Whenever you think of cyber crime or hacking, you’ll probably think about a bad actor using their technical skills to break down digital defenses, and using technology or coding against you. Descending lines of green code, Matrix-style, on multiple screens, as the hacker types faster than the eye can see to break through your firewall…or something similar.
And sure, there are plenty of ways that bad actors can use technology or technical know-how to exploit vulnerabilities in computer systems. However, some of the most successful and hard-to-prevent cyber attacks are not done by traditional ‘hacking’, and don’t really rely on technology at all! So-called ‘social engineering’ attacks rely on research, manipulation, trickery and an understanding of normal human behavior, and are some of the most subtle cyber attacks out there, and some of the hardest to defend against.
Social engineering attacks rely on psychological tricks, persuading people to make mistakes, and capitalizing on human error. They exploit the naturally trusting nature of most people, and look to use personal information to persuade people to hand over data and information, or undertake activities, that allow the hackers to gain access to sensitive material or systems.
Because of the subtle nature of social engineering attacks, they can be hard to spot. Bad actors will find out personal information about their targets, and use the information to convince you that they are trustworthy. This could be by impersonating a boss, or even a family member, or by tricking their target into clicking links or downloading files that seem trustworthy.
However, there are some things to look out for that can help protect against social engineering attacks. Being vigilant and on the lookout for suspicious activity is always a good idea, and if you know what to look for, many attempts can be prevented. Here are some of the most common things that can give the game away when it comes to a social engineering attack.
Who is it from?
The most obvious giveaway is the person who is sending you the message. If you don’t recognise the person sending the message, or the email address is different to the normal address you see connected to the supposed sender, this should raise red flags.
Watch out for emails from people outside your organization who you don’t usually communicate with, emails you don’t recognise at all, and addresses that come from suspicious or dodgy-looking domains.
Who else is it to?
The other recipients in a suspicious email can also provide a clue as to whether it is trustworthy or not. If the email seems like it is something relevant to you and your work, but you don’t recognise the other addresses copied in, or if the group or mix of people is unusual or doesn’t make logical sense, even within an organization, then alarm bells should ring.
What are those links?
One of the biggest red flags in an email, and also one of the main ways that social engineering attacks exploit vulnerabilities, is a suspicious hyperlink. You should always look at hyperlinks very carefully before clicking them, whoever has sent you the message. If the hyperlink looks odd, or is misspelled in any way, don’t click it. Similarly, be wary of shortened links from services like bit.ly or ow.ly. If the email just contains a hyperlink, with no other content or information, you should be extremely cautious.
One way to ‘test’ a hyperlink is to hover your mouse over it, and take a look at the address it actually links to. If that address is different to the one suggested in the email or the text of the hyperlink, it is potentially dangerous.
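The hover check can also be automated, for example in a mail filter or when triaging a reported message. The Python sketch below is an added example, not part of the original article: it compares the address shown in each link's text with the real target, and also flags the shorteners and link-only messages mentioned above. The function names and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "ow.ly"}  # the two shorteners the article names
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def norm(host):
    """Lower-case a host name and drop a leading 'www.'."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs and the text outside links."""
    def __init__(self):
        super().__init__()
        self.links, self.other_text = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        (self._text if self._href is not None else self.other_text).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def review_links(html_body):
    # Returns a list of (href, reason) findings for one HTML email body.
    parser, findings = LinkCollector(), []
    parser.feed(html_body)
    for href, text in parser.links:
        real = norm(urlparse(href).hostname)
        shown = HOST_RE.search(text)  # does the visible text look like an address?
        if shown and norm(shown.group(1)) != real:
            findings.append((href, "text shows a different address than the link target"))
        if real in SHORTENERS:
            findings.append((href, "shortened link hides the destination"))
    if parser.links and not "".join(parser.other_text).strip():
        findings.append((parser.links[0][0], "message contains only a link"))
    return findings

# Constructed sample body; the hosts and paths are placeholders.
SAMPLE = ('<p>Please review the invoice: '
          '<a href="http://login.example-payments.test/i">https://www.example.com/invoice</a>'
          ' or <a href="https://bit.ly/placeholder">this copy</a></p>')
```

Calling review_links(SAMPLE) returns two findings, one for the mismatched address and one for the shortened link. A clean result does not prove a link is safe; it only means these particular red flags are absent.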
When was it sent?
Of course, some of your colleagues might keep weird working hours, but the timing of an email can provide a clue about its legitimacy. If you receive something that you’d normally expect to get during business hours, but sent at a peculiar time (say 3am), then you might want to treat it with caution.
What is it about?
The subject line of an email can provide clues about how solid and trustworthy it is. If the subject line is irrelevant, or doesn’t correspond well with what the email is actually about, then you might want to investigate further. Equally, if the email seems to be replying to a message that you didn’t send, or don’t remember sending, it could also be suspicious. A ‘reply’ can seem far less likely to be a trick at first glance than a random email out of the blue, so always pay attention to whether you actually sent anything to reply to in the first place!
What is that attachment?
Attachments to emails can be huge no-nos, and are one of the most obviously problematic elements of a social engineering attack. Things to look out for are attachments that don’t make sense with the subject, content or scope of the email, unexpected attachments, or attachments that are a potentially dangerous file type. In a work context, unless you are absolutely certain about the document you are opening, anything other than a .txt file should be treated with caution.
What is the content?
Finally, we come to the actual content of the email. This can give you some pretty major clues as to whether the message is legit, or whether you should be concerned about it. If the sender is asking you to do something that will give you a reward, or if they are threatening bad consequences if you don’t do something, then it’s probably an attack! If the grammar or the spelling is poor, the content doesn’t make sense, or the message just gives you a bad feeling, think twice. Most of all, if the message is asking you to do something weird, uncomfortable or inappropriate, don’t do it!
Social engineering attacks can be subtle and hard to pick up, and it is not unusual for smart, alert people to fall victim to them. However, with some extra vigilance, and by paying attention to the red flags mentioned above, guarding against them is totally possible!