Security blogs

Cyber-crime, Social Engineering, and You: Staying on Guard (Even When You’re Not)

With special thanks to Kylie Watson, Sociologist: Digital Innovation Specialist, for this article.

It goes without saying that the majority of people reading this article are on guard against identity theft when they’re online. They’re looking for secured connections when inputting information like credit card info, they’re vetting the sites they shop from, they’re abstaining from clicking on suspicious email links—if this sounds like you, you probably consider yourself to be fairly safe online.

But perhaps there are a few things you haven’t considered, things that could well lead to you being more vulnerable than you previously imagined. First: social engineering tactics have evolved. Second: identity thieves have perfected ways to hit you at your most stressed, tired, and inattentive.

I’m not all that involved in my personal social media accounts—at least not by today’s standards! As a matter of fact, I save interacting with them until the end of the day, when I’ve completed all of my “to-dos.” For example, I like to pour a glass of wine, snuggle up on the sofa, and see what my friends and family have been up to since the last time I checked out their Facebook feeds. Facebook is a super-reputable website, and I’m literally looking at content from my friends and family, not Nigerian Princes, so what could go wrong? It’s not like there’s going to be a killer virus embedded in my sister’s updates.

It turns out the answer is “quite a bit.” I’m very informed in regards to cyber security, and I’ve been (almost) caught out twice recently by scams which were couched in a very carefully constructed context—namely one in which I would be vulnerable due to weariness and stress.

The first is one which many of us are quick to dismiss (given that the contests often look unprofessional to begin with): a survey with a chance to win a free iPhone. When the survey gives you the run around, it’s easy to tell that it’s a scam for (at least) additional survey information rather than a legitimate contest. This one didn’t do that. In fact, it seemed like a completely viable survey—right up until I got to the section that required credit card information to win.

The second was a bit sneakier. It was linked from a site many of us enjoy visiting on a regular basis: Facebook. As I mentioned above, I like to use my personal social media accounts to unwind, and this night was no exception. Part of that unwinding is the occasional participation in those harmless, silly, Facebook quizzes. You know the ones—which Disney villain or princess are you? (I’m always hoping for Maleficent), etc. They’re meaningless fun, which is exactly what makes them perfect for couch potato time.

Except, not all of them are meaningless fun. Many of these quizzes intersperse questions that seem harmless enough in context (your birthday, in a quiz about your astrological sign, your pet’s name, etc.), but these are bits of information that an astonishing number of people use in their passwords. They’re also information which can be very easily used to defeat security questions on many sites. I was nearly halfway through a quiz of this nature when I realized what was going on.

When we’re online, we’re frequently besieged with warnings about “hacking.” Hacking, as it is generally understood, requires someone to gain inappropriate access to your information due to their ability to manipulate code.  But that is only a small part of what malicious users do to co-opt the information of strangers. Many of the tools they utilize fall under the umbrella of “social engineering.” Social engineering requires no knowledge of computer science—merely a knowledge of when and how to get human beings to divulge information.  Social engineering is how hackers get your information when you’re tired, stressed, and ready to kick back and do a few Facebook quizzes and catch up with your family.

It’s not that you should never, ever have your guard down. But we should have defensive strategies in place for those times that we do make mistakes. There are a number of ways that we can do this. Being behind a VPN is one way—it prevents hackers and other ne’er do wells from associating the information we share with our local IP address.  Keeping anti-malware and anti-spyware software up and active is another, to prevent slip ups from leading to an infection. Of course, the best prevention is always to be more careful—but I’d like to believe we’re always trying for that.

It’s vital that we protect our systems at home (including our mobile systems) as much as possible, and that we protect ourselves as much as possible. Part of that means knowing when and where to divulge information—but another part of it means setting up software protection, knowing that sometimes, maybe, we might divulge more than we should when we’re vulnerable.

You may also like
Psychological and Security issues when working from home
Can you Hack IT?
Interesting scam alert
Why Security Awareness Does Not Work and What to Do Instead