Social engineering: how to protect yourself

Social Engineering is a key component of almost every type of fraud, and by formulating convincing lies, criminals exploit their victims through a series of social interactions, with intent to steal money, or to commit other white-collar crimes. As social engineers generally attempt to catch people off-guard, the best form of prevention is awareness.

Fortunately, this article has you covered, so get ready to learn all you need to know to defend yourself, both online and in-person.

Social Engineering is a way for criminals to steal sensitive information without hacking complex security systems. They use an array of manipulation techniques to build trust, and to deceive unsuspecting individuals. These techniques exploit aspects of human psychology to “engineer” the decision-making process, and to pressure victims into freely handing over their information, without realizing there is any danger.

To begin with, social engineers develop a convincing storyline to lure victims into a false sense of security. They may impersonate a person of authority, like a policeman or government official. Before the days of the internet, social engineering was mostly conducted through face-to-face interactions—think of Hollywood movies where con-artists gain access to high security buildings by using charm and wit. It’s important to note, however, that social engineers won’t always be pleasant. Many of them choose to adopt forceful, and sometimes threatening, approaches as these can be highly effective in directing time-critical scenarios.

In modern times, social engineering has become a serious threat online. It’s easier to send an official-looking email, or to entice someone into clicking a link, than it is to dress in official uniform or try to gain physical access to a privileged area. The risks associated with asserting a physical presence are much higher than if somebody were to carry out an attack online.

In any case, regardless of the technique(s) used, the goal of social engineering is to attain unsolicited access to something for the purpose of personal (usually financial) gain.

Security at N26

Your security is our priority. Arm yourself with our tips to protect yourself online.

Check N26 Guide to Secure Online Banking

How do they do it? Read below to find out the most common types of attacks to watch out for when partaking in online activities.

Social engineers use this tactic to coerce potential victims into sharing sensitive personal information. In order to achieve this, they may create a sense of urgency that compels their victims to comply with their demands within a certain time frame. In other scenarios, they may not always request information from their victims immediately; skilled social engineers will bide their time in order to build trust.

Unfortunately, where the majority of people are concerned, there’s no way to anticipate or even identify this type of social engineering. The most important thing to remember, however, is that you are always within your rights to question the identity of individuals claiming to represent organizations of any kind.

Baiting uses the false promise of an irresistible offer to lure people into a trap. Online baiting often takes the form of enticing adverts or ‘too-good-to-be-true’ offers. Imagine a link to download the latest Hollywood blockbuster for free, or a bright, flashing pop-up claiming you’ve won a cash prize.

Phishing is one of the most prevalent fraud types faced by individuals online today. One reason for this is that, following the initial collection of data, successful attempts are heavily reliant on social engineering practices. Phishing can be preceded by, or indeed followed by, a pretexting scenario.

With quid pro quo, criminals trick victims into handing over sensitive information with a promise of an exchange, either as a provision of service or items. A common approach is to be contacted by someone appearing to be from a tech support department, claiming they have been asked to fix a problem. When criminals strike it lucky and find someone with actual technical problems, they access the person’s computer and steal personal information, while pretending to help.

What better way to exploit social interaction than communication which appears to be sent from a close friend? This is a popular choice for fraudsters who hack email accounts and then spam messages to a person’s contact list. Messages generally contain an eye-catching subject line, such as “check out this cool website!”, or perhaps they will appear to link to popular social media platforms.

Believing the email to be sent from a friend, the recipient may eagerly follow the link. Rather than discovering a funny meme, or a questionable photograph on Facebook, the victim is redirected to a fraudulent website. Again, personal information can be stolen, or malicious software can be downloaded, from the destination page.

The specifics of social engineering techniques vary widely. Hackers are free to get as creative as they wish in their attempts of deception. However, below are some specific, real-life social engineering examples to give you a clear idea of what to look out for:

• Baiting: local and state government agencies in the U.S. were baited in 2018. They were sent old-fashioned envelopes, postmarked from China, containing a letter and a CD-rom. The disc contained malicious code hidden alongside innocent looking documents.
• Pretexting: a 2019 report from Verizon found criminals often pose as co-workers to deceive victims, for example, by imitating a company’s HR or financial department.
• Phishing: in 2020, a phishing campaign sent mass emails claiming to be from the World Health Organization (WHO). The message contained fake information on how to prevent the spread of the coronavirus. After attempting to download the document attached, victims were redirected to a fraudulent website.
• Quid pro quo: a large-scale 2016 study into Social Engineering by the University of Luxembourg found people were significantly more likely to share their password when given a small gift. This technique is effective as it exploits reciprocity, the psychological term for the obligation humans feel to return favors. So effective, in fact, that participants were enticed into sharing information when given a piece of chocolate!

Fortunately, although techniques vary, the countermeasures to social engineering are mostly the same. Vigilance is key, as is treating any forms of contact from unknown senders with suspicion. Other ways to protect yourself include:

• Always question the source of emails that request something from you. Pay especially close attention to the sender’s details, and to any URLs.
• If correspondence appears urgent, take your time and don’t be pressured into taking immediate action. This is one of the most common ways social engineers force people to act first and think later.
• If an offer—online or offline—appears too good to be true, it probably is. Remain vigilant.
• Protect your devices by using genuine, well-respected antivirus or firewall protection.
• Use multi-factor-authentication (also known as 2-Factor Authentication or 2FA), which uses your smartphone, or another device, as well as a password to access your accounts.
• Always double check links sent in emails, and, if in doubt, visit the website in question directly by typing the address into your browser, rather than clicking on the link in the email.
• Don’t download files, share personal information or follow links from unknown senders.

As we mentioned in the beginning of the article, awareness is the number one form of defense against Social Engineering. Criminals are relying on you to be caught off-guard, but armed with this knowledge, rest assured you’ll be one step ahead in this game of deception.

The bank account that gives you more control

Spend and save with confidence, and discover a better way to manage your money

Get bank account (new tab)

N26 uses 2-Factor Authentication by default—in addition to entering your password, you need to confirm login attempts on your paired smartphone. To make your account even more secure, choose a strong password or passphrase, and don’t use this password for any other accounts.

Here are some other things to keep in mind:

• We will never contact you threatening to close your account if you don’t respond within a specified time-frame.
• We will never ask you to disclose your login credentials via email, phone call, or SMS.
• We will never ask you to log in into an account that has been created on your behalf.
• We will never contact you via Whatsapp, or any other private messages services.

If you have received any such emails, please report this to our Customer Service team as soon as possible. You can get in touch with them directly through our app, or by sending an email to support@n26.com.