Tom’s Guide
Amber Bouman

What is social engineering and how to avoid becoming a victim

Social engineering may be a term you’ve heard of – much like phishing, it’s a method used by hackers and other bad actors. It’s essentially a form of manipulation used to get you to reveal sensitive information about yourself that they can then use for malicious purposes. However, while phishing is usually a digital method that relies on emails or messages intended to steal personal data, social engineering is a broader term that covers a variety of different techniques.

Social engineering can encompass different types of manipulation designed to get you to give out personal details, and there are a variety of tactics a bad actor might employ. Pretexting, baiting, tailgating and quid pro quo are all examples of social engineering techniques. The goal of social engineering is to get the target to do what the attacker wants, whether that’s giving out additional information or granting physical access to a location.

Pretexting

A method that uses a fabricated story (the pretext) to trick the victim into sharing sensitive or personal information about themselves or their organization, downloading malware, or sending money – and especially gift cards.

Baiting

A baiting attack can be physical, such as when threat actors leave malware-infected flash drives in public places for people to find and plug in, or online, such as when attackers use enticing or misleading ads to get victims to click through to malware-infected applications or websites.

Tailgating

Also called piggybacking, a tailgating attack is a physical security breach in which someone attempts to enter a restricted area by following an employee or other individual who is authorized to be there.

This may be something as simple as tricking an employee into holding the door open behind them, or following them in without the employee realizing. Once inside, the attacker can gain access to documents or breach the network via a cyberattack.

Quid Pro Quo

In this attack, the malicious actor usually offers a helpful service first, then requests sensitive information or access to a system in exchange. A common example is an attacker pretending to be IT support and fixing a technical issue, then requesting login credentials or remote access, or impersonating a bank representative and asking for account details in order to ‘verify’ suspicious activity.

How you can protect yourself

Make sure you’re up to date on your company’s policies regarding physical building access and security. Don’t let anyone follow you into the building unless you know and recognize them. Don’t give out building codes or gate codes to anyone you don’t know. If someone looks like they’re delivering something, make sure they’re escorted to the appropriate location.

Enable two-factor or multi-factor authentication wherever possible, on all your devices. This reduces the risk that an attacker can access your accounts and limits the damage that can be done if one password is exposed. Also, make sure you create strong passwords yourself or use a password manager to generate them for all of your accounts – particularly sensitive ones such as your financial and personal accounts.

Always keep the best antivirus programs installed and current on your PC, and for your mobile devices running Android we have recommendations for the best Android antivirus apps. This means that even if a bad actor is able to trick you into visiting a malicious link or website, your computer or smartphone has an extra layer of protection to help keep you safe. Some of those programs also offer additional safeguards for your privacy and security by providing a VPN or a hardened browser.

Learn to listen to your instincts. If something seems suspicious or too good to be true, it probably is. If you don’t know someone, don’t give them any of your personal information or access to any of your data. And even if an email comes through that seems to be from someone you know, verify it with them through another channel first.
