What is social engineering?

Dawn Irish
Wednesday, July 16, 2014 - 1:45pm

Social engineering is the act of creating a context in which an individual feels comfortable sharing sensitive information, such as a password, social security number or bank account number. Social engineering, when perpetrated via email, mobile device or telephone, is based on human factors that encourage savvy, intelligent people to divulge information they would be unlikely to reveal in a face-to-face interaction with a stranger. 

Your bank account has been compromised

For example, a hacker using social engineering techniques may “scrape” your bank’s website and create a fraudulent site that looks nearly identical to the real one.  The hacker might then send you an email stating that your bank account has been compromised and tell you it is crucial that you log in to their (fraudulent) website and verify your user name and password.   You click the link provided in the email the hacker sent and, at first glance, everything appears as it always does.  So you enter your username and password, giving the hacker everything he or she needs to steal the money in your bank account.

Stop. Think. Click.

There are many red flags in the above scenario. First, no legitimate organization will ever send an unsolicited email asking you to supply your user name and password. They already have it and have no reason to ask. The hackers do not have your username and password, and they hope you will fall prey to their scheme and hand it over.

The example above also creates a crisis designed to get you to act quickly out of fear.  Hackers often attempt to appeal to other personality traits as well, like the human tendency to be helpful, curious or to want to receive something for free.  Hackers hope that you will act without thinking too deeply about what is being asked of you.

Good rules to live by

  • Do not click links provided in email you suspect to be fraudulent. Type the organization’s URL into a browser, like Chrome or Mozilla Firefox, and go directly to a website you know to be real.
  • Examine the communication carefully. Are you addressed by name? Or does it simply say “Dear Customer,” “Greetings,” or “Dear YourEmailAddressHere”? Are there grammatical or spelling errors in the communication? Does something just seem a little off?
  • Do not provide personal information over the telephone if you receive unsolicited calls. If you think the communication could be valid, call the customer service number located on your account statement or another location you know to be real.
  • If you feel that you have fallen victim to a phishing scheme, immediately change your password and report the issue to the organization (Tufts, your bank, online retailer, etc.).
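The red flags listed above (a generic greeting, urgency and fear language, a request for credentials, and a link whose visible text does not match where it actually points) can be checked automatically by a mail filter or help-desk triage tool. The script below is an added example written for this post, not code from the original article or from Tufts; the two email messages, the bank name and the domains in it are constructed placeholders, and the keyword lists and scoring are simple heuristics meant to illustrate the checks rather than a production spam filter.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (placeholders, not real mail). The first mirrors the
# "your account has been compromised" scenario; the second is a benign notice.
SAMPLE_EMAIL = """\
From: security@examplebank.example
To: customer@example.org
Subject: URGENT: Your account has been compromised
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>We detected suspicious activty. You must verify your username and password
within 24 hours or your account will be suspended.</p>
<p><a href="http://examplebank.example.lookalike-placeholder.test/login">https://www.examplebank.example/login</a></p>
</body></html>
"""

BENIGN_EMAIL = """\
From: statements@examplebank.example
To: customer@example.org
Subject: Your July statement is available
Content-Type: text/html

<html><body>
<p>Hello Dawn,</p>
<p>Your July statement is now available in online banking.</p>
</body></html>
"""

# Heuristic keyword lists (assumptions for this example, not an exhaustive taxonomy).
GENERIC_GREETINGS = ("dear customer", "dear valued customer", "greetings", "dear user")
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "compromised")
CREDENTIAL_TERMS = ("password", "username", "user name", "social security", "account number")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Lower-cased hostname of a URL; display text without a scheme gets one so urlparse works."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze_email(raw: str) -> dict:
    """Return the red flags found in a single-part HTML email and a count as a crude score."""
    msg = message_from_string(raw)
    html = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", html).lower()   # visible text only
    subject = (msg["Subject"] or "").lower()
    findings = []

    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")
    if any(t in subject or t in text for t in URGENCY_TERMS):
        findings.append("urgency or fear language")
    if any(t in text for t in CREDENTIAL_TERMS):
        findings.append("asks for credentials or identifying numbers")

    # A link whose visible text names one host but whose href points at another
    # is the classic look-alike-site lure; compare the two hostnames.
    extractor = _LinkExtractor()
    extractor.feed(html)
    for href, shown in extractor.links:
        if shown and _host(shown) and _host(shown) != _host(href):
            findings.append(f"link text shows {_host(shown)} but points to {_host(href)}")

    return {"subject": msg["Subject"], "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    for raw in (SAMPLE_EMAIL, BENIGN_EMAIL):
        report = analyze_email(raw)
        print(f"{report['subject']!r}: score {report['score']}")
        for f in report["findings"]:
            print("  -", f)
```

Run stand-alone, the script reports four findings for the lure and none for the benign statement notice. The hostname comparison is the most reliable of the four checks; the keyword checks trade false positives for simplicity and are best used to rank messages for a human reviewer, which is exactly the "stop and think" the post recommends.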

OnlineOnGuard.gov has some great resources for general cybersecurity awareness, including this video of what a phishing scheme might look like while you're at work.