How cyber criminals engineer deception online
“Social engineering” combines technology, our willingness to trust and deception to scam us out of money and sensitive data.
- Effective online social engineering scams coerce unsuspecting individuals into taking actions that can result in financial loss or information theft
- Cyber criminals use social media sites, professional profiles, and websites to learn about and gain the trust of unsuspecting individuals
- Being cautious about sharing personal information and reviewing your privacy settings regularly can help you reduce your exposure to cyber criminals
Cyber crime relies on increasingly sophisticated versions of malware, hacking methods, botnets and other technologies. But it also exploits tactics refined by criminals who pre-dated the internet by decades. Trickery, coercion and the human tendency to trust have always been among the most effective tools in crime, and cyber criminals know how to use them.
Online confidence scams often depend on what is known as “social engineering.” They exploit human fallibility and technology to prompt a targeted individual to act in a way that results in theft of money or information. These scams may also leverage a threat to make stolen, sensitive information public.
Using data harvested from social media sites, professional profiles, blogs, websites or local news reports — often over weeks or even months — cyber criminals can gain a nuanced understanding of users and often their families as well.
The criminals can use this information to methodically build a relationship with a person and gain their trust. Once trust is established, the criminals can make a simple request for the target to click a link, send money or share personal information. They also may perpetrate a scam through a fake message that appears to come from a trusted acquaintance.
Social-engineering efforts are often deployed against business employees, but anyone with an online identity can draw the attention of a cyber criminal. Financial loss and manipulation, however, are not inevitable. People who verify any requests for money or personal information can avoid falling for most online scams. Thinking twice about the details you share online can also reduce the risk of becoming a target of this type of methodical crime.
Personal details build trust
Social engineering is effective because many people are not careful to monitor the amount of personal information they commit to the internet. Social media sites and forums, for instance, usually have privacy controls that allow users to restrict the amount of personal information that can be seen in public. But many users do not apply these filters and allow all the information they post to remain in public view.
The most meticulous cyber criminals may put as much time into building a persona of their own as they do into researching their targets. Once they reach out — as a fellow alumnus, school parent or sports enthusiast, to name just a few examples — they may be able to anticipate a person’s reactions with a high degree of accuracy, making it easier to act and respond in ways that establish trust.
Scams can take many forms. During the holidays, requests for gifts or charitable contributions are common. Criminals may send email links that contain malware that gives them access to people’s devices, personal accounts or data. Some may demand ransoms to release the device or stolen information.
The best defenses: monitoring and verification
Ending online communication and trusting no one at all is not a practical strategy. Fortunately, it isn’t necessary. It’s possible to enjoy the convenience and connection of life online by observing some essential precautions:
- Think before you post. A social media post doesn’t need to include a checking account or Social Security number to compromise you. Before you share details about your home and loved ones, consider whether it’s really necessary.
- Review the privacy settings. Make sure that any online account through which you share personal information does not allow unrestricted public access.
- Monitor your accounts. Watch your accounts for any suspicious activity and close those that are no longer active. Make sure to also monitor the accounts of any dependents.
- Verify any request for payment or personal information. Even if a request seems to come from someone you know, contact that person through another channel to ensure the request has not been made by an impersonator.