Social engineering techniques are among the most powerful tools in the hackers' toolbox. Generically, social engineering is the motivation of someone ('the mark') to disclose personal or other important information that the hacker can use to their own advantage (e.g., to steal an identity in order to exploit financial information or extract an important password in order to break into a server).
Just like the traditional grifters of the past, hackers use the general tendency of people to want to 'be nice', 'stay out of trouble', and/or 'protect their own assets' to motivate them to give out information – and even feel good about doing it.
Vigilance is the only defense against social engineering. Look for these markers to know you're getting ready to divulge too much:
- "Here's your big chance to play the new fantastic version of the [xxx] game!" The link, of course, goes somewhere where they will extract some private information (real name? a password that might work somewhere else? your birthdate in order to prove you are 'old enough' to play, etc.). This really is the #1 rule: Avoid clicking links people send you instead of using a search engine to find the proper link.
- Anything that sounds too good to be true probably is. It is unlikely that you have won the Irish Sweepstakes, even if you elect to send in a $1,000 security payment.
- Any time you get a solicitation in email that you did not request – even from a trusted friend – should be discarded immediately. No reputable company works this way.
- Email with misspelled, mispunctuated, or bizarrely formatted text is almost surely a scam.
- If something feels like it requires action, confirm via telephone with someone you know (or at least can verify, e.g., by calling the corporate headquarters) before you send money. A recent scam asks for money because your best friend (or aunt or grandmother or ...) is caught in Europe (or some faraway place) and can't return until they pay bail, or a fee, or some other money-requirement. You, the trustworthy friend or relative can help them! Call them at home to make sure they're not there before sending money.
- Any time you are getting ready to feel good about giving away some money or information,think twice: Why am I really doing this? Do I know who is on the other end of my bequest? "Hey, John, please remind me of the combination to get into the machine room." Who is really asking?
- "Please come back to FaceBook!" The link, of course, goes to a FaceBook look-alike which presumably reaps your name and password. Avoid clicking links people send you instead of using a search engine to find the proper link.
- "Please call this number to verify [xxx]." You'll get a recording asking you to leave all sorts of useful information. Don't even think of calling telephone numbers you can't verify (perhaps by checking a phone book or institutional phone list) sent to you unsolicited in email.
- Keywords to avoid: verify, account, won, lottery, respond [now, quickly], or you will suffer [some horrible thing] See these? Click delete.
- Vishing: These same pitches and scams work in airports, for panhandlers, and all sorts of non-computer scammers, too, by the way. They even work when people call you on the phone! "Hey, Jill, this is Ralph over in accounting. I've forgotten [xxx], can you help me out?" Look up their number and call them back.
- SMSiShing: Same idea for text messages are you phone. Don't believe a bank will text you; call them on an independently verified number.
With eyes wide open, the Internet can be a happy and safe place for many sorts of transactions.