Social engineering is an attempt to influence or persuade an individual to take an action. Some social engineering has beneficial purposes; for example, a company may distribute a healthcare newsletter with information intended to influence you to get a flu shot. But social engineering is commonly used by criminals to cause the recipient of an email, text, or phone call to share information (such as an online banking username and password, or personal identifying information such as a social security or passport number) or to take an action that will benefit the criminal, not the recipient.
Criminal social engineering often has an emotional component, to cause the individual to act in haste; for example, an email notice that informs you that your credit card has been suspended due to suspicious activity, or a notice that you've won an item or lottery. This is the "lure". The criminal hopes that you will take the action indicated in the message you receive; e.g., visit a link in the text or email, or call a telephone number. The link is the "hook": a link from a "phishing" email or text often takes you to a fraudulent site that impersonates your bank's login page where the criminal hopes you will submit account credentials or personal information that he can use or perhaps sell. A telephone number may be just as dangerous: the party you call may be an individual skilled at eliciting personal information from you.
The most adept criminals make very convincing impersonations of legitimate and well-intentioned correspondence.
To better understand how to protect yourself against social engineering, visit such sites as stopthinkconnect.org or apwg.org. You may also enjoy this interesting infographic on social engineering from the team at Social-Engineer, Inc.
This post is one of a series, Raising Security Awareness One Security Term at a Time, originally posted 15 June 2015 at ICANN Blog.