Social engineering is one of the most common, and most effective, ways that attackers acquire your personal information to use in some nefarious way. Whether a person tricks you into downloading malware to take over your computer, or a keylogger to record what you type (including passwords), or they con you into giving personal information, these are all ways to get access to your financial records, email accounts or your information to use for stealing your identity.
It's sometimes difficult to know how to protect yourself from this real threat. When it comes to your personal and sensitive information, you should be just shy of paranoid. There are some measures you can take to ensure your accounts and personally identifiable information stay safe.
One of the most common attacks is through email. Phishing is an attempt to get your password to your email account, financial accounts or other websites. Many people use one password for all of their accounts, so if a thief gets ahold of one of your passwords, they may try using it for a variety of websites.
You can protect yourself by being careful to not click on links or download any attachments you receive through email from people you don't know or trust. Even if an email is from someone you know, double-check the URL or attachment and verify with the sender, if you're unsure.
Also, never provide personal or financial information through email. Many people try to appear look like legitimate professionals from, say, a banking website and ask for your information through the email, or ask you to click a link to verify your information. If you're suspicious at all, get in touch with your bank directly.
If you get a phone call from a number you don't recognize, play it safe by simply not answering. If it's important, the person will leave a voice message. When you follow up, be sure to contact the company someone claims they're from, and try to verify the person is actually who they say they are — you can never be too careful.
Flash Drives & DVDs
You've probably heard that you should never pet a dog you don't know, right? The same advice applies to media storage devices you may find in public. It's tempting to pick up that USB flash drive labeled "payroll" or "quarter 2 earnings," but you could be inviting a Trojan horse into your computer.
Baiting is a common way for people to harvest passwords and gain access to corporate networks. When in doubt, throw it out. There may be malware piggybacking on whatever document is on that mystery flash drive or DVD.
By now, the whole Nigerian Prince scam is well-known enough that people don't fall for it anymore, right? You would think so, but even with the countless stories of people losing thousands of dollars in the scam, people still fall for it. However, many social engineers are professionals at connecting with a lonely person, and emotions can be powerful. These con artists are good at playing the long con, so they will say everything a person wants to hear, and then often set up a plan to fly to see them. That's when they ask for the money. The emotions outweigh any logical reasoning.
Try to take a step back whenever you're pursing a relationship with someone and they ask for money. Ask yourself why they need the money from you if they're coming to see you. Consider meeting at a halfway point, and in public. If you're unsure at all, just don't open your wallet.
Social engineering is sort of like hacking a person's emotions, rather than the actual computer or website. It's not uncommon for a person who's out to get your password, confidential information about the company you work for, or any other information that's valuable to them, to turn to social media.
All a person has to do is go to LinkedIn to find your profile and see you work for XYZ company, then go to your Facebook page to learn a little more about you: family, friends, hobbies. Now a con artist can whip up a text or email and send it with a link or attachment to you that contains some sort of malware that can seriously ruin your day, and potentially the company you work for, or their clients.
When possible, make your social media accounts as private as possible. You can make your posts available for friends and family only. And you should be careful with any request sent to you through social media platforms, messages and emails.
Always, always, always check the URL of any website before you visit it. Social engineering hackers often carefully groom their targets so they can ensure a click of a link. Look for misspellings in the URL and check to make sure it's the right domain (.com, .org, etc.).
Social engineers often prey on those who are seeking something, such as love online, or a job. If a job posting seems too good to be true, it may be. Ensure that the listing is legitimate by going to the company's actual website, or go through steps to verify the person who posted the listing is legitimate.
Social engineering isn't limited to digital forms either. Be wary of individuals who ask you for sensitive information. Even if it seems harmless, the con artist could use seemingly innocuous information to gain access to your accounts. For example, your mother's maiden name, the name of your favorite pet, your best friend's name, or your son's birthday could all be security questions on a banking website that a person could use to try to get in and change your password, and start making wire transfers.
If you have the option of using two-step verification, use it. It's one of the best ways to protect your accounts.
Tips on Passwords
Some of the most common passwords people use today include 123456, qwerty, password and 111111. You need more than antivirus software for internet security, and that means using a hard-to-guess password. Also, be aware of passwords that have anything to do with pets, children, birthdays or addresses. The information you share on social media sites can be used by someone who wants access to your banking account, social sites or credit card accounts online. So, if your cat is named Fluffy, and your birthday is March 7, 1980, it's not the best idea to secure your accounts with fluffy3780.
Use a phrase or sentence as a password that's 12 to 16 characters long, if you can, and mix up the password with special characters, capitalized letters and numbers.
The most important takeaway from this is that you should always be on the lookout for someone trying to butter you up for information. Don't offer any personal information to someone seeking it. If you get a call, an email or an in-person request for information, verify. As a general rule, no one from any organization is going to ask for your password.