Social Engineering - How to Protect Yourself

• in categories: advice • by: Michelle Balestrat

[Image: a tough-looking young woman wears three different nametags: John, Frank, and Debbie]

When we think of computer hackers, we often imagine a technical genius who’s turned to the dark side. However, hackers utilising a special type of attack will often employ tactics associated more with shady con artists than computer masterminds.

Dubbed “social engineering”, these attacks don’t require any particular computer savvy. Slick social skills and confidence in spades might be all that is required to get access to your account. Strong passwords are no match for this type of heist, with the weakest link in account security often being, well, humans.

In a social engineering attack, a hacker may pose as a banking official and call or send you an SMS advising you of suspicious activity, then ask for “verifying” information such as the last four digits of your credit card number. You may be surprised by what this person already seems to know about you; the hacker uses that knowledge to gain your confidence and make any request seem perfectly legitimate.

Once they have your data, hackers can lock you completely out of your account by having your password reset. It’s often as easy as phoning technical support and claiming to have lost the keys to the account.

But won’t my security questions stop them?

Secret security questions can usually be answered with a simple Google search about you: your mother’s maiden name from Ancestry.com, the make of your first car from an old tweet, the names of your pets or best friends from Facebook, the company you work for from your LinkedIn page, and so on.

Think you can’t be fooled? Think again. Social engineers often exploit our human instinct to trust authority and respond to crisis, duping even some of the most adept Internet users. A recent Wal-Mart hack in the US shows the ease with which this information can fall into the wrong hands, with a store manager simply handing over the keys to his identity when told he would be participating in a company-wide initiative.

So, what can I do to protect myself?

Simply being aware of common social engineering tricks is the first step towards keeping yourself safe. Be careful about what you’re sharing over the phone, online or in person unless you know exactly who you’re dealing with.

Real IT departments and financial services won’t ask for your password or sensitive details over the phone. As an extra step, tell any inbound customer service callers claiming to be from a company you have accounts with that you will call them back. Dial the official number of your service rather than risking it.

Also, avoid having all of your eggs in one basket. Reusing passwords across your accounts, or using a single email address for all your password reset requirements, is a recipe for disaster, making it child’s play for hackers. Keep ’em separated! (We’ll be posting more about how to fix this in later articles, so stay tuned.)

Also, be smart with your credit cards. Try not to let sites store your card number for convenience. If possible, look into using a service such as Entropay instead of your bank-issued card for online transactions.

Also be sure to check out your privacy settings on your social accounts. Facebook, Twitter and LinkedIn are making it easier than ever before to keep your profiles private. However, the default privacy settings of these services can leave much to be desired – be sure to check them regularly as they’re always changing.

Lastly, one of the best steps you can take is to secure your email address. Sign up to our Email Watchdog and let us do the hard work for you. It’s free for one email address.
