1 May 2020

SOCIAL ENGINEERING

Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals seek can vary, but when individuals are targeted, the criminals are usually trying to trick them into giving up passwords or bank information, or into granting access to their computer so that malicious software can be secretly installed. That software gives the criminals access to passwords and bank information as well as control over the computer.

What Does a Social Engineering Attack Look Like?

• Email from a friend – Taking advantage of your trust and curiosity. These messages will contain a link or a download.
• Email from another trusted source – Using a compelling story or pretext.
These messages may:
- Urgently ask for your help.
- Use phishing attempts with a legitimate-seeming background.
- Ask you to donate to their charitable fundraiser or some other cause.
- Present a problem that requires you to “verify” your information by clicking on the displayed link and providing information in their form.
- Notify you that you’re a “winner.”
- Pose as a boss or coworker.
• Baiting scenarios
• Response to a question you never had


Common Attack Techniques:

• Pretexting
• Phishing
• Spear phishing
• Scareware
• Baiting

Pretexting – an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task.

• Fraudulent phone calls
• Used to extract information
• Also used to set up other attacks such as facility entry or phishing

Phishing – the process of crafting emails that appear to be from a trusted source and typically invite the recipient to either supply confidential information or click on a malicious link or attachment.

Tips for Identifying Phishing Attempts

• The email asks you to update account information
• There are unfamiliar layouts/designs with no verification images
• The email provides unfamiliar hyperlinks

Spear phishing – This is a more targeted version of the phishing scam whereby an attacker chooses specific individuals or enterprises. They then tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous.

Scareware – involves victims being bombarded with false alarms and fictitious threats. Users are deceived into thinking their system is infected with malware, prompting them to install software that has no real benefit or is malware itself.

Baiting attacks – use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.

How to Protect Yourself:

• Delete any request for financial information or passwords: If you get asked to reply to a message with personal information, it’s a scam.
• Set your spam filters to high.
• Reject requests for help or offers of help – Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question.
• Secure your computing devices by installing anti-virus software, firewalls and email filters, and keep them up to date.
• Don’t open emails and attachments from suspicious sources.
• Use multi-factor authentication.
• Be wary of tempting offers.

By Xuser
