In our recent survey asking what you’d like to see covered in this column, many agents asked us to discuss social engineering. Social engineering is a catch-all term for different types of cybercrime and is based on the natural human inclination to trust other people. There are several types of social engineering.
Phishing. Phishing is one of the most common social engineering types and is a “wide net” attack involving bulk email and text message campaigns. Typically, cybercriminals try to instill a sense of urgency or fear in victims, tricking them into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware. For instance, phishing emails could provide phony alerts to recipients that their online account has been compromised, requiring a password change. A link is provided to a fraudulent website that looks identical to the legitimate one, prompting the victim to enter their user ID and password, which are captured by the attacker.
Baiting. Like phishing, baiting is not targeted to specific victims. Baiting relies on human curiosity or even greed and typically happens when a physical device, such as a flash drive, is left lying around. Sometimes the “bait” will have official-looking logos or enticing phrases such as “company payroll.” A victim picks it up and inserts it into a work or home computer, only to end up with malware on their personal or professional device. Online forms of baiting consist of “pharming” attacks, which entice victims to visit malicious sites where they are infected with malware.
Scareware. Scareware is another wide-net attack and is similar to phishing in that it preys on trust and fear. A common scareware example is a popup window appearing in a web browser displaying text such as, “Your computer may be infected!” directing the victim to install a malware program or visit a malicious website.
Spear phishing. Spear phishing is a targeted version of the phishing scam, whereby an attacker chooses specific individuals or enterprises. Think of spear phishing as a long con. A criminal will pick their mark well in advance of carrying out any hacking. Once a victim is identified, the criminal will monitor that individual’s behavior and routines online to determine the best way to target their personal or professional accounts. They then tailor their phishing messages to make their attack less conspicuous. For instance, a spear phishing attack might appear to come from a trusted organization a company does business with and target only a few employees, using personal information that tricks the victim into thinking it is legitimate.
Pretexting. Like spear phishing, pretexting takes time to set up. An attacker usually starts by establishing trust with their victim by impersonating coworkers, vendors, bank personnel, tax officials, or other trusted individuals. The pretexter then asks the victim questions designed to elicit sensitive information, such as asking them to “confirm” birthdates, Social Security numbers, account numbers, or even details of a company’s physical or IT security controls.
Social engineering is a real threat we all face online. But if you practice good cyber hygiene and follow the tips provided in this column each month, you’ll know what to watch out for. The first defense against cybercrime is education, and that’s where the Acuity Cyber Coaches come in!