
Social Engineering

Social engineering is one of the biggest issues people and businesses have to deal with regarding digital threats, and it will get worse as AI gets better. Scammers have figured out they can use fake video and photos to fool people, and if they are smart about using AI to generate fake texts and emails, they can see even better results. The hard part about getting better at spotting social engineering is that it requires a good understanding of psychology. A good scammer understands the cognitive biases that humans are vulnerable to and uses them to their advantage. The basic premise of social engineering is this: use psychological manipulation to get somebody to do something that goes against their best interests.

This is a common tactic used to take over high-profile social media accounts and phone accounts, an example being the 2020 Twitter Hack. In cases like that, the user can do everything right and still get their accounts taken over. In almost all social engineering cases, a scammer makes an emotional plea to get someone to "help" them. This is still an effective method, even on employees who have taken security training focused on the topic.

Note: having the best security software in the world isn't going to protect you from yourself if you throw caution to the wind. If an attacker gets you to click on a link and download an infected file, or to go to a fake website and enter your login info, the security software likely won't catch it. There are multiple reasons for this, including files padded with junk data that are too big to scan in certain cases, and new strains of malware with no known signatures in AV detection databases.

Mitigation

2FA: You're probably tired of hearing me say this is important, but it's worth repeating, especially in cases like this, though with a caveat. 2FA is great but is not a silver bullet that can protect you from threats like fake websites and cookie stealers. Here's an example of how the former works: you get a fake email saying your social media account needs attention, click the login link, and land on a fake website; if you enter your login before noticing the issue, your account will be taken over. This type of attack gets spammed to a massive number of people, so the attacker usually sits at the computer all day waiting for login details to be sent to them. If you enter your password and 2FA code, the attacker only needs to be fast enough to type them into the real website on their end before a new code is generated. Once this happens, your account is gone, and someone will likely make malicious posts from it, damaging your reputation.

Phishing/SMiShing/Vishing: These are similar to one another in that the message itself appears to be coming from someone legitimate. Because of AI, these types of attacks have gotten better, to the point where businesses are having to come up with better solutions to protect themselves from things like sending payments for fake invoices. In the case of Vishing, what you'll commonly deal with is a scammer who pretends to be a government employee (IRS or law enforcement), saying you'll go to jail if you don't send some money or a gift card. The way to deal with this is to not respond to anything you aren't expecting. If you are expecting some sort of communication and the matter is sensitive, it's good to have verification measures in place to make sure you're talking to the person you intend to (e.g. if you get an email from a friend saying they are in trouble and need help, call a known number of theirs).

Pretexting: A pretext, as it relates to social engineering, is the creation of a fake scenario or identity to gain your trust. One of the most common scams for home users is still an email or call from someone claiming to be IT support who says they need access to your computer to fix a virus. In the workplace, scammers are getting more crafty by doing a lot of research and claiming to be from the helpdesk or some other section of the company. This is still an effective method if the scammers do enough preparation and have the confidence to back it up.

Baiting: This comes in a couple of different flavors. The first is leaving infected media around, such as a USB drive with a curiosity-inducing name. Many people will think there is something sensitive on it and will be willing to search it for something interesting. The other form of baiting is when a scammer gets you to respond to them on a call or by email. They may make up a pretext that you have unpaid bills and are going to be arrested if you don't send a gift card. A scammer who's good at this will know how to push your buttons and get you mad at them so that you reveal info about yourself that the scammer didn't already have (e.g. they claim you're someone you're not, and you reveal your real info to counter this).

Beyond this, standard practices apply to help catch a scam. Look at the "From" address in emails, hover over links to see where they really go (and always be cautious with link shorteners), don't open attachments unless you have verified they were supposed to be sent to you, and keep a healthy level of skepticism toward communications that are unexpected.
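The checks above can be automated for a mailbox triage script. The following is an added example (not code from the original post) that parses a constructed sample email and flags a Reply-To domain that differs from the From domain, links routed through a shortener, and link text that shows one host while the href points somewhere else; the shortener list and the sample message are assumptions made for the demo.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email) showing the warning signs
# the text lists: a mismatched Reply-To, a shortener, and link text that lies.
SAMPLE = (
    b'From: "IT Helpdesk" <helpdesk@example.com>\r\n'
    b"Reply-To: helpdesk@example-support.net\r\n"
    b"Subject: Action required\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b'<p>Log in at <a href="http://bit.ly/abc123">example.com/login</a> '
    b'or <a href="https://login.example.com/">https://login.example.com/</a>.</p>\r\n'
)
# Hypothetical shortener list for the demo; extend it for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Simplistic anchor matcher: enough for the demo, not a full HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(s):
    """Hostname of a URL, or of bare link text such as 'example.com/login'."""
    s = s.strip()
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header ('' if none)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def review_message(raw):
    """Return a list of warnings; an empty list means no red flags were found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"replies go to {reply_dom!r}, not the From domain {from_dom!r}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in ANCHOR.findall(html):
        shown, real = host_of(re.sub(r"<[^>]+>", "", text)), host_of(href)
        if real in SHORTENERS:
            warnings.append(f"link goes through shortener {real!r}; destination is hidden")
        if shown and "." in shown and shown != real:
            warnings.append(f"link text shows {shown!r} but points to {real!r}")
    return warnings

if __name__ == "__main__":
    for w in review_message(SAMPLE):
        print("WARNING:", w)
```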