The Internet has finally, and in so many ways, become an integral part of our every day lives. As familiar as we are with it, however, we still need to understand how best to navigate our way in this vast digital territory securely. We all face challenges when trying to understand how to protect ourselves, our families and workplaces, and increasingly, all of our sensitive information from Internet attacks.
Before we can begin to practice Internet security, we need to learn the language. Security terminology is unquestionably daunting. The vocabulary used in Internet Security is nearly as large and dense as that found in the fields of medicine or the military. In fact, many Internet Security terms borrow from medical or military terminology, and like these, they require more than a one-line definition and are best accompanied by examples.
This post is the first of a series where I will attempt to explain common – and confounding – security terms. I hope this and future posts help you navigate the twisty little maze of Internet Security passages and your input will definitely be food for thought for future posts.
What is social engineering?
Social engineering is an attempt to influence or persuade an individual to take an action.
Some social engineering has beneficial purposes; for example, a company may distribute a healthcare newsletter with information intended to influence you to get a flu shot. But social engineering is commonly used by criminals to cause the recipient of an email, text, or phone call to share information (such as your online banking username and password, or personal identifying information such as your social security or passport number) or take an action that will benefit the criminal, not the individual.
Criminal social engineering often has an emotional component, to cause the individual to act in haste; for example, an email notice that informs you that your credit card has been suspended due to suspicious activity, or a notice that you've won an item or lottery. This is the "lure". The criminal hopes that you will take the action indicated in the message you receive; e.g., visit a link in the text or email, or call a telephone number. The link is the "hook": a link from a "phishing" email or text often takes you to a fraudulent site that impersonates your bank's login page where the criminal hopes you will submit account credentials or personal information that he can use or perhaps sell. A telephone number may be just as dangerous: the party you call may be an individual skilled at eliciting personal information from you.
The most adept criminals make very convincing impersonations of legitimate and well-intentioned correspondence. To better understand how to protect yourself against social engineering, visit such sites as stopthinkconnect.org or apwg.org.