When it comes to cyber security, even the strongest information security systems are vulnerable when the people accessing those systems are tricked into giving away their passwords and login credentials.
“Social engineering” is the process by which criminals exploit our basic human urge to respond to urgent requests, be useful or help out a friend in need, to lure us into providing information that can be used to commit financial fraud.
Rather than using technical hacking techniques to conduct a cyber security attack, social engineers use manipulation and human psychology to spin a story that they hope we’ll believe.
Social engineering scams can take many forms, but a few common ones include:
- phishing or smishing – cyber criminals send you an email or text that attempts to trick you into volunteering information and/or to install malware on your computer by sending you infected links or attachments. For example, criminals are taking advantage of the pandemic to send phishing and texting scams capitalizing on fears and anxiety about COVID‑19.
- vishing or voicemail phishing – a fraudster calls you on the phone and tries to trick you into revealing sensitive information like your password, threatens you about phony debts that you owe, or attempts to trick you into paying a fee or debt with gift cards.
- email hacking – a criminal hacks into your email account and sends emails to your friends and family to trick them into clicking on links or sending money for bogus emergencies. When targeted at businesses, as in Business Email Compromise fraud, email hacking is just one of the tactics cyber criminals use to attempt to trick unsuspecting employees and executives.
- baiting – a cyber criminal leaves a malware-infected portable drive in a public place with a tempting label like “confidential”; when you plug it in, it installs malicious software on your computer.
3 ways to spot social engineering techniques
- Using fear as a motivator. Threatening or intimidating emails, phone calls and texts are techniques social engineers use to scare you into acting on their demands for personal information or money.
- Suspicious emails or texts that include urgent requests for personal information are a major red flag that someone is trying to trick you.
- Too-good-to-be-true offers or unusual requirements. If an online contact offers you free access to an app, game or program in exchange for login credentials, beware. Similarly, free offers online can often contain malicious code.
How to protect yourself
- Be suspicious of requests for your personal information. Remember, your bank will never send you an email, or call you on the phone, asking you to disclose personal information such as your password, credit or debit card number, or your mother’s maiden name. Learn how to spot a phishing scam.
- Install anti-virus, anti-spyware and Internet firewall tools purchased from trusted retailers or suppliers. Keep these programs enabled and continuously updated to protect your devices against malicious software.
- Be wary of downloading free apps, files, programs, software or screensavers – malicious code, like spyware (that secretly monitors what you do online) and keystroke loggers (that secretly track what you are typing) can be hidden within the downloaded file or app and used to access personal information, such as login credentials.
Sign up for the CBA’s free fraud prevention newsletter to learn about the latest scams.