Cybersecurity has had its time in the spotlight over the past 10 years. As technology becomes more advanced and more people are using technology every day, cybersecurity becomes more important. There are several cyber attacks that are fairly well known, such as ransomware and hacking; however, there is one type of attack that is more insidious than the rest… social engineering. You might ask why social engineering is worse than the other attacks. That is simple: it preys on emotion and personal interaction. If you have ever received an email that your bank account has been compromised and you need to change your password immediately by clicking a link in the email, you are the target of a social engineering attack.
Common Social Engineering Attacks
As a cleared service member, civilian, or contractor, you might be approached at your favorite hangout, or on a social media account… this is also social engineering. Here are some common social engineering attacks along with a few tips to avoid becoming a victim.
If you have never received an email asking you to send money to a Nigerian prince or some other sob story, consider yourself lucky. However, those early phishing email attempts are much more overt. Phishing emails today are much more sophisticated. Instead of a Nigerian prince you might get an email from Bank of American security department alerting you that your account has been compromised and you need to validate your log in credentials immediately. There is usually a link in the email which will take you to a spoofed website that looks like B of A, but really isn’t. Once you click on the link and “validate your login credentials” you have been hacked. To avoid this happening, call your bank and ask for verification that the email is legit. Or print the email and take it in to the bank for verification. Most companies today have phishing filters and if you get a phishing email, you can click on “submit email to security” for phishing review.
This type of attack is like phishing with the difference being the promise of something good or exciting after compliance with the request. You might get an email stating that you’ve won a prize and need to “click here” to claim it. The criminal will then request personal information such as your address, phone number and full name. Don’t fall prey to this type of attack, there is no prize worth giving up your personal information. When you get these emails or phone calls, simply delete them or hang up. Gmail allows you to mark these emails as spam, and they will be reported to Google for further filtering.
For those of us that work in a cleared space which requires a badge swipe or proximity tap, we know what tailgating is. When you are heading into your workplace and swipe your badge to enter the building, a person posing as a worker might try to follow behind you as you hold the door for them. While it is a nice gesture to hold the door, it could prove to be damaging. The last thing you want to do is let someone in the building who is not supposed to be there. There have been far too many workplace shootings and theft. It is okay to ask them to swipe their badge or show you their identification. This is one situation where it is perfectly ok to be rude and just shut the door behind you. Do not be the person that lets a criminal into the workplace because of tailgating.
Quid Pro Quo Attacks
This type of social engineering attack is like baiting; however, there is usually a far worse consequence involved. In a quid pro quo attack, or this for that, criminals will offer you something in return for your information. The most common type of quid pro quo attack is signing up for a bogus credit card or “free magazine subscription.” More recently, bad actors are setting up fake Social Security websites that promise to help you get a new social security number or card. Taking it a step further, they might reach out to you via phone and tell you your social security number has been compromised. They will then ask you to verify your number and personal details as well. This is an easy way for attackers to get all the info they need from you to apply for home loans, car loans, credit cards, and bank accounts. Don’t become a victim of quid pro quo attacks. If the “Social Security Administration” contacts you to verify your information, let them know you will come into the closest office and deal with it in person. Do not give out your personal information to anyone, unless you are in a legit institution, and they are asking you in person.