What is social engineering
Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases, the attacker never comes face-to-face with the victim.
- Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action and is typically done over the telephone. It is more than a simple lie as it most often involves some prior research or set-up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
- Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card's PIN.
- Phone phishing, or vishing, uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank's or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call the "bank" at a number provided (ideally toll-free) in order to "verify" information. A typical system rejects logins continually, ensuring the victim enters PINs or passwords multiple times and often discloses several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.
- Baiting is like the real-world Trojan Horse: it uses physical media and relies on the curiosity or greed of the victim. In this attack, the attacker leaves a malware-infected floppy disk, CD-ROM or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.
- Quid pro quo means "something for something": an attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will reach someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware. For example, an information security survey revealed that 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for an inexpensive pen. Similar surveys in later years obtained similar results using chocolates and other inexpensive lures, although they made no attempt to validate the callers.
- Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or website with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority.
How do you protect yourself against social engineering?
Awareness is an effective weapon against many forms of identity theft. Be aware of how information is stolen and what you can do to protect yours, monitor your personal information to uncover any problems quickly and know what to do when you suspect your identity has been stolen.
Armed with the knowledge of how to protect yourself and take action, you can make social engineering thieves' jobs much more difficult. You can also help fight social engineering by educating your friends, family and members of your community.
Here are some tips on how to fight a social engineering call attempt:
- Ask the requestor which company he/she works for;
- Question why he/she needs your confidential information;
- Take down the caller information and call the company to double check;
- Be careful not to disclose your Social Security number, birth date, PIN, credit card number or similar details to strangers.
Should you provide your password or user ID in an e-mail?
Cathay Bank does not request confidential information from customers via e-mail or pop-up windows. In addition, Cathay Bank will never ask you for your password. You should safeguard and not share your password with anyone.