Every one of us seems to have received emails like this:
Congratulations! Your email address has been selected as the winner of $1 million dollars. Please contact our agent below to claim the prize with your winning number: 123456ABCD.
While this particular message may look benign, there are legions of people coming up with far more underhanded and clever ways to scam you--and those threats are not all online. Letting things slip when talking to neighbors or even chatting up a telephone solicitor can leave you vulnerable to getting hacked. Sometimes even the experts, or hackers themselves, get dinged for carelessness.
What can you do to avoid being hacked? In a heated discussion on Reddit this week, social engineer Chris Hadnagy, who tests the network security of companies using tactics such as phishing and keylogging scams, shared his tips on cybersecurity from a hacker's point of view. (Social engineering, for the uninitiated, refers to the tactics of psychologically influencing peoples' behaviors to get information.)
Also known as loganWHD on the web, Hadnagy says in order to test companies' system frailties, he phished around 275,000 people last year and about 1.6 million are on deck this year.
Here are five things hackers don't want you to know:
1. They look for an in, both online and offline.
Besides not clicking on suspicious links or opening attachments from unidentified sources, you need to be skeptical in the offline world too. Hadnagy says that he once sat in the president's conference room of a company just by saying that he was there doing a quote for pest control. If he could get into the conference room, imagine what he could do if he happened into your office while you were at lunch.
Similarly, phone calls can leave you vulnerable. Hadnagy says you shouldn't be afraid to say "I don't know" to suspicious phone calls asking for personal information.
At your company, make sure the security guards follow the rules to check everyone's badge--that includes big groups of people coming back into the office after lunch. So-called "tailgaters" have been known to tag along with big groups to avoid suspicion from security guards.
"The average attacker is looking for the low hanging fruit," says Hadnagy. "I try to tell people that we have to live in this world."
2. They like lazy people.
"The level of paranoia you display should be commensurate to the info you are protecting," says Hadnagy.
Don't be afraid to be the person who memorizes a password made of 16 random characters rather than storing it in a password manager such as LastPass. The safest security box for your passwords is your mind. If you do use a password manager, Hadnagy says, make sure it doesn't store your passwords in the cloud or on the web.
3. Your vanity can be used against you.
Social engineers, like Hadnagy, train themselves to listen to others, rather than talk about themselves. The tactic, called "Ego suspension," means to "suspend your need to be right and important--even if you are."
The most dangerous hacker knows to let you give out all your information while he's listening, not talking. In social engineering, Hadnagy says, ego suspension is an important way for engineers to build rapport and get people's trust.
Once you know that, you should take care not to talk too much about your personal information to strangers--even your neighbors. In the end, who knows what they would do with your personal information?
4. The more you put online, the easier you are to hack.
We all have situations where we have to sign up for a site to get information and are pretty sure we won't be visiting that site again for the rest of our lives. Do you still use your regular email address?
Hadnagy suggests setting up a new email account just for these scenarios. This way, companies can't spam you with useless information or sell your real address to other parties.
He also says that people should regularly check online and cleanse their information. Data aggregation websites, such as Spokeo.com, collect your personal data like email or phone numbers and make them searchable. And though it may be tricky to get these companies to remove your information, it's not impossible. Even Google just began to scrub search results at the request of some European citizens after a court ruling.
5. You aren't invincible.
Even if you haven't done anything wrong, don't think you won't fall victim to hackers. Even Hadnagy himself has been hacked before. In one situation he almost got phished by an email that seemed to be from Amazon.com, except that it ended with a ".ru" extension.
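As an added illustration (not from the article or from Hadnagy), here is a small Python check that applies the lesson of that near miss: compare the domain a message claims to come from with the domain of its actual sender address and of every link in the body. The sample message is constructed to resemble the Amazon-lookalike described above; the last-two-labels domain comparison is an assumption made to avoid needing a public-suffix list.

```python
import re
import email.utils
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host):
    # Approximation (assumed here, no public-suffix list): the registrable
    # domain is the last two DNS labels, so "amazon.com.ru" -> "com.ru".
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_sender(from_header, expected):
    """Findings about the From: header; an empty list means nothing suspicious."""
    display, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return ["From header has no parseable address"]
    host = addr.rsplit("@", 1)[1]
    if registrable_domain(host) != registrable_domain(expected):
        return [f"sender address is at {host}, not {expected}"]
    return []


def check_links(body, expected):
    """Flag every link whose host is not under the expected domain."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != registrable_domain(expected):
            findings.append(f"link points to {host}, not {expected}")
    return findings


def triage(from_header, body, expected):
    return check_sender(from_header, expected) + check_links(body, expected)


# Constructed sample modelled on the Amazon-lookalike message described above.
SAMPLE_FROM = "Amazon.com <order-update@amazon.com.ru>"
SAMPLE_BODY = "Your order could not be shipped. Confirm at https://amazon.com.ru/verify"

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_BODY, "amazon.com"):
        print("WARN:", finding)
```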
Hadnagy said that "smart scammers" often focus on the long run instead of instant financial gains. The Target data breach, for example, was not just about credit card numbers. The hidden danger was that people could use the information to do long-term damage like stealing your identity.
Falling into the trap of thinking you're invincible is "human nature," Hadnagy says. "The difference is that I know what I see now and can stop, think and correct my course."