing the address or using a bookmark you saved earlier. The text you see in a link and the address it actually opens can be completely different.
- Don't open unexpected attachments.
- If a company you do business with is requesting information, inform them that in order to protect yourself against identity theft, you will need to reinitiate contact with the company through a trusted channel.
- If you suspect your identity may have been stolen, report it immediately at www.identitytheft.gov and consider signing up for a credit monitoring service like LifeLock or Experian, and placing a fraud alert or credit freeze on your file.
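The advice above about not clicking links can be made concrete. The script below is an added example, not code from the original page: it pulls every link out of a constructed HTML email (the message body and all of the domains in it are made up for illustration) and reports where the host a link visibly claims to go to differs from the host it really points at, including the "user@host" trick and an internationalized (xn--) host that can hide a look-alike name.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body in the style of a credential-phishing
# message. Not a real message; every domain below is made up for illustration.
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Verify within 24 hours:</p>
<a href="http://secure-login.example-verify.net/bank">https://www.examplebank.com/login</a>
<p>Or sign in at <a href="http://www.examplebank.com@example-verify.net/login">www.examplebank.com</a></p>
<p>Questions? <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>
<p><a href="https://examplebank.com.account-check.org/confirm">Click here to confirm</a></p>
<p>Unsubscribe: <a href="https://xn--exmplebank-6ne.com/u">examplebank.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Lowercased host of a URL or of a bare 'www.host/path' string ('' if none).
    urlparse().hostname drops any 'user:pass@' prefix and any ':port' suffix,
    which is exactly what defeats the 'trusted-name@real-host' trick."""
    s = url_like.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    """True if the visible link text names a host we can compare against."""
    t = text.strip()
    return " " not in t and "." in t and not t.endswith(".")


def registrable(host):
    """Crude registrable-domain approximation: the last two labels. Good enough
    for .com/.net/.org; a production tool would use the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def audit_links(html):
    """Return one finding per link, in document order, with a verdict of
    'idn-host', 'unverifiable', 'mismatch' or 'consistent'."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if any(label.startswith("xn--") for label in target.split(".")):
            verdict = "idn-host"          # punycode: rendered name may be a look-alike
        elif not looks_like_url(text):
            verdict = "unverifiable"      # "Click here": nothing to compare, inspect target
        elif registrable(host_of(text)) != registrable(target):
            verdict = "mismatch"          # shown host and real host differ
        else:
            verdict = "consistent"
        findings.append({
            "text": text,
            "href": href,
            "target_host": target,
            "target_domain": registrable(target),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{f['verdict']:<13} shown={f['text']!r:<40} really={f['target_host']}")
```

The point of the "unverifiable" verdict is that a link whose text gives no host ("Click here") can only be judged by its real target, which is why hovering to read the destination, or better not clicking at all and navigating yourself, is the safe habit. The two-label domain approximation is a deliberate simplification; real mail filters use the Public Suffix List so that, for example, a host under `co.uk` is handled correctly.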
Did you take the pop quiz?
Try our 10-question pop quiz on cybersecurity before Oct. 21, and we’ll contact winners on Oct. 28.