Often, a scammer pretends to be someone they’re not. They might pose as an employee at your bank who’s calling to inform you that there’s been some unusual activity on your credit card. Or perhaps the scammer will pose as an IRS collections officer and ask you to pay money owed immediately or have your assets frozen.
An invented scenario, or pretext, is typically a key feature for the scammer in any social engineering effort. By posing as a figure of authority or trust and relating a story that seems plausible, they can overcome your natural skepticism and, again, exploit human behavior to get something of value.
Social engineering is used in a variety of scams. Vishing (“voice phishing”) uses social engineering over the phone to run scams, like the ones mentioned above. But it can also be used by criminals for even more elaborate scams—like getting employee log-in credentials or getting insider information about how a business works.
Phishing is an email scam. Spear phishing relies on highly-targeted emails that are specifically aimed at potential victims. And smishing uses text messages to, perhaps, lure its victims to fraudulent web sites or tricks them into sending credit card details over text.
During the holidays when there is a lot of ecommerce shopping happening, a scammer might replicate a shipping email, but the link to track your shipment will activate malware. Since chances are you have made an ecommerce purchase recently, you may be more likely to click on that link.
Baiting is another way that scammers use social engineering. Have you ever come across a USB flash drive or other piece of physical media in a parking lot or at a coffee shop that someone dropped? Now, should we stick something like a mysterious flash drive in our computer? Probably not.
But what if it was labeled “Salaries” or “Personal and Confidential”? Thanks to social engineering, a scammer knows some people just won’t be able to help themselves and they’ll actually plug that flash drive into their computer. And little does the victim know, the flash drive probably contains malware which will infect the host computer and any networks it connects to.
Anyone can be a victim of social engineering, too. Even executives. In fact, there’s even a term for social engineering that’s aimed at CEOs, CFOs and other high-profile employees: “Whaling.”
Many scams—online and offline—use social engineering to get past our defenses. Sometimes the offer of something that seems too good to be true or plays upon our human desire to help someone else in need can be difficult to resist.
The safest way to protect yourself from social engineering—in whatever form— is to never, under any circumstances, divulge personal information over the phone, email or text. And remember these three S’s: slow down, be sensible, be skeptical.
Well-known and trusted brands, like Visa, typically do not contact you over the phone or by email asking for your personal information. The bottom line: protect your information as if it were worth more than gold.
