The big news in online security right now is the recent AT&T hack that involved customer data being downloaded illegally from a “workspace on a third-party cloud platform”. AT&T states that only records of calls and texts were taken – not the content of those calls or texts or any other identifiable information besides phone numbers. And yet, it’s still a tremendous breach of privacy for all customers involved. Even with just a phone number, bad actors can use social engineering to find who the phone number belongs to and potentially target them for some malicious purpose.
With AT&T now joining the growing list of large entities that have allowed themselves to be hacked and failed to maintain the privacy of their customers, it’s a good time to talk about social engineering – and why the only ones we can truly rely on to protect our online integrity are ourselves.
What is social engineering?
Social engineering is the act of manipulating a person into giving up or revealing sensitive information that can aid in malicious cyber attacks. Phishing scams, spoofed emails, fake contests, offers too good to be true – they’re all forms of social engineering designed to exploit the human condition and prey upon very human emotions like fear and greed.
Social engineering is so prevalent because it works; it’s one of the leading causes of network and security compromises, and therefore one of the most costly for businesses and users alike. Why bother trying to hack through a well-configured firewall when you can just trick someone into giving up their username and password or downloading malware?
Unfortunately, with the proliferation of social media, most of the social engineering work for bad actors is often done for them. Places of birth, first grade teachers, high school mascots, favorite sports teams – it’s amazing the amount of personal information that we’re willing to give up for free! Everything we post, blog, or tweet about ourselves can potentially be used to answer our security questions or impersonate us over the phone.
And even if we’re not posting personal information online, that info can still leak out when big data holders like AT&T or LastPass get breached – something entirely outside our control.
What’s the best defense?
Social engineering exploits human error, so education and alertness on our part are the best defenses against it. Here are some good tips to help guard yourself against the most common social engineering traps:
Be vigilant while checking your email. Phishing traps and spoofed emails have telltale signs to help you identify them as fakes. If the reply or return address doesn’t match the sender’s address, or if the email is CC’d to a list of other addresses you don’t recognize, there’s a good chance it’s fake. Also, you can hover your mouse over any link and look in the bottom-left corner of your browser (the status bar) to see the link’s real destination; if that destination doesn’t match the identity of the sender, don’t click it! Always make sure you stop and think before you click any links or download any attachments.
Don’t use obvious security answers. You can apply the same method of creating good passwords to create good security answers and password hints. Make the answers to these types of questions or hints unique – something that only you know – instead of the factually “correct” answers that someone malicious could easily discover by looking at your Facebook profile. For example, if your security question is “What’s your high school mascot?”, make the answer your rival high school’s mascot instead, or even better make it some random word or phrase like “mascots make the world go round.” Whatever you choose, make sure your method is known only to you and remains consistent across all of your security answers so you don’t forget them.
Master your fear, lest your fear become your master. Social engineering works because it exploits our anxieties about online security, our aversion to confrontation, and our fear of the unknown in general. It’s normal to feel overwhelmed when someone is calling us claiming our bank account has been hacked, or when we receive an email alerting us that our driver’s license has been suspended. But often the best thing you can do is take a breath and evaluate the situation calmly so that you don’t make a decision based on your default reaction. Anyone pressuring you to react and do something right now most likely does not have your best interest in mind.
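The email checks from the first tip above (reply address vs. sender, a long list of unfamiliar CCs, and a link whose visible text points somewhere other than its real destination) can be automated. The following is an added example written for this post, not code from AT&T or any vendor; the message it inspects is a constructed sample with made-up `.example` domains.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message for illustration; all domains are placeholders.
SAMPLE = """From: ATT Billing <billing@att.com>
Reply-To: support@att-billing-help.example
To: you@example.com
Cc: a@example.org, b@example.org, c@example.org, d@example.org
Subject: Action required
Content-Type: text/html

<p>Your account is suspended. <a href="http://att.login-reset.example/verify">https://www.att.com/myatt</a></p>
"""

# Matches double-quoted hrefs only, which is enough for the sample above.
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr_or_url):
    """Lowercased host of an email address or URL ('' if neither).
    For URLs, anything before an '@' in the host part is userinfo, not the host."""
    s = addr_or_url.strip().lower()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1]
    m = re.match(r'[a-z][a-z0-9+.-]*://([^/:?#]+)', s)
    return m.group(1).rsplit("@", 1)[-1] if m else ""

def phishing_signals(raw, max_cc=3):
    """Return a list of human-readable warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    signals = []
    froms = getaddresses([msg.get("From", "")])
    from_dom = domain_of(froms[0][1]) if froms else ""
    # Sign 1: replies or bounces routed to a different domain than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        for _, addr in getaddresses([msg.get(hdr, "")]):
            if addr and domain_of(addr) != from_dom:
                signals.append(f"{hdr} domain {domain_of(addr)} != From domain {from_dom}")
    # Sign 2: the message is CC'd to a crowd of addresses.
    cc = [a for _, a in getaddresses([msg.get("Cc", "")]) if a]
    if len(cc) > max_cc:
        signals.append(f"CC'd to {len(cc)} other addresses")
    # Sign 3: the link text shows one site but the href goes to another.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    for href, text in HREF_RE.findall(body):
        shown = domain_of(re.sub(r"<[^>]+>", "", text))
        if shown and shown != domain_of(href):
            signals.append(f"link shows {shown} but goes to {domain_of(href)}")
    return signals
```

Running `phishing_signals(SAMPLE)` flags all three signs; a message with matching headers and honest links returns an empty list.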