If you watch a lot of movies, you might picture a “hacker” as a skinny kid in a hoodie, slouching over a laptop and hammering furiously at a keyboard, trying to get past the robust defenses of a major organization. But attackers also come in much subtler, harder-to-identify forms.
One common strategy is social engineering, which lets even amateurs gain access to entire systems by manipulating the people around those systems rather than the systems themselves. But how exactly does it work? And how can you protect yourself against it?
What Is Social Engineering?
What is social engineering, exactly? According to blog.Box.com, social engineering is “a type of hacking that has almost nothing to do with technical security but everything to do with convincing people to divulge sensitive information or otherwise comply with an attacker’s requests. This situation might involve downloading a link with malware, sending a confidential document, giving out one’s social security number, or initiating a payment. A social engineering hack can target both personal information and business data.”
In other words, social engineering is nothing like the hacking you usually see in TV shows and movies. There’s no genius hiding in a data center, typing aggressively and trying to break through a firewall. Instead, it’s a friendly face who walks into your office and starts making small talk, or a friendly voice on the phone who lulls you into a false sense of security with a handful of compliments and jokes.
These manipulators have spent a lot of time and effort practicing how to lower a target’s defenses. In a matter of minutes, they can convince you that they’re a professional who works for a business you know and trust. From there, it’s easy for them to get your password or recruit you to help them achieve their goals.
Examples of Social Engineering
It’s easiest to understand social engineering with a couple of examples.
Let’s say someone calls you and claims to be a representative of Google. You use Gmail for your work email, and they inform you that your account has been compromised. In your initial wave of panic, you may neglect to verify that this person is actually from Google, or that your account has been breached at all.
The caller then offers to help you restore the account. All they need, they say, is for you to confirm your password so they can log in and fix it. You hand it over, and now the false representative can access your account, and potentially many of your other accounts if you reuse the same password across them. Note what actually happened: the attacker never touched Google’s systems; they simply asked for the credential and were given it.
This isn’t the only way social engineering can unfold. Someone wearing a high-vis jacket and carrying a clipboard can walk straight into your data center or warehouse and do almost anything they want, unless someone proactively stops them and asks who they are and who authorized their visit.
Why Social Engineering Is So Useful
Social engineering is useful for hackers for a variety of reasons:
- No technical skill required. You don’t need to be a programmer, nor do you need any background in cybersecurity, to launch a social engineering attack. All you need is a bit of confidence and some knowledge of human weaknesses.
- Unlimited targets. Anyone can be the target of social engineering. The largest corporations can spend practically unlimited amounts of money on robust technical defenses, but even these lucrative targets remain vulnerable, since all it takes is one employee falling for a social engineering scam.
- Human susceptibility. Most of us are susceptible to social engineering, whether we want to admit it or not. We’re naturally trusting and biased creatures, and those tendencies are relatively easy to exploit. In most cases, it’s much easier to get past a person than through a firewall or VPN gateway.
How to Guard Against Social Engineering
So what steps can you take to guard against social engineering?
- Take your time. Don’t make rash or impulsive decisions. Social engineers prey on people’s natural tendency to trust and to act quickly, which is why so many pretexts manufacture urgency (“your account will be locked within the hour”). It’s much better to slow down, evaluate the situation, and only reveal information when it is genuinely necessary.
- Do your research. If you get a suspicious email or phone call, search for some of the key phrases used in the message; you’ll often find a wave of people online who received similar messages and worked out they were a scam.
- Identify trusted and untrusted sources. Decide which sources you trust and which you don’t, and never open files from, or comply with requests made by, untrusted sources.
- Beware of links, attachments, and downloads. Links, attachments, and downloads are some of the easiest ways to get malware onto a computer. Never click a suspicious link, open a suspicious attachment, or start a download you don’t fully trust.
- Always ask for verification. Don’t take a person’s word at face value. Verify their identity through a channel you control: hang up and call the company back on a number you look up yourself (not one the caller gives you), or contact the colleague or department they claim to be acting for directly.
- Never voluntarily give away personal information. Never give away your password or other sensitive details. No reputable company will ask you for your password, one-time code, or other login credentials; a request for them is itself a red flag.
- Delete information you no longer need and limit access. You can also limit an organization’s exposure to social engineering by deleting data you no longer need and limiting each person’s access to what their role requires. If one person falls for a social engineering trick, the attacker gains only that person’s access, which is a small fraction of your data rather than all of it.
- Train and educate your employees. Don’t assume that your employees all know, understand, and follow these strategies. Train them so they’re prepared, and make it easy and blame-free to report a suspicious call or email.
It’s tough to develop perfect defenses against social engineering because social engineering can take so many different forms. However, if you’re thoughtful and proactive about your social engineering defenses, you should be able to thwart the majority of criminal efforts against you.