Social engineering -- The science behind the scam: Internet Scambusters #968
Social engineering sounds scientific, but it's really a polite way of describing the techniques scammers use to fool their victims.
To beat the crooks, you need to understand their thinking and train yourself to be a more skeptical judge.
In this week's issue, we explain the most common forms of social engineering and provide tips from the experts on how to avoid getting snared.
Let's get started…
Teach Yourself to Beat Social Engineering Crooks
Behind every scam, there's a piece of social engineering -- the techniques and tactics that con artists use to convince people to give information away or behave out of the ordinary.
They develop, or engineer, tricks that are calculated to deceive.
If it weren't so evil (at least in this context), you could call social engineering a science. That's because being a good social engineer involves understanding what makes people tick. Good social engineers know how to put pressure on you, spin a convincing hard-luck story, or strike fear in your heart. Pressure, trust, and fear are the scammers' frontline weapons.
When they succeed, they can get you to do whatever they want.
"Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software," says Internet security firm Webroot.
"The types of information these criminals are seeking can vary, but when individuals are targeted, the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software that will give them access to your passwords and bank information as well as control over your computer."
If you want to beat them at their own game, you've got to be constantly on the alert. In a way, you have to "reverse engineer" the scammers' tactics. You have to know and deal with what makes you potentially vulnerable.
If you're too trusting or gullible, you have to recognize this and adopt an attitude of skepticism about all that you see and hear.
If you give way to pressure easily, you must set a personal rule for yourself to disconnect from whoever is pressuring you so you have time to review what's happening.
And if you're the type who is easily scared by intimidation, you need to call on friends or family for support to steer you past the threats.
The non-profit Center for Cyber Safety and Education says we all need to do more to counter the scammers' techniques, by taking four key actions:
- Make your starting point to question the intentions of anyone asking you for money or information. Seek and check proof of identity.
- Be on your guard when you get a call from anyone you don't know. You have no way of being sure who they are, even if their voice sounds familiar.
- Think before acting. Tell yourself to slow down in a situation where you're being asked for money or information. Ask someone else for their opinion on what you're being asked.
- Play your part in educating others about the risks. Tell your kids!
Look out, too, says the center, for red flags including being asked to pay with gift cards or money wire, or being told not to discuss your activities with anyone else.
Phishing -- tricking people into giving away information that can be used for identity theft -- is the most rampant form of social engineering. It comes in all shapes and sizes, from simple fake emails and websites to injecting fraudulent links, usually as ads, into search engines like Google.
If you want to learn more about phishing, check out this detailed exploration from the earlier-mentioned Webroot security site (you may have to provide an email address before you download the PDF): Types of Phishing Attacks You Need to Know to Stay Safe.
Webroot also offers the following tips to stall a social engineering attack:
- Think first, act later -- not the other way around.
- Get the facts. Thoroughly research any request for money or information.
- Don't let a link (e.g. in an email, on a website, or in a text message) control where you land. Find the site you're interested in yourself, not via a link.
  In fact, here at Scambusters we recommend using "don't click" as your default policy with links, unexpected attachments, and downloads -- allowing few if any exceptions.
- Foreign offers to buy or sell, or messages informing you of winnings or inheritances, are fakes. It's a sweeping statement but nearly always true.
- Hit "delete" when you get messages asking for confidential information. Legitimate organizations simply don't make these requests.
- Use spam filters on email and set them to "high."
- Be suspicious if you get an email offering help you didn't ask for or seeming to answer a question you never asked.
Sadly, social engineering is here to stay. But being aware of it and knowing how to counter it is a powerful starting point for beating the crooks. The more you learn, the less likely you are to get scammed.
Alert of the Week
Picking up on today's topic, here's a phishing scam that's as clever as it is simple.
Many Americans have credit card debt they're struggling to clear. So, when they get a call or message apparently from a state official saying a new law allows for the debt to lapse, they're immediately interested.
But, of course, for the debt to be wiped clear, the victim has to disclose the name, card number, and security code.
You can probably guess the rest. The call is from a scammer who immediately maxes out the card, leaving the hapless victim in a worse mess than they were in before.
If you're worried about your card debt, speak to the card issuer or contact the non-profit National Foundation for Credit Counseling for free guidance.
Time to close today, but we'll be back next week with another issue. See you then!