Last Updated: August 25, 2020
In an increasingly technological era, running into scams is almost inevitable. Fraudulent emails, for example, can be creatively deceptive, since their whole purpose is to persuade you that they are legitimate. Because they are so effective, every type of social engineering attack can do serious damage to its victims. In fact, social engineering is a cause of successful cyber attacks and data breaches across the world.
What Is Social Engineering?
Essentially, social engineers wield the basic tools of human psychology to get what they want. By exploiting a person’s natural tendency to react automatically to authority and urgency, such as a fraudulent email purporting to come from the CEO of a company, social engineers can quickly and almost effortlessly obtain the information they are after. It is not uncommon to act on emotion without properly checking the source of a message. Social engineers don’t need to sit behind a computer screen to attack, either. Some launch their attacks in person, for example by impersonating an IT professional.
Social engineering attacks are affecting individuals at an alarming rate. Up 12% from 2016, the number of people affected by identity fraud reached a concerning 16.7 million in 2017. Though security awareness is assumed to be common knowledge in this digital age, even tech professionals can fall victim to social engineering attacks. Since social engineering preys on human error, it is reasonable to assume that almost anybody could be susceptible to it.
Despite the prevalence of social engineering in this technological era, there are still effective ways to combat such attacks. One of the most important things you can do is thoroughly read and comprehend the message you’re receiving, whether it arrives in an email, a phone call, a letter, or an SMS message. Oftentimes a minuscule typo or a suspicious email address (a look-alike domain standing in for “@gmail.com”, for example) is a dead giveaway.
What Is a Social Engineering Attack?
Robert Cialdini, a psychology and marketing professor at Arizona State University, theorized six key principles of influence. These principles map closely onto what perpetrators of social engineering do to maximize the information they extract. In general, a social engineering attack will leverage one of these broad principles to shape its tactics:
- Reciprocity — people tend to feel an obligation to repay what is owed. Social engineers first offer a favor and then ask for something in return.
- Commitment and Consistency — consistency is something that a person recognizes and may even desire in their life. Thus, when people agree to do something they feel obligated to follow through. For a social engineer, holding their victim accountable for their commitments is key.
- Social Proof — people can naturally be influenced by other people, especially in large groups. Therefore, if “everybody” is doing something, people may be more inclined to join in.
- Authority — when dealing with someone in an official position, people tend to follow instructions willingly. Likewise, when a person receives an email labeled “IRS,” a sense of urgency and necessity arises because of the status of the sender.
- Liking — when somebody likes someone, they can then usually be easily influenced by that person. This is one of the reasons why celebrity endorsements are consistently used. Similarly, receiving a Facebook friend request from an attractive individual may prompt more people to accept, despite the potential repercussions.
- Scarcity — when people hear the word “scarcity” they tend to think of synonyms like “rarity.” For example, common brands often run “limited time only” sales. These sales may drive people to buy products because they perceive this as their only opportunity to do so. Scam emails and calls, in fact, can include those exact words: “limited time only.” This tactic, like the others, can prompt people to open the email without hesitation.
Examples of Social Engineering Attacks
Though not exhaustive, below are some common forms of social engineering attacks:
Phishing
Probably the most well-known social engineering attack, phishing uses email as its main medium. As noted above, these fraudulent emails manipulate readers into believing that the information they contain and the response they require are of the utmost importance. Unfortunately, the target of a phishing scam can be just about anybody with an email address.
Vishing
This is essentially the same as phishing, except that these attacks occur over the telephone.
Smishing
This is essentially the same as phishing and vishing, but the attacks are sent via text or SMS.
Spear Phishing
As opposed to the wide net cast by standard phishing, vishing, and smishing schemes, spear phishers seek out specific individuals. The whole process requires a significant amount of time in order to accurately assess the target’s behavioral habits, personal characteristics, and general contacts.
Water Holing
A fairly old method of social engineering, water holing plants viruses on public websites. This kind of attack is generally more targeted than the others, as perpetrators tend to review a person’s web history before attacking.
Tailgating
A relatively easy scheme, tailgating involves skipping an authorization checkpoint by following somebody else through it. To gain access to a restricted building, a social engineer waits for somebody else to use their credentials to open the door and then follows closely behind them. This shows that social engineering is not just a technological pursuit; the whole act can be carried out in person.
Baiting
The usual form of baiting involves a seemingly harmless software update. Wanting to protect their computer, people click on the update, only to find that it is a scam.
Quid Pro Quo
The classic “something for something” is a well-known scheme. In social engineering, a quid pro quo exchange is used to manipulate a person’s desire to reciprocate favors.
Pretexting
Stealing an identity before gathering any actual information is essentially the art of pretexting. By pretending to be somebody else, social engineers can then gather the information they desire. This ploy is frequently used for financial or political gain.
Impersonation
The art of impersonation can be involved in any of the above attacks, including but not limited to phishing, vishing, smishing and pretexting. Social engineers often pretend to be someone their victim knows in order to gain their immediate trust.
Preventing Social Engineering Attacks
Everybody can do their part to prevent social engineering attacks, and they should; all it takes is one instance of human error to compromise an entire network. Common prevention tips include:
- Slow down — the first step in preventing any sort of attack is simply to slow down and think about what you are reading or hearing. Since social engineers seek to manipulate your behavior with alarming words such as “urgent,” it is crucial to decide for yourself what is actually urgent before acting on that high-pressure feeling.
- Research — verify the identity of the person or entity contacting you. These verifications can usually be made through any search engine, phone directory, or even a related associate.
- Anti-virus software — installing legitimate anti-virus software and keeping it up to date can prove extremely beneficial. This kind of software can warn its users of potential dangers posed by visiting a certain website or downloading malicious files.
- Multi-factor authentication — multi-factor authentication is another effective way to reduce the success of social engineering. Two or more steps should be required to sign in to an account, such as entering a one-time code from Google Authenticator or 1Password (not SMS).
- Knowing how to spot authenticity — opening emails from suspicious sources is one of the easiest ways to fall victim to social engineering attacks. If you receive an email from a friend or coworker that doesn’t come from their regular email address, send them a quick text to check. Social engineers will use just about any form of authority to convince their victims of their legitimacy, including posing as government agencies such as the IRS.
- In 2019, the IRS began sending out information regarding cryptocurrency taxes. In three different letters, 6173, 6174 and 6174-A, the IRS began cracking down on tax evasion. However, these letters came without any prior notice from the IRS, leaving potential weak spots for social engineers to exploit. Upon receiving such letters it is important to know how to read and understand them in order to verify their authenticity. The IRS has a specific logo, so make sure that it is included alongside a correct address. Additionally, there are three dates to pay attention to: the tax year, the notice date, and the “proposed amount due by” date.
- Knowing how to accurately assess the amount owed in crypto taxes can prove extremely beneficial in preventing any such attacks as well.
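The sender-address check described earlier (a look-alike domain in place of a known one, or a coworker writing from an address that is not their usual one) can be automated as a first-pass filter. The following is an added example, not code from the original post; it assumes a small constructed allowlist of domains the reader already trusts and compares each incoming sender against it, catching digit-for-letter swaps, homoglyphs, and a trusted name buried as a subdomain.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist of sender domains the reader already knows to be real (an assumption
# for this example; in practice it would be the reader's own contacts and vendors).
TRUSTED_DOMAINS = {"gmail.com", "example-corp.com", "irs.gov"}

# Digits commonly substituted for the letters they resemble.
_DIGIT_SWAPS = str.maketrans("01357", "olest")


def normalize_domain(domain: str) -> str:
    """Undo common look-alike tricks so 'gmai1.com' compares like 'gmail.com'."""
    d = domain.strip().lower()
    # Non-ASCII letters (e.g. a Cyrillic 'a') are dropped rather than mapped; the shortened
    # result still scores as near-identical below, so the homoglyph is flagged, not hidden.
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    d = d.replace("rn", "m").replace("vv", "w")  # 'rn' reads as 'm', 'vv' as 'w' in many fonts
    return d.translate(_DIGIT_SWAPS)


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.8):
    """Return (verdict, resembled_domain); verdict is 'trusted', 'look-alike' or 'unknown'."""
    if "@" not in address:
        return ("unknown", None)
    domain = address.rsplit("@", 1)[1].strip().lower()
    if domain in trusted:
        return ("trusted", domain)
    norm = normalize_domain(domain)
    best, best_score = None, 0.0
    for t in trusted:
        # A trusted name used as a subdomain ("irs.gov.evil.example") is owned by evil.example.
        if domain.startswith(t + "."):
            return ("look-alike", t)
        score = 1.0 if norm == t else SequenceMatcher(None, norm, t).ratio()
        if score > best_score:
            best, best_score = t, score
    if best_score >= threshold:
        return ("look-alike", best)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders, not real addresses.
    for sender in ["alice@gmail.com", "alice@gmai1.com", "ceo@example-c0rp.com",
                   "notice@irs.gov.evil.example", "friend@zzzz.test"]:
        print(f"{sender:32} -> {classify_sender(sender)}")
```

A "look-alike" verdict is the cue to verify through a second channel, as the tips above recommend, rather than to reply to the message.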
These prevention tips can sufficiently help to curtail the success of social engineering tactics, ultimately keeping you and those around you safe.
Disclaimer: this post is informational only and is not intended as tax advice. For tax advice, please consult a tax professional.