If you've ever watched the movies “Hackers,” “Sneakers” or “Now You See Me,” you've seen social engineering at work. In each movie, the main characters use psychological tactics to obtain sensitive information they can use to figure out a password or gain access to a building or computer. Another common example of social engineering is the Nigerian Prince scam, in which an attacker feeds into a person's inclination toward sympathy and maybe even creates a short-term version of Stockholm syndrome.
Social engineering can be performed using different techniques, including asking someone the right questions, impersonating an official who seems to legitimately need information or sending official-looking emails with attachments that have malicious programs designed to record passwords. Actual hacking through a computer's system has long been thought of as the only way to gain access to confidential information, but that's just not true. It's much easier to manipulate someone to get a password than it is to hack one's way through the tough antivirus security that's available today.
Attackers include malware on flash drives or CDs and leave them about for an unwitting victim to pick up and insert into their computer or laptop. They bank on people’s inherent curiosity and greed when they use this technique. It's a lot like the wooden horse the Greeks left at Troy, secretly filled with soldiers who infiltrated the city. Once the victim inserts the media, the attacker can access the computer as well as any other computers connected to its network.
Although antivirus software can help protect your account from malicious attacks, it can't shield you from phishing attempts. Attackers use phishing techniques like sending targets links or attachments that are laced with keystroke recorders, also known as keyloggers. These recorders track what you type and send the information back to the attacker.
Some attackers know how to exploit vulnerabilities in various programs you generally have running. For example, Adobe Flash had a known vulnerability that allowed one attacker to install a backdoor through an Excel spreadsheet. This was the RSA SecurID breach, which ended up costing the company $66 million in recovery.
It's common to get a phone call from a machine to inform you of something such as unusual activity on your credit card – that's why phone phishing works well for some attackers. Typically, a machine calls and a recorded message plays about some urgent need to talk to you. The recording requests you call a toll-free number and enter information for verification. If you call in and enter information like PINs or passwords, they may be rejected, and you will be transferred to a person posing as a customer service representative. This person follows up with questions to get even more information such as an email address, home address or even a Social Security number.
When an unauthorized person gains access to a building without the proper ID or a key, it’s known as piggybacking. The attacker may use a distraction or convince a person who does have access that they forgot their ID or can't swipe their own card for whatever reason, appealing to the person's desire to help. Another example is when an attacker gains access to a restricted area simply by blending in with an authorized group as it enters.
The key to social engineering by way of pretexting is trust. People who use it to access your computer or private information employ a variety of tactics to gain your trust, and it's usually with sympathy, flattery and distraction. It can happen in person, over the phone or online.
Antivirus software is one way you can protect yourself against scammers and attackers who want to gain access to your employer's building, your computer or your financial accounts. The results of a successful social engineering attack could be identity theft, pilfered funds, a breach of usernames and passwords, or leaked personal information. Still, there are other ways you can protect yourself and your employer from con artists who use social tactics.