Social Engineering: Playing Online Defense
Long gone are the days when the most dangerous thing you could do on the internet was enter a chat room full of strangers from every corner of the internet, or download the latest Backstreet Boys song on LimeWire. A lot has happened in the forty-four years since Bob Kahn and Vincent Cerf invented the internet.1 Unfortunately, a large chunk of that action has been nefarious. Internet crime is on the rise.2 As the internet has evolved, so have the methods used by criminals to steal information, money, and peace of mind from everyday users of the world wide web. Today, we know that cybercrime is often accomplished through Social Engineering, and a good defense is the best offense you can have when conducting business or having fun on the internet.
What Is Social Engineering?
Social Engineering tactics trick people into sharing important, like private security information that can aid attackers in carrying out a cybercrime.3 For example, an appeal might be made to a person’s humanity when talking with a scammer over the phone in the following way:
- An attacker reaches out to the victim via phone saying there’s a problem with their account.
- The victim believes they are in danger because the attacker utilizes emotional language and urgency.
- The attacker tells the victim the issue can be resolved more quickly or easily if the victim shares their password or identifying information.
- Victim shares what is asked, allowing the attacker to access the account or private information.
- Chaos ensues, and all the victim did was try to be a “good person” or a “responsible” account holder.
Types of Social Engineering Attacks
While Phishing is a commonly employed attack, it’s a good idea to be familiar with all of the potential avenues criminals may employ when attempting to take advantage of their victims. The more you know about the different types of social engineering attacks,4 the easier it will be to play defense.
Phishing: Attackers will try to get you to click on a link in an email, SMS, or webpage which can act as a hook, line, and sinker for your online security, hence the name being similar to “fishing.” Criminals are quite literally “fishing” for victims.
Malware: Attackers will once again prey on your emotional instincts by implying that if you do not quickly download their software, you could face consequences. The only consequences are to your online health when you download malware that can allow criminals access to your most personal information.
Baiting: : Like bait on a hook, this tactic promises something more delicious than a worm—a prize, money, or accolade. All you must do? Share personal information with a would-be attacker. Typically, attackers will indicate that action must be taken quickly which lessens the chance that the victim will identify the request as a scam.
Quid-Pro Quo: Attackers love to play a part, that’s why we call them bad actors. When one of these criminals pretends to be someone who should be trusted to provide help to their victims, they’re employing the social engineering technique “quid-pro quo” but typically there are red flags—urgency, language that seems off, and threatening behavior to name a few. If you did not initiate a conversation with an IT specialist or account representative, extreme caution should be employed.
Tailgating: If you live or work in a secure building, keep an eye on anyone following you. Everyone entering a secure area should have their own badge or keycard for entry. As awkward as you may feel, it’s totally acceptable and important to tell security if someone you don’t recognize follows you in. Caution should be always exercised when dealing with someone in person, so ask for help from security if you’re concerned.
Vishing: It’s like Phishing but with voicemail. Get it? Voice-phishing? Even cybersecurity needs a little comic relief, although I’m sure the name wasn’t created with comedy in mind. When you receive a voicemail from someone who says they are, for example, the IRS or a tax collector you may have a vishing attempt in your inbox.
Spear Phishing: Sticking with the fishing analogy, Spear Phishing, like the outdoor sports/hunting equivalent is used to capture larger prey. Large companies can be victims of Spear Phishing when employees click on links or fall for criminal tricks opening their organization up for serious attack.
Water-Holing: Just like an animal out on the open range can be led to a water hole, humans can behave similarly online. Stick with me, here. Cyber criminals can set up websites that look and act like legitimate sites, but the sites host malware. Once a victim accesses such a site and interacts, BAM malware attacks. Always double check URLs for accuracy because these bad actors are sneaky and tricky.
Pretexting: Cybercriminals are bad actors, usually. However, some of them are trying to win Oscars each Spring. When these attackers utilize their acting skills (if we can call them skills), innocent people can become victims. This happens when an attacker pretends to be someone the victim really trusts like a family member or employee of a trusted company. Their conversations lead to the extraction of personal information from the victim that can be used against them.
Playing Defense Against Social Engineering
All this information could feel a little overwhelming, but the internet isn’t just this pit of danger you should avoid. On the contrary, the internet has given us a lot of gifts over the years—like connection and accessibility. You can protect yourself, first and foremost, by taking your time. When you receive a call, a text, an email, or any type of communication or request, take a moment to process. Assess whether the person you’re interacting with is a legitimate member of the team they claim to represent. Most financial institutions will not reach out to you with anything other than expected communications or alerts. If you receive word that something is wrong with an account that you do in fact regularly access, confirm that the number, email, or person is one that you are familiar with. You can always hang up, disconnect, delete, or stop the conversation. Utilize the numbers, emails, and websites that you know for a fact are legitimate and reach out to a representative to double check the accuracy of the communication you’re questioning.
Legitimate companies are happy to assist in the prevention of fraud. In fact, they are incredibly appreciative of any effort made to deter criminals from accessing your information and by proxy their information. Never allow a “representative” to bully you into providing information. Slow down, ask for proof, and remember that no one will ever ask you for your personal identifying information, passwords, or login information unless you have initiated a conversation or application where those things would be an expected part of the process. Everyone is aware of the danger and high cost associated with cybercrime, so questions will not be out of the ordinary for a legitimate associate.
When possible, it’s also a great idea to utilize multi-factor authentication for any account where available. The more steps a criminal must take to access your account, the better. Another great way to keep your hardware safe is to install monitoring software or regularly check for viruses using an anti-virus website. While playing defense can sound a little intimidating, have courage. You are your own best protector online, and you can arm yourself with knowledge which, in most situations including when facing social engineering, is a powerful thing.
Attackers prey on emotion, and unfortunately, it’s extremely effective. It’s estimated that cybercrime will cost around $10.5 Trillion globally in 2025.2 That is an incredible amount of money, and no one wants to be added to the number of people who are scammed each year. Yet, each year people fall victim. To be clear, while people like my late grandmother who wasn’t as familiar with technology are quite often the target victim, it isn’t just people with less experience who can be the prey of cybercriminals. No matter how savvy you are, playing defense is in your best interest when venturing online, into your email, or when opening a text or answering a phone call.
Sources:
1. Hogeback, Jonathan Who Invented the Internet Retrieved from: https://www.britannica.com/story/who-invented-the-internet
2. Mehdi Punjwani and Sierra Campbell, USA Today Cybersecurity statistics in 2024 Retrieved from: https://www.britannica.com/story/who-invented-the-internet
3. IBM What is social engineering? Retrieved from: https://www.ibm.com/topics/social-engineering
4. Terranova Security (2023, Apr 14). 9 Examples of Social Engineering Attacks Retrieved from: https://terranovasecurity.com/examples-of-social-engineering-attacks/