Is someone ‘social engineering’ you right now?

How do you know if someone is using social engineering to manipulate you?

Phishing attacks are on the rise, which means you probably already have a scammer in your inbox, waiting for your click.

Here are some tips and tricks from social engineering experts to help you spot the scam.

Watch here:

Cultivating Trust

They seemed so generous — students from Cambridge University, volunteering to help refugees from wars in the Middle East.

“They had spent ages liking Cambridge Facebook pages and so they’ve established this trust,” said Kieren Lovell, the former head of CamCERT who is now head of TalTech CERT and a social engineering instructor at King’s and Pembroke College, University of Cambridge.

“It looked like a legitimate page that students have made,” he added.

But Lovell says the charity was fake, designed to collect money for malicious hackers, using real students to spread the word about their fake site.

“We were the ones that were sharing it. It was our own students and staff. Because, why not? Why wouldn’t you? It’s to help refugees,” Lovell said. “Playing the long game really pays off.”

The Long Game

Social engineers use the long game in dating scams and on LinkedIn, when you connect to a contact who’s spying on you or your company, like this fake account for a fake person, “Katie Jones.”

Her face was generated by artificial intelligence, reported by the Associated Press.

They may groom you for months before moving in.

“The long play is the one that will work,” Lovell said.

 

Fake social media social engineering profile
A fake LinkedIn account with an AI-generated profile picture, according to the Associated Press. Image: AP

The Short Game

But the short play works well, too.

The request from your boss’ email account, asking you to wire money on short notice.

The infamous “there’s a problem with your account” message, telling you it’s time to reset your password or verify your identity.

The fake resumes and job offers.

And even further, the sextortion messages that use just a little bit of real info, like one of your passwords from a data breach, to convince you they really do have your sensitive video or images.

“There is no compromise. There is no malware. But the fact that it’s got something, your password,” explained Lovell. “Now the passwords are probably old, but everyone reuses passwords.”

What Can You Do?

Learn some of their tricks.

“What they’re trying to do is get your emotions high. So, I’m happy because I’ve got a discount. I’m a bit worried because I’ve got a parking ticket or a speeding ticket,” said Jenny Radcliffe of Human Factor Security. “In that moment, the social engineer will give you a course of action.”

Then, they may try to take your money or your information, or download ransomware or malware, perhaps like a RAT.

Radcliffe has manipulated her way into big companies around the world to help them learn about social engineering attacks.

She offers these red flags of a social engineering attack in progress.

“Are they rushing you? Are they mentioning money? And do they need information from you or for you to do something for them?” she asked. “If those things come up, then we should really take a step back, verify if the person is genuine, if the request is genuine, and from thereon, make a decision as to what to do for the best.”

A sophisticated phishing email used in a security test. Image: KnowBe4

Fight the Urge to Click

Slow down and verify. The attackers want you to react without thinking or checking for signs of phishing or deception.

Think it through. Could this be an attacker trying to manipulate me, and if so, how?

Ask yourself if it’s worth it to click the link — or do what the social engineer wants from you — if the end result is a ransomware attack, bank account theft or other cyber attack.

Find another way to check the information and report the message if you think it’s a scam.

See your inbox and your phone as a path for an attackers, not just a way to communicate with friends, family and co-workers.

More Help

Radcliffe also encourages you to:

—Update your devices as soon as the updates comes in

—Use different passwords for every account

—Use strong passwords

—File them in a password manager

Start with your most important accounts.

“Do three, and then two or three next week. And the next three,” Radcliffe advised. “Just keep that up-to-date. It seems like a lot of trouble, but it’s a lot less trouble than being hacked.”

Guard Up

Lovell and Radcliffe also recommend you check your online footprint to see how social engineers might attack you and what information they might use against you.

“People don’t realize how common this is,” said Radcliffe.

“Don’t think it won’t be you,” said Lovell.

If you do get hit, don’t feel bad. And do report it as soon as possible, Lovell urged.

“If you do fall for a financial scam or if you click a link, the quicker you tell somebody to get it locked out, the less the damage,” Lovell said. “Most of the time, you can actually quash it if it’s within ten minutes, because they haven’t accessed the account.”

 

Main image: Silhouette of woman with laptop. Image: NoSystem Images/iStock



Leave a Reply