When most people are asked to think about online safety and security, their thoughts will likely turn to computing devices including traditional desktop setups, laptops, smartphones and, for the most technologically savvy among them, the latest in wearable devices.
Naturally we’re keen to promote such thinking, and provide you with plenty of tips, guides and reviews to help you along the way, but technology is only really half the story.
The other aspect of online security – and it’s typically the most overlooked element – happens to be far more important: the human element.
While computing devices themselves are technically capable of being infallible, they all remain slaves to human interaction, be it in terms of the code underneath their operating systems, or the quality of programming that goes into the software they run.
Even more so, computing devices are at the whim of a range of human beings with differing levels of security knowledge and awareness, and that’s the level at which things tend to go wrong.
Beyond the interaction of people and machines, there is another level at which human fallibility comes into play, and it’s an area that is often exploited with great effectiveness.
Often termed “hacking the human,” social engineering is a skill defined by human interaction expert Jenny Radcliffe as:
"Manipulating, conning and deceiving human beings with the goal of gaining access to data, premises, funds or information that they would otherwise have kept restricted, secure or private".
A good social engineer will use their skill set to target human weaknesses in an effort to circumvent controls and procedures that would otherwise prevent them extracting the information they require.
What sort of data would a social engineer be after?
The answer to that question could be just about anything in this, the information age.
All data has value and we place an increasingly large amount of it on our computing devices and the web.
There are of course some areas of particular interest to a people hacker though, and they tend to be financial in nature.
That’s why we still see so many phishing scams which attempt to dupe the unwary into giving up bank or credit card account details, for instance.
Also, other forms of personal data are becoming increasingly important to the bad guys who can use it to gain access to online accounts.
We’ve seen recently, for example, how hackers used Social Security numbers, addresses and birth dates to gain entry to IRS tax returns which in turn allowed them to make fraudulent tax rebate claims.
But there are many avenues a social engineer will look to exploit in an attempt to steal from you, or gain access to something or someplace they shouldn’t.
Why does social engineering work?
It’s all about psychology.
By creating fear (“your account has been compromised – please login via this malicious link and change your password now”), the savvy criminal seeds a very compelling call to action that far too many people are likely to heed (ProofPoint’s recent ‘The Human Factor‘ report says 41% of all malicious links are clicked on).
Equally, a social engineer will rely upon other tactics such as curiosity (a funny image you just have to look at), urgency (a friend has been stranded in a foreign country and needs your urgent assistance to get home) or a tugging of heart strings (an email from a charity for sick children, along with a handy link allowing you to send your cash straight to the criminal).
How can you mitigate the risk of social engineering?
The first tip here is quite an obvious one, though all too often overlooked: never share your personal or financial data with anyone.
That includes usernames, passwords, PIN numbers and any other data that reveals anything about you that could be of use to a criminal.
Secondly, always verify who you are talking to, either in person or over the phone. If someone claims to represent a bona fide organisation they should have no problem if you ask to verify their ID card or call back via a verifiable phone number.
Thirdly, never open emails, and especially attachments, from unknown senders. Such communication is often used to spread malware or phish for personal information.
Lastly, secure your computer: spam filters are becoming increasingly adept at identifying bogus emails and preventing them from ever reaching your inbox.
Security software, such as antivirus programs and full internet security suites, often include tools that can identify or block phishing emails, as well as protect systems from the more direct threat posed by malware.