Defeating online con-men: Resisting social engineering and phishing attacks
In today's high-tech world, security threats abound. As online criminals like con-artists, identity thieves and sexual stalkers have come into the limelight, people have become increasingly cautious. But many computer users remain completely unaware of one of the biggest threats in the electronic world - social engineering.
In fact, some experts say that social engineering will become the greatest threat to any security system, which includes personal computers, financial systems and even cell phones or PDAs.
So what is social engineering anyway? In simple terms, social engineering is a form of deception carried out by an attacker - an online con-artist, of sorts - that attempts to convince the victim to do something that would compromise their safety. This can include computer, financial or physical safety.
The strength and the weakness of social engineering attacks is the same thing: they absolutely require human participation. If the potential victim sees through the attack and realizes that the attacker(s) aren't who they claim to be, then the attempt has no teeth and no permanent damage is done. Education is key.
Many such attacks attempt to convince the potential victim to do something unwise, like providing the user names and passwords to their computer, providing financial account numbers or giving credit card numbers to an attacker who is masquerading as someone or something else. Such attempts aren't restricted to computers and can occur by phone or other communication media.
Unfortunately, many users trustfully provide the information, not knowing that the attacker isn't legitimate or that the information may be used to harm them or others.
One early form of social engineering involved a circulating email message that claimed to be from an anti-virus and computer security institution, instructing users to check for a specific file on their computers. If the file was there, the message claimed, it meant that the computer was infected with a virus. The message instructed users to promptly delete the file to remove the virus. The problem was, the file was entirely legitimate and was required for normal computer operation. Many computer users blindly followed the instructions and soon thereafter had to find help to fix the problem.
Naturally, most recipients trust such messages unequivocally when they come from friends or family, and to their own detriment often follow the directions in the email. Others forward the message along to friends or family, thinking they are doing them a service. This is why social engineering attacks are often so successful.
To further the problem, many victims feel foolish for falling into the attacker's trap in the first place. Out of embarrassment, many victims will lie outright to a computer technician and deny having done anything to their computer. But withholding such information makes it harder for the technician to diagnose and repair the problem, which only causes the victim more anguish. A good computer repair technician understands that these attacks happen to the best of us and will be understanding and helpful in fixing the problem. As in many other situations, a person's best policy here is honesty.
Another common social engineering attack is an email message that poses as coming from the potential victim's financial institution, and asks them to go to the site linked in the message and enter user names, passwords and financial account numbers to "verify" their account information.
And yet another common social engineering attack claims to be from a legal representative of a so-called long-lost relative who has died and willed a massive fortune to the potential victim. All they need, they claim, is the user's financial information, and the riches will be transferred into the victim's financial account.
Sadly, many are intrigued by the prospect of being rich and follow the directions in the email. What these people find out is that the con-artists do the exact opposite - transfer every penny out of the victim's financial account, often swindling them out of hundreds or even thousands of dollars.
Like the saying goes, "if it's too good to be true, it probably isn't true." In the online world, this sentiment will save potential victims time and time again.
But many social engineering attacks aren't so easy to detect. Phishing, for example, is a form of social engineering that lures the victim into revealing information based on the false premise that an established brand name must be naturally trustworthy.
Phishing attacks often come in the form of website forgeries. An unsuspecting victim visits the forged site thinking it is the genuine one. When the user enters their user name and password, the attacker's system records the credentials, and the attacker then uses them to access the person's financial account via the real website.
For example, suppose a person utilizes financial services through a fictitious bank called Example Bank. Example Bank has a website where customers can access their bank account online via the Internet. Suppose an attacker creates a site of their own that looks identical to the Example Bank's official site and sends a forged email to a handful of people, claiming to be from Example Bank.
Suppose one of the recipients decides to visit the attacker's site, not realizing it isn't legitimate. They attempt to log in but receive an error page saying the service is temporarily unavailable and to check back in a few days.
At this point, the attacker now has the recipient's user name and password, which they use to access their financial account and swindle them out of money. By the time the recipient realizes what has happened, the attacker has already robbed them.
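The forged message in the Example Bank scenario above usually gives itself away in its links: the visible text names the bank, but the link target is a host the bank does not own. The following added example (not part of the original article) is a small defender-side checker that applies that test to an email body; the Example Bank host names and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the hosts Example Bank genuinely uses.
LEGITIMATE_HOSTS = {"examplebank.com", "www.examplebank.com", "online.examplebank.com"}

# Matches an HTML anchor: the href target and the visible link text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_IN_TEXT_RE = re.compile(r'https?://[^\s<"]+', re.IGNORECASE)


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def check_link(href, text):
    """Return the reasons one link looks forged (an empty list means it passes)."""
    reasons = []
    href_host = host_of(href)
    if href_host not in LEGITIMATE_HOSTS:
        reasons.append("target host %r is not an Example Bank host" % href_host)
        # The bank's name embedded in a foreign host is the classic lookalike trick.
        if "examplebank" in href_host:
            reasons.append("host %r imitates the bank's name" % href_host)
    # Visible text shows a URL, but the link really goes somewhere else.
    shown = URL_IN_TEXT_RE.search(text)
    if shown and host_of(shown.group(0)) != href_host:
        reasons.append("visible URL host %r differs from actual target %r"
                       % (host_of(shown.group(0)), href_host))
    return reasons


def find_suspicious_links(html):
    """Return [(href, reasons)] for every anchor in an email body that looks forged."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        reasons = check_link(href, re.sub(r"<[^>]+>", "", text))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message in the style of the forged Example Bank email.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://examplebank.com.verify-login.example/signin">
verify your account at https://www.examplebank.com/</a> within 24 hours.</p>
<p>Or visit <a href="https://www.examplebank.com/">our site</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Only the first link is reported; the second one really does point at the bank's own host.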
Fortunately, legitimate financial institutions are aware of most phishing techniques and the problems they bring. As a result, most of them have already instituted policies and protections to help prevent such attacks from succeeding. But that is no substitute for good education and sound judgment.
Browser makers have also come forward with help. Many modern browsers now include anti-phishing features that try to detect website forgeries and immediately notify the user. Microsoft Internet Explorer 7 and Mozilla Firefox 2.0 are two of the browsers that do.
But by far the best weapon people have against social engineering attacks is knowledge. With heightened awareness and information about how attacks happen, people can protect themselves from being exploited in the first place. Every computer user should:
Never delete system files or make system configuration changes without personal instructions (preferably verified by a phone call or personal visit) from a technical expert they know and trust.
Learn to protect and value their personal information. This means understanding when providing personal information is necessary and appropriate.
Never provide financial account information, user names or passwords via email or instant messaging (IM).
Never trust email messages that appear to be from their financial institution unless they have explicitly asked for them and know they are genuine.
Report any website forgeries of their financial institution's website to the institution itself.
Ensure anti-virus software and virus definitions are up to date.
Ensure their computer is up to date with the latest bug patches and security updates.
Refrain from installing untrusted or questionable software on their computer. Everyone should heavily scrutinize software downloaded from public file-sharing networks like LimeWire or Gnutella.
Check with their local financial institution to gain additional information about policies and procedures the institution employs to protect customers from phishing and other forms of social engineering.
Have comments about this article or suggestions for a future Tech Tips article? Send an e-mail to firstname.lastname@example.org.