Social engineering is using deception as a means to gain access to normally restricted areas or data. Most people have an inherent desire to help people even when it might break the rules of business/security protocol, as well as a natural interest to understand the unknown. This makes social engineering one of the most successful methods of hacking despite it’s low tech nature. Some examples of popular social engineering attacks include: fake IRS calls claiming you own money, fake Microsoft calls saying a virus has been detected, emails that say you have won the lottery in South Africa, the list never ends.
To protect yourself from these attacks over the phone you have to think of these details:
1. Can I verify the authenticity of this person?
- You can start with the basics, look at the caller ID number and do a quick Google of it. Many websites exist for the sole purpose of reporting suspicious numbers.
- Ask the caller to state some information about you without giving them any hints. This very likely will result in them hanging up because they are looking for someone who trusts them from the moment the call is answered.
- When you pick up the phone and say hello and there is a 3-5 second pause before someone says anything back it is likely that they are using a program that detects voice activity so they can run through thousands of numbers in a short amount of time.
2. Does this person make logical sense?
- Social engineers usually try to make very general statements so they can try to get more information about you and start to build a more convincing call.
- Are they mumbling a lot? This is a way to try to get you to guess what the reason for the call is, and since the human mind tries to stay relevant to what is currently going on in your life you may start to hear words that were never said.
3. How do they know this particular detail about me?
- Think of who would or could know a piece of personal information about you such as a pets name or the street you grew up on. Having an active social media account in which you post a lot of personal details is a gold mine for social engineers that they will surely tap into.
Protecting yourself online:
1. Never click a link that does not look familiar, incorrectly spelled, or from an unknown sender.
- Phishing sites try to lure people into familiar looking websites that collect the data you enter into their fake login forms. Examples: Bank portals, Amazon logins, and Netflix logins.
- Be wary of clicking suspicious looking links even from known senders. It is common practice to use compromised email accounts to send out dangerous links since they know the receiver is more likely to click it.
- Never download and run a program that is not from its direct source. Example: downloading Google chrome from a non-google website, downloading a word processor from a site like Mediafire or MEGA. Viruses are very good at getting past anti-virus so do not rely on this. See my section on cryptors for more information on why this is the case.
- Website top level domains such as .tk, .zip, .review, .country, and so on are commonly used for malicious purposes. If you have never seen a website contain it before there is a good chance it is unsafe.
2. Configure your web browser to be as safe as possible.
- I have said this in multiple articles and I’ll say it again: get AdBlock Plus, HTTPS Everywhere, and Disconnect extensions for your web browser. My preferred web browser is Google Chrome because of their constant security auditing and updates.
3. Get a solid anti-virus and anti-malware but do not rely too heavily on them
- Anti-virus and anti-malware generally refer to the same thing but are marketed differently. An anti-virus will generally protect against a broad range of security threats while anti-malware generally target the harder to detect and remove threats.
- My recommendation for an anti-virus would be Kaspersky. They have come a long way from the Windows XP days which would slow your PC to a halt. Kaspersky is well respected in the computer security field and is constantly researching the most advanced computer viruses and exploits today.
- My recommendation for an anti-malware program would be Malwarebytes. Similar to Kaspersky they are well respected in their field and constantly research and implement removal techniques for the most advanced malware out there.
- These programs help improve your security but they do not leave your PC untouchable.
4. Practice good account security
- Use strong passwords that utilize under case letters, upper case letters, numbers, and symbols. Try to aim for 16 characters.
- Example of a strong password: +6X_X}4PDPMurnSn
- Example of a weak password: P455w0rd!
- Try to change all important account passwords (bank, email, etc.) every 10 weeks. This can be very annoying at first but if you turn it into a habit you will not be bothered by it eventually.
- Do not save passwords to your computer.
- Avoid at all costs using public computers to login to important accounts. It is very easy for hackers to install keyloggers on public computers that log your account details, making it very easy to gain access to any accounts you logged into.
- This is a good resource for generating secure passwords: http://passwordsgenerator.net/
- Separate your personal and business life by using multiple email accounts to sign up for websites.
- Use an alias when signing up for websites that do not need to know your personal information.
5. Google yourself every few months and make attempts to remove personal information
- Any information about yourself in the public domain can be used against you in social engineering attacks or even worse, identity theft. That is why you should Google yourself constantly to see what information has been collected about you. Sites like Spokeo and Radaris use automatic tools to collect and post information about you, however they respond to requests from people that wish not to be listed on their sites.
- To remove yourself from Spokeo search your name and copy the profile link associated with your name. Then go here http://www.spokeo.com/opt_out/new and post the link, type your email in the 2nd box, then confirm the link from Spokeo in your email. I recommend using a throw away email for confirmation.
- To remove yourself from Radaris seach for yourself then click the dropdown arrow next to your name and select “Remove Information”. You will be required to fill out a short form that requires email and phone number to confirm the removal. I am not a fan of giving out numbers to data collection companies so I would recommend using a throw away number from a messenger app such as WhatsApp.
- There can be a whole slew of reasons that personal information may be posted online about yourself to any number of websites and even though you cannot always have a direct role in removal of it there is an option:
- Contact the owner/admin of the website through email and explain that you would like certain page(s) with your info to be removed. DO NOT USE THREATS. This is a quick way to be dismissed because in most cases they are under no obligation to remove anything that is not SSNs or banking info. A good template would be as follows:
Hello Website Administrator of (Website Name),
I’ve found some of my personal information on your website located here: (URL(s))
My profession requires a high degree of privacy and I would be very appreciative if you could remove the pages listed above. Please email me with any questions you may have. Thank you and have a great day.- (Name)
- In my experience and relationships with Website Admins I can tell you that most would be pleased to comply if you ask politely. I can also tell you that if you begin making threats, legal or not you will be in a worse position than where you started.
- If you succeed in having the pages removed your next step is to remove the cached (stored) pages from Google. You can do this by copying the link(s) from the Google search page and pasting it to: https://www.google.com/webmasters/tools/removals where the page will be removed within a few days unless there is some error or bug.
In conclusion, social engineering is never going away because of people’s desire and passion to help others, which despite it’s security consequences it’s good to know there are good people left in this world. Just be a little more cautious good people. – Connor