For those concerned about identity theft, it’s worth considering that some of the most effective techniques don’t rely on computer hacks or cutting-edge technology; instead, they are a more analog approach to the digital world.
To a sophisticated fraudster, it doesn’t take a social security number to hijack someone’s life, and in their quest for personal information, many would-be thieves are going back to basics. For the security-conscious, many people have taken steps to batten down the hatches on their computers and online accounts. However, social engineering relies on tricking people rather than machines, so different safeguards are required.
What Is It?
Social engineering is a process through which thieves gain access to confidential information by manipulating the person holding it. Thieves use several paths to get to the individual they’re targeting, but most commonly, they use the individual himself, his friends and family, or a customer service representative who works for a company with whom the target has an account.
Each channel requires different tactics, but each involves tricking an unwitting participant into sharing information that helps to further penetrate the victim’s life. Password hacking relies on brute force to test countless combinations, but this form of exploitation is more nuanced and can often be far easier and quicker for a seasoned con artist.
Scammers want to make money, so the goal is almost always accessing the victim’s finances, but while their paths are limitless, they can typically be broken into a few categories.
Pretexting is the process of gaining information useful in context to impersonate a legitimate person. Common examples include uncovering an email address, phone number, account number or a bill payment. With this information, thieves can reach out to a company and impersonate the victim in the hopes of gaining login credentials, or of being granted permission to reset the login credentials. This information might lead to a stored credit card, or it can be tested on other platforms, considering the tendency of the general public to re-use passwords.
Some thieves use the pretext information on the victim directly, posing as a representative of the company through which they hold an account. This data helps bolster legitimacy, and it encourages the victim to divulge more than he or she typically would with a stranger. Again, the desired goal is usually payment information.
Once a thief accesses an account, he can try these login credentials on other sites, such as email and social media accounts, to reach the victim’s contacts in a phishing scam. By sending messages impersonating the victim and sharing malicious links to an unsuspecting target from a trusted source, the cyberthief may install keystroke loggers that record every key the user presses and uncover login credentials. Alternatively, the thief may install a form of malware that takes the computer hostage, allowing access only after a fee is paid. These “ransomware” attacks can be extremely costly, even though the cyberthief never gains access to the victim’s bank account.
Baiting is a similar tactic; scammers install malicious software without targeting a specific victim. A media device such as a USB drive, CD or music player is left in the open for a victim to find and plug into a computer, thinking that by doing so, she can uncover the identity of the owner or to explore what’s inside. Doing so can immediately load malicious code that’s pre-installed on the device, infecting the finder’s computer as if she had clicked a link.
How to Protect Yourself
In a business setting, be sure to provide proper training on handling sensitive information. Establishing a known protocol creates a security-conscious environment in which employees are informed and accountable.
Don’t click unknown links or plug in unknown devices. Employ healthy skepticism, so if a friend sends a suspicious message that contains links, reach out to him through another channel to confirm the legitimacy without relying on the potentially compromised account.
Two-factor login verification requires a user to confirm his identity through multiple devices. This is most commonly done by online login and confirmation with a cellphone text message, and it decreases the likelihood that a thief can gain entry by forcing him to gain access to another area of the victim’s life.
Inquire with your bank, utility and telecom services about adding additional security to your account. While not mandatory, many companies offer the option of adding a PIN number or verbal password that adds another barrier between your information and the outside world.