© Bank of America Corporation. All rights reserved.
“Social engineering” combines technology, our willingness to trust and deception to scam us out of money and sensitive data.
Cyber crime relies on increasingly sophisticated versions of malware, hacking methods, botnets and other technologies. But it also exploits tactics refined by criminals who pre-dated the internet by decades. Trickery, coercion and the human tendency to trust have always been among the most effective tools in crime, and cyber criminals know how to use them.
Online confidence scams often depend on what is known as “social engineering.” They exploit human fallibility and technology to prompt a targeted individual to act in a way that results in theft of money or information. These scams may also leverage a threat to make stolen, sensitive information public.
Using data harvested from social media sites, professional profiles, blogs, websites or local news reports — often over weeks or even months — cyber criminals can gain a nuanced understanding of users and often their families as well.
The criminals can use this information to methodically build a relationship with a person and gain their trust. Once trust is established, the criminals can make a simple request for the target to click a link, send money or share personal information. They also may perpetrate a scam through a fake message that appears to come from a trusted acquaintance.
Social-engineering efforts are often deployed against business employees, but anyone with an online identity can draw the attention of a cyber criminal. Financial loss and manipulation, however, are not inevitable. People who verify any requests for money or personal information can avoid falling for most online scams. Thinking twice about the details you share online can also reduce the risk of becoming a target of this type of methodical crime.
Social engineering is effective because many people are not careful to monitor the amount of personal information they commit to the internet. Social media sites and forums, for instance, usually have privacy controls that allow users to restrict the amount of personal information that can be seen in public. But many users do not apply these filters and allow all the information they post to remain in public view.
The most meticulous cyber criminals may put as much time into building a persona of their own. Once they reach out — as a fellow alumnus, school parent or sports enthusiast, to name just a few examples — they may be able to anticipate a person’s reactions with a high degree of accuracy, making it easier to act and respond in ways that establish trust.
Scams can take many forms. During the holidays, requests for gifts or charitable contributions are common. Criminals may send email links that contain malware that gives them access to people’s devices, personal accounts or data. Some may demand ransoms to release the device or stolen information.
Ending online communication and trusting no one at all is not a practical strategy. Fortunately, it isn’t necessary. It’s possible to enjoy the convenience and connection of life online by observing some essential precautions:
Cyber criminals can access a wide variety of information streams to create and exploit an incredibly detailed description of the people they target.
Think before you post. A social media post doesn’t need to include a checking account or Social Security number to compromise you. Before you share details about your home and loved ones, consider whether it’s really necessary.
Review the privacy settings. Make sure that any online account through which you share personal information does not allow unrestricted public access.
Monitor your accounts. Watch your accounts for any suspicious activity and close those that are no longer active. Make sure to also monitor the accounts of any dependents.
Verify any request for payment or personal information. Even if a request seems to come from someone you know, contact that person through another channel to ensure the request has not been made by an impersonator.
To help keep your account information safe and secure during this period, make sure your contact information is up to date and set up security and account alerts so we can stay in touch. Remember, if we need to reach out to you, we’ll NEVER ask for personal or financial information or an access code through email, text or unsolicited calls. Visit our Security Center or the Stay Safe Online website for tips on how to recognize potential scams and learn more about how to keep your accounts safe.
Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided "as is," with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to, warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information security concerns, please contact your IT or information security advisor.