How do social engineering attacks work?
Just like any manipulation tactic, social engineering works by capitalizing on a person's existing fears. Even the most cautious parties can fall victim to the right attack at the right time. Knowing some of the things scammers do to prepare for an attack can help you to better protect against one. It’s important to know that:
- Scammers will do research on you. You might be surprised how easy it is for people to find personal information about others online — including you. Whether it's through something as simple as a Google search or as complex as a database hack, if someone comes to you knowing things about you that you don’t expect, you’re more likely to let your guard down.
- Scammers will exploit your existing anxieties. During the height of the COVID-19 pandemic, there was a huge increase in social engineering scams. One of the most common ones was false contact tracing that would steal personal information via people’s phones. The reason this scam was so widespread was because people were already nervous about getting sick and wanted to trust entities offering them a way to protect themselves.
- Scammers will make things feel more time sensitive than they actually are. If someone contacts you saying that they have an opportunity for you to make a lot of money, but the opportunity is only available right now… look closer. There’s a high likelihood that a scam is at play.
What are the most common forms of social engineering?
A successful social engineering attack relies on two things: a template and a trigger. The template is the framework a scammer uses to manipulate, while the trigger is one or multiple factors making the fraud more likely to occur in the first place. For example, someone might use a phishing scam (template) to send fake IRS emails asking seniors for bank account information during tax season (trigger).
Triggers will always be situational and difficult to predict. Templates, however, can be studied to help protect you and your family from potential financial harm.
Here are the six most commonly faced modern social engineering attack templates:
Phishing
According to statistics from the FBI, they average more than 240,000 phishing reports equating to losses upwards of $50 million yearly. Phishing is the act of sending fraudulent emails pretending to be from a reputable source, attempting to entice users to share private data.
If you’ve ever received an email from someone claiming to be a member of a royal family in need of wire funds, then someone has attempted to phish you. Traditional phishing messages are most commonly unsophisticated and sent in bulk with the goal being to cast as wide a potential victim net as possible.
There is a subset of phishing — called spear phishing — that is slightly more sophisticated. Like the name implies, spear phishing takes a more targeted approach. Instead of sending messages to large and impersonal groups, spear phishing attacks focus on groups that are related but not close enough to notice the subtle hints that something is off. Examples would be people who work in the same department at a large company or volunteers in a church group.
Whaling
Whaling is another form of phishing unique enough to have earned its own moniker. Phishing focuses on large groups, spear phishing on focused groups, and whaling on targeted individuals.
These types of social engineering attacks are most likely to be faced by individuals in positions of power. CEOs, CFOs, and anyone with access to highly valuable business or finance data. Whaling emails address these individuals directly through personal information found online and attempt to trick them into doing things like sending payments or giving administrative access.
Smishing
Smishing is a term used to describe phishing tactics committed solely through text message. It most commonly occurs with scammers acquiring spoofed phone numbers and sending out mass messages featuring malicious links or directions. The same tactics applied to voice calls is referred to as vishing.
Baiting
Baiting is an easy trap to fall into because the scammers lure users into sharing sensitive information by offering something of value in return. These social engineering attacks can be as simple as a pop-up ad that offers free episodes of your favorite television show that, if clicked, infect your computer with data-scraping malware.
Pretexting
Pretexting involves using existing roles or titles to create believable scenarios for manipulation. This can include someone impersonating a member of law enforcement, a tax official, sweepstake organizer, or someone else who you’d be more likely to trust with personal information.
A famous example of this would be when intelligence consultant Edward Snowden told his colleagues that, as systems administrator, he needed their passwords to perform maintenance and then proceeded to acquire confidential NSA documents using that access.
BEC
Business Email Compromise (BEC) is a social engineering tactic that involves someone pretending to be a company executive with financial decision making powers. Impersonation and account compromise are the main types of BEC that companies face. Once a business account is compromised, scammers can trick employees into carrying out financial requests like wire transfers or bank detail updates.
What are common signs of a phishing attempt?
Because phishing is the most commonly faced type of social engineering attack, we wanted to point out a few of the biggest red flags found in phishing emails. Knowing these tells will help you be more aware when you’re being targeted so you can protect yourself accordingly.
- Someone familiar writing in an unfamiliar way. Let's say you get a lot of emails from your Aunt Julie. If, all of a sudden, Aunt Julie sends you an email that starts with "Dear Nephew" instead of her usual “Howdy”, don't let it slide. Someone writing to you in a way that feels slightly off or unfamiliar could be because their account has been compromised.
- Poor grammar or spelling. Nearly all phishing emails use incorrect grammar. It's due in most part to traditional phishing involving trying to message as many people as possible as quickly as possible. When a scammer's reach goes that wide, there isn't as much time for spell check.
- Email addresses that are slightly off. If you get an email that's requesting private information, take a look at who it's coming from. What you might have first read as "email@google.com" might actually be "email@googile.com." By using domain names that are close to trusted sources, scammers can often trick their victims into assuming trust.
- Suspicious attachments. Unless you're explicitly expecting an attachment, never open one.
- They ask you for something you normally wouldn’t share online. All the other signs come back to this one: if you’re being asked to give private information via email, SMS, or voice call… don’t.
What are some examples of real-life social engineering attacks?
Sometimes it's easier to comprehend risks by having real life context to understand them in. Here are a few notorious real-life social engineering incidents from the last decade:
Democratic Party Spear Phishing Attack
This is one of the most well known social engineering attacks of recent history. In 2016, targeted spear phishing messages led to the leak of a large number of private Democratic Party emails. These were the emails frequently referenced during the 2016 election season. What hackers did was send out a request for users to change their passwords due to unusual activity. Anyone who clicked the link then had their inboxes ransacked and information stolen.
Barbara Corcoran Phishing Scam
Celebrity television judge Barbara Corcoran from the business-funding show “Shark Tank” nearly fell victim to a phishing scam in early 2020. A scammer spoofed her assistant's email and sent a request to her accountant with a straightforward request for a real estate renewal payment upwards of $40,000. The only reason she didn't fall victim was because a follow-up email was sent to the proper address asking for clarification. Close call!
Toyota Business Email Compromise
In 2019, attackers contacted a finance executive at Toyota Boshoku Corporation, persuading them to change the recipient's bank account information in an upcoming wire transfer. This BEC incident ended up losing the company over 35 million dollars.
How can I protect myself against social engineering?
- It might feel daunting to discover the breadth of risk that comes from social engineering attacks. After all, you and your family’s financial security is important. While we won’t tell you not to worry, we do want to remind you that the reason you’re reading this webpage is because you want to take steps to protect yourself. Here’s how you can start:
- Recognize the signs. Luckily, you’re already doing a great job of this by reading this web page. Knowing where risks commonly lie makes it easier to avoid their potential impact.
- Ask for identification. If someone is asking you for confidential information, there’s no reason not to ask them for proper identification in turn. If they give you ID, you can check it against their organization’s directory for verification. If they ghost you after your request, you can rest assured that you've avoided a social engineering attack. There's no need to feel like you're being rude or intrusive when all you're doing is protecting yourself from financial fraud.
- Secure your devices. If you're ever unlucky enough to click on a malicious link, you can still protect yourself by making sure your personal devices have up-to-date security measures in place. Make sure you’ve considered the following:
- Antivirus software. Do you have anti-malware and antivirus software on your computer that can prevent malicious programs from downloading themselves? If not, we recommend taking that as a first, immediate step.
- Keep all your security software updated. If you've downloaded security software before, that's great! If you haven't updated it in a long time, however, take the time now to make sure things are up to date.
- Practice safe password use. Passwords are the digital keys to the kingdom, so treat them accordingly. Don't use the same password on all your different accounts. Use capital letters, symbols, and numbers to make your password less easily scraped. Change your passwords every few months for added security as well.
- Turn on two-factor authentication whenever it's available. It can be annoying to get used to at first, but don't let that stop you from taking this incredibly easy step toward better digital safety and fraud protection.
- Think before you click. By creating a false sense of urgency, attackers will try to convince you to click or open things in your email, text, or social inboxes that you shouldn't. Before you click on anything, always take a pause to look more closely at the message and make sure there aren't additional red flags.
- Request time to do research. If someone contacts you online requesting something, especially if it’s suspicious, don’t just give them what they want. If you’re inclined to trust their request, take some time to research what they’re asking for, who they are, and related details before taking any next steps. There’s never any harm in taking the “better safe than sorry” adage to heart.
Social engineering can take many forms, but by knowing the most common tricks, templates, and triggers, you can protect yourself and your loved one's from financial fraud.
The easiest way to stay safe is by paying attention and staying vigilant–by getting to the bottom of this page, you’ve already made a great start.
This article is for informational purposes only. It is not intended to serve as legal, financial, investment or tax advice or indicate that a specific DCU product or service is right for you. For specific advice about your unique circumstances, you may wish to consult a financial professional.
