Social Engineering

Let’s say you’re sitting at a coffee shop working on your laptop and a friendly but frustrated patron comes over to your table. He had a coupon for the cafe, he tells you, but it’s in his email and he forgot his phone at home. Could he bring it up quick on your computer to get the coupon code?

Being the kind, helpful person you are, you readily agree. But you are also cautious and make sure that you can see the computer screen the whole time the man brings up his email and opens a PDF for a quick look at its code. He then thanks you and logs out of his email, allowing you to get back to work.

A good deed done? Or….

Let’s say you’re at the office and a call comes in from a charitable organization raising money to fight a disease that has affected your family. There’s a walkathon happening, they explain, and a prize drawing for donations. You express your interest, especially when you hear that the prizes include tickets to your favorite musical group, and happily open the PDF the caller sends you, a flyer detailing the event.

An opportunity to help a cause near to your heart? Or….

Something else.

Both of these scenarios are actually examples of social engineering, the relational aspect of hacking in which the criminal relies more on human nature for their attack than on cracking a password or infiltrating a firewall. Perhaps while reading this you recognize the con right away, but place yourself for a minute in these situations and think about what you might have done.

The good deed was actually just a way for the criminal to open up a malicious PDF – via their email – that would allow them to gain access to the computer’s data. The charitable organization had learned personal information about you from Facebook or other social media (like a disease that had affected your family and your taste in music) and used it to make you more interested in supporting the walkathon, whose flyer was really just a virus that you willingly opened in your own email.

Devious, isn’t it? But hackers know that often the weakest link in a person’s or organization’s internet security is the people, not the firewalls and security systems. The people.

For more information on social engineering and helpful tips for protecting yourself, check out the following sites and articles:

http://www.fraudaid.com/index.htm

http://www.social-engineer.org/framework/general-discussion/social-engineering-defined/

http://www.esecurityplanet.com/views/article.php/3908881/9-Best-Defenses-Against-Social-Engineering-Attacks.htm

http://lifehacker.com/5933296/how-can-i-protect-against-hackers-who-use-sneaky-social-engineering-techniques-to-get-into-my-accounts

http://www.dhs.gov/es/blog/2011/07/12/protect-yourself-against-social-engineering-attacks
