Everything you need to know about social engineering attacks
March 14, 2022
Typically, we might assume that when a cybercriminal wants to take over a computer the first thing they’ll do is look for a software vulnerability on someone’s device. So, keeping your software up-to-date and having a powerful antivirus that helps protect your devices from viruses or malicious software is probably enough, right? Unfortunately, not. There is another kind of cyberthreat on the rise that no firewall or virus protection can help block: social engineering.
Social engineers have learned that sometimes the best – and often easier way – to achieve their goals is not via the device but the user. That means once you understand what social engineering is and how it works you can use that knowledge to defend yourself from falling victim to the most popular types of online social engineering attacks.
What is social engineering?
Social engineering is the art of tricking someone into giving up confidential information. By playing on people’s emotions and natural tendency to trust, social engineers are able to manipulate people into divulging sensitive information like passwords and bank account details. In addition, social engineering attacks are often done to convince people to click on and/or open and download malware-infected attachments.
Common techniques used by social engineers
In a social engineering attack, a perpetrator will first gather as much information as possible about their target person or company (if they’re after confidential company data). The more details they know about their target, the easier it will be to make contact and quickly gain trust. Attackers use various methods to collect the information they need. They might Google their target or spy on them on social networks.
Once these scammers know what Facebook groups a target has joined, what videos they watch on YouTube, what pictures they link to on Instagram, and what they pin on Pinterest, they can construct more credible stories to trick their targets.
If it’s business information they’re after, they’ll look at your LinkedIn contacts or your corporate website to learn about the structure of your company. This way, they can later slip into the role of a company employee or credible business contact when making contact.
The most common online social engineering attacks
Since social engineering attacks are quite convincing it’s important to know what they might look like to avoid becoming a victim. The below are some of the most common online social engineering attacks.
Phishing accounts for 90% of all data breaches. In this scenario the scammer poses as a real person or company and typically carries out their attack via email, chats, internet advertising or websites. For example, creating a fake websites that asks users to reset their password or enter sensitive information such as their credit card or phone number.
Spear phishing is a particularly sophisticated phishing variant aimed at the top management level of companies. The aim is to exploit data, internal information, and gain access to company tools. Here, fraudsters seek direct contact with the victim. Sometimes they pretend to be system administrators via e-mail, sometimes they pose as a colleague on Facebook. Sometimes the attackers even dare to make a direct phone call.
Baiting attacks are similar to phishing attacks but instead of offering to resolve a problem the victim is offered something attractive. For example, a target might be enticed by a free prize or a great deal, and in order to receive it they would be required to enter personal information useful to the scammer.
Quid pro quo
Quid pro quo is Latin for “this for that” and describes a social engineering ploy that lures victims with a specific promise if they reveal information in return. Quid pro quo attackers most often impersonate IT employees. For example, they might call all employees in a company and promise them a quick, uncomplicated solution. All the unsuspecting victims have to do is turn off their antivirus program, but instead of a solution, malware is then installed on their computers.
How to defend against social engineering attacks
The best defense against a social engineering is not technical – it’s you. A healthy dose of skepticism paired with paying more attention to what you are doing online can help you to avoid making mistakes. Here is some advice to help protect yourself from social engineering attacks:
- Don’t open emails, click links and/or download attachments from questionable
- Don’t believe in tempting offers. If you think a deal is too good to be true, it probably is.
- Use ulti-factor authentication. Along with strong, unique passwords it can
never hurt to add an extra layer of security to your online accounts.
- Make sure you are using an updated antivirus software. Keep informed about new types of malware that are circulating.
- Don’t answer to any requests for personal information or passwords.
- Reject any unsolicited advice or help. Social engineers can and will either request your help with information or offer to help you, often as posing as tech
As you can see, a little common sense can go a long way to not fall victims to online scammers. But stay vigilant! Social engineers are called con artists for a reason – they can make anyone believe almost anything.
Copyright © 2022 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of Amazon.com, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.