When we think about computer hacking, we usually envision expert programmers breaking into complex electronic systems with cutting-edge viruses, Trojans and worms. But a system is only as secure as its weakest link, and a rational hacker will always look to get the most benefit for the least effort and risk. So as we continue to improve the security of smartphones, tablets and computers, the weakest link (and thus the primary target) often becomes the person using the device.
Social engineering has always been a key tool in the hacker’s arsenal. While we spend our time thinking about passwords and encryption, social engineering bypasses most of these technical security measures. Social engineering is about manipulating people into circumventing security. This might be a hacker posing as a trusted employee to ask for insider information, or more commonly, a phishing email where the hacker asks for personal information by posing as a trustworthy organization.
Luckily, there are a few simple things we can do to protect ourselves.
No. 1: Trust but Verify
Social relationships are built on trust; we trust our families, we trust our friends, and we trust the companies that we do business with. We recognize these people and entities by their names, pictures and trademarks. But on the internet, these traditional authentication methods are often very easy to fake.
A few years ago, I was invited to speak at a major industry security conference. A couple of weeks later, I got an email from an unknown Gmail address with an attachment asking me to fill out my personal information in order to reserve my hotel room. After looking at it a few times, I forwarded the email to one of my conference contacts, who confirmed that the request was legitimate. I couldn’t resist pointing out the irony of requesting sensitive information from an unauthenticated source for a security conference.
Fast forward to this year, when I was fortunate enough to be on a TV show that highlighted my background and personality. A few weeks before the pre-taped episode aired, I was contacted by someone claiming to be a producer for the show requesting specific photos to use on TV. Since I hadn’t met the gentleman and didn’t recognize his contact info, I asked him a simple question: “Who finished in 2nd place during my episode?”
Both of these situations were false alarms, but I chose to verify them because:
- They were unexpected emails from unknown or untrusted addresses,
- They were specifically requesting personal information, and
- The time it took to verify them was trivial compared to the potential cost of not doing so.
No. 2: Read Web Links Backwards
The goal of phishing is to obtain personal information like passwords and credit card numbers. This is usually done by linking to a website designed by the hacker to look like a website you know and trust (e.g. Google or your bank). Since it’s often trivial to copy the text and images from the real website, the only indication you might have that you’re on a fake website is the web address (aka. the URL).
Web addresses read from right to left, so if you’re on https://www.google.com, you can be pretty sure it’s legitimate. To manage your Google account, you can go to https://myaccount.google.com. Here, “google” is the main second-level domain and “myaccount” is the subdomain owned and run by Google.
Phishers take advantage of the fact that most of us read from left to right, so be very careful with URLs like https://www.google.youcantotallytrustme.com. Reading the link from right to left, it’s obvious the website is actually not run by Google, but by whoever owns “youcantotallytrustme.com”. So who owns that domain? Anyone who wants to spend $12 CAD.
No. 3: Take a Step Back
Ever notice how you make more mistakes when you’re in a rush?
Scammers and phishers want you to act first and think later, which is why most social engineering tactics involve urgent requests. Before you click on a link or give out your personal information, take a step back and think about it. Ask yourself why a reputable company would send out such a message, and why it would come over email or text message. If your account really was compromised and needed to be immediately verified, wouldn’t they call you instead? And what’s with the weird grammar and spelling errors?
Once you know what to look for, phishing scams are often pretty straightforward. If you keep a cool head and trust but verify, you can protect yourself from the vast majority of scams. And as much as we’d all love to make some extra money helping a Nigerian prince, winning the Dutch lottery or simply working from home, we’re also smart enough to realize that if it sounds too good to be true, it probably is.