Hackers know that human users are the weakest link in any IT security system. That’s why social engineering attacks, which seek to trick people into handing over their valuable information voluntarily, are becoming more widespread and more sophisticated. If you use the Internet, you need to keep your knowledge of social engineering scams updated, so that you don’t fall for scammers’ tricks.
A healthy dose of suspicion can go a long way towards making sure you don’t fall victim to social engineering scams. Always be wary of emails and phone calls purporting to be from your bank, credit card company, the IRS or other institutions that may have a legitimate reason to need your private info. Scammers often rely on people’s psychological vulnerabilities to manipulate them into doing things they wouldn’t ordinarily do – such as handing out personal information. Here are some of the most common social engineering attacks, and what you can do to avoid falling for them.
Phishing and Spear Phishing
You probably already know what a phishing attack is – it’s when a scammer sends you an email that claims to come from your bank, a lawyer’s office, your credit card company, the IRS or some other official-sounding sender. Most often, this email asks you to follow a link to the organization’s website and log in, to verify your credentials or solve some other problem with your account. Of course, the link doesn’t lead to your actual bank’s website but to a malicious mirror website that allows the scammer to steal your information and gain access to your accounts, or even to your identity.
Another common form of phishing attack preys on your concern for friends and family members. If a hacker gains access to a friend’s email or social media accounts, he or she may use it to send a message to that friend’s contacts asking for help. The message will say that your friend or loved one desperately needs money – most often, the hacker, posing as your loved one, will claim to be stranded penniless in a faraway town or foreign country and will beg you to wire money right away.
Spear phishing uses similar tactics, but it’s more targeted. Scammers use spear phishing when they want to go after someone they know has valuable inside information about an organization. Spear phishing scams may involve emails that look like they’re from a trusted source within the organization. If you think you’re being made the target of a spear phishing attack, pick up the phone and call the person the email claims to be from.
As long as you’re using your best Internet security practices and never let your guard down, you should be safe from phishing attacks. Never click on links in, or download or open attachments from, messages sent by suspicious senders. In fact, it’s a good idea to avoid opening emails in your spam folder at all, unless you know who sent them. Your bank, the IRS or other organizations with which you do business will not contact you about your accounts via email; they’ll do so via snail mail, if necessary. If you receive an email claiming to notify you about problems with a financial account, legal problems, or anything else, you can do one of two things:
- Pick up the phone and call the organization yourself to correct the issue, if there is one; or
- Open a new browser window, type in the institution’s web address yourself, and log in to check your account status; this bypasses the scammer’s fake website and protects your info.
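One defender-side check for the mirror-site trick described above, as an added Python example that is not part of the original article: it pulls every link out of an HTML email body and flags any whose real destination host is not the institution’s own domain, including hosts that merely start with the bank’s name. The sample email body and the domain examplebank.com are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message): the visible link text
# names the bank, but the href points somewhere else entirely.
SAMPLE_EMAIL_HTML = """
<p>Please <a href="http://examplebank.com.account-verify.example.net/login">
log in at https://www.examplebank.com</a> to verify your account.</p>
<p>Or visit <a href="https://www.examplebank.com/help">our help page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def host_belongs_to(host, expected_domain):
    """True only if host is expected_domain itself or a real subdomain of it.
    'examplebank.com.evil.example' fails because it does not END with the
    bank's domain; 'www.examplebank.com' passes."""
    host = host.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def suspicious_links(html, expected_domain):
    """Return (href, visible text) for links not hosted on expected_domain."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not host_belongs_to(host, expected_domain):
            flagged.append((href, text))
    return flagged
```

Running suspicious_links(SAMPLE_EMAIL_HTML, "examplebank.com") flags only the first link, whose visible text shows the bank’s address while its href leads elsewhere; the genuine help-page link passes.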
Vishing
Vishing is very similar to phishing, but it’s carried out over the phone rather than via email. Vishing takes advantage of your natural inclination to trust other people. Thanks to social media, a scammer can look up everything they need to know about a person in order to make himself or herself seem like a legitimate contact.
Just as you should remain suspicious of emails asking for your account information or login credentials, you should be leery of anyone who calls you up asking for personal information about yourself or someone else. Common forms of this scam include calls purporting to be from your credit card company, your bank or the IRS; callers may also pose as IT support staff from Microsoft, claiming to be investigating a malware issue that requires you to give them remote access to your desktop.
Do not give out your account information, personal data or login credentials to anyone who calls asking for them. Hang up on these calls. If you’re worried about your account status, call your bank, credit card company or other institution yourself to ask about the call you received. If you get a call claiming to be from the IRS, hang up and stay calm; the IRS will not call you about money you owe, at least not without sending you several bills in the mail first. If you think you owe the IRS, contact them yourself for help.
Social engineering attacks are getting more sophisticated, but you don’t have to be a victim. Stay on your toes, and don’t give out your personal information or login credentials, no matter who asks.