I will need your username and password…
Do you remember when Tom Cruise, at the end of “Mission Impossible 2,” ripped off his fake face just after stealing the antidote from the villain, hence revealing to his enemies that he was actually Ethan Hunt and not a Scottish terrorist?
Or do you recall that time in “Star Wars Episode IV: A New Hope” when Luke Skywalker and Han Solo dressed up as Stormtroopers and made their way through the Death Star to rescue Princess Leia?
This trick of masking one’s identity to fool others into giving up private information is known as social engineering. The method is used mostly by criminals to persuade others to hand over personal information.
Social engineering is when someone takes advantage of another person’s natural instinct to trust. When a trusted connection is made, personal information has no filter. The goal of a social engineer is to get anyone to believe that they are who they say they are. Once a victim is convinced, even if it is just for a single mouse-click, they have opened themselves up to possible information, financial and identity theft.
There is no question that social engineering is the most effective avenue for those with malicious intent: it is cheap and it works. Social engineers use many channels to distribute their attacks. They send out emails, Facebook messages, Tweets, texts and fake phone calls … all built on deception. They post fake listings on eBay, Craigslist and Amazon. Often they will craft some stressful story, posing as a bank that needs a credit card number to confirm the reader’s identity and account information, or as a computer administrator who needs the reader’s username and password so they can “fix a problem” with the account. Giving any information to these scammers can be devastating.
These types of attacks are usually referred to as “phishing scams” and are sent in bulk to hundreds or thousands of people in the hope of a few responses. A more direct approach is called “spear phishing,” in which the criminal singles out one victim and customizes an approach specifically for that individual. The criminal will go out and gather as much public information as they can about the victim through Facebook, Twitter, blogs, job sites, LinkedIn profiles, Google and even the phone book.
The goal for these villains is to gather as much information as possible so that they avoid raising suspicion during their interaction with the victim. The more authentic they seem, the more trust the victim gives.
These tricky social engineers often use emotion and theatrics as a distraction to keep the reader busy on something else rather than thinking, “Hey, who is this guy anyway?” They will use some funny YouTube clip or create some fake “Johnny Depp has died!” news article to lure the reader into thinking they want to learn more while giving up information in the process.
One of the most efficient distractions that social engineers use is “familiarity.” If a criminal can impersonate someone online who is already trusted by the victim (e.g. a friend or co-worker), the criminal doesn’t have to trick the victim into trusting him or her; the criminal just has to play the part.
All of this leads to the question: “How do we protect ourselves?” Simple, just get rid of all your good nature and trust. Though this seems logical, it is unreasonable and unnecessary.
Here are some ways to help protect yourself against social engineers:
Don’t fuel the fire – Criminals want information. The more you freely post to the web, the bigger target you make yourself. Start assuming that anything put on the web is public and will be there forever.
Use security tools – Go explore Facebook’s security settings. They can help limit where information goes and who can see it. Most smartphones store location data in the pictures you take; make sure you turn that off before you post them online. Apple and Android devices tell you before you download an app what permissions it requires. Be cautious of apps that can read your messages, scan your phonebook, or know your location.
Be aware and take the extra step – Know that these scams are everywhere. Don’t click links in emails. Instead, copy and paste them into a web browser. If you get a suspicious email claiming it is from a friend or family member, contact them and let them know about the issue. Don’t accept weird friend requests on Facebook. If you get a suspicious email from your bank, call them and ask if it is legitimate. Scammers make absurd claims — if it is too good to be true, it is.
The Internet and people on it are not 100 percent evil, but carelessness has its consequences.
As United States President Ronald Reagan once said: “Trust, but verify.”
For more information on National Cyber Security Awareness Month this October, visit http://www.security.isu.edu.