What You Need to Know About Social Engineering to Protect Your Passwords and Virtual Identity
The term 'social engineering' dates back to the late 19th century, when it was coined by European industrialists who had some issues with disgruntled employees. Their idea was that just as regular engineers can use expertise to solve problems related to machines, social engineers can use their knowledge to solve problems related to the workforce. As with so many other things, the notion of social engineering has changed rather a lot over the last century or so.
Nowadays, social engineering, especially in the context of information security, is, in simple terms, a powerful tool that lets cybercriminals carry out successful attacks without using any technical skills.
The misconceptions around "hacking"
Many people wrongly assume that to carry out an online attack, you need to "hack" into something. That's because many people don't really understand what a "hack" is. Hacking is the act of overcoming the defenses of a computer system using your technical expertise. If you don't have technical expertise, you can't hack into things. It's as simple as that.
Unfortunately, in some cases, hacking isn't required. If you have the password that lets you unlock a phone or a computer, for example, you don't need to reverse engineer the operating system and find a never-before-discovered bug that will let you in. In such cases, all you need to know is where to enter the password.
Hacking the human, not the machine
With all that said, you might be fooled into thinking that social engineering is for the less sophisticated wannabe crooks. That, you'll find, is not the case.
Some might argue that referring to scammers as "social engineers" is just a way of sounding pompous, but there's a lot more to it than that. Good social engineers might not know how to fool your anti-virus system, but they do know how to fool you.
They are not regular con artists. They know a lot about the psychology of their victims, and they're very good at predicting how a human being is going to react to a particular situation. Because they have such a thorough understanding of how the human brain is wired up, they can put you in a position that will make you do certain things that you normally wouldn't. Suddenly, you can see why we call them social engineers – just like a regular engineer can manipulate a machine to work in a particular manner, a social engineer can manipulate you into giving your password away or sending money to the wrong address.
What can we do about it?
Sadly, the answer to this question is "Not much." There are people who have dedicated their careers to studying the social engineering tricks used by the crooks, and thanks to their research, we now know that usually, a social engineering attack puts you in a situation where you must act quickly or face terrible consequences. Unfortunately, despite their hard work, the experts can do nothing to predict what sort of scheme the criminals are going to pull off next.
The simple fact of the matter is that social engineering, like everything else related to cybercrime, never sits still. Classic phishing attacks are an everyday occurrence, and you are probably used to them already. There are, however, countless other, more sophisticated tricks, and although some have been more effective than others, it's safe to say that the carefully thought-out campaigns have left quite a mark. Examples?
Not more than a couple of months ago, we saw crooks using databases of leaked passwords to scare users into thinking that they had fallen victim to a sophisticated malware campaign that not only steals their password but also silently turns on their web camera at some very inappropriate times. Of course, this was all a lie, but the presence of a real password (albeit an old one) made it all the more believable, and in the end, the crooks made off with about half a million dollars. If they had bothered to look for passwords that weren't so old, they would probably have earned even more bitcoins.
This, of course, is just one example of an attack based on social engineering. There are many others, and listing them all in one place is just not possible. Predicting what the next trend will be is even more far-fetched, which means that it's up to you to keep your guard up.
Social engineering is often classified as a confidence trick, and confidence tricks rely on gaining your trust and then abusing it. It's far easier said than done, but we can't emphasize enough how important it is not to blindly trust people on the internet. This is pretty much the only thing that can thwart the social engineering attacks that will inevitably target you.