We all know the basics: strong passwords, two-factor authentication, and so on. However, the most recent security and privacy breaches have had less to do with bad passwords and more to do with social engineering. Let's look at what that is, why it can happen without you knowing, and how you can protect yourself.


How Social Engineering Works (and Why You May Never Know You're a Target)

Strictly, social engineering is a technique for getting around security systems (or any type of system) not by breaking through them or exploiting vulnerabilities in the system itself, but by exploiting vulnerabilities in the humans around the system. Instead of breaking in or cracking a password, you convince a tech support agent to reset the password and give it to you, for example, or you trick a system into thinking you're an authorized user by some logical means using information you already have available.


We've actually shown you some examples of this before. When we talked about how to convince someone you work in their building, that was technically social engineering (although it was for a mostly good cause). Getting into parties and clubs without an invitation? Same deal.

At its heart, social engineering is an essential form of hacking: it works around or outside existing systems to obtain a desired result. And just as it can be used for innocent fun, it can also be used to steal identities, violate people's privacy, and cause serious harm. Just ask Mat Honan, who had his identity stolen a few years ago thanks to a little clever social engineering of support reps at Apple and Amazon. Now we're seeing it again, no thanks to the celebrity photos leaked and lurking around the internet, obtained by social engineering rather than brute-force cracking or sloppy security. In this case, the intruders likely used known information to defeat security prompts, reset passwords, and obtain access to otherwise secured information. The most interesting (and scariest) part is that this kind of social engineering is relatively easy given a little research into your target.


Most people think that social engineering means engineering the target directly, convincing them to give up useful information. That's one way to do it, but it's not the only way. In fact, the most successful methods involve never letting your target know until it's too late. Don't get us wrong, hackers and data thieves are still interested in your passwords; it's just that there are far more effective ways to get at your data than trying to brute-force your Google account.

Why You Should Pay Attention to Social Engineering Attacks


Like we mentioned above, passwords are passé. You've probably already read our myriad guides to password security. You know to enable two-factor authentication wherever possible (including LinkedIn). You know you should be using a password manager, know how to audit your passwords, and know password managers are still your best option even if they appear to be a single point of failure. If you're the type to make a password "password" or "123456," then you know who you are, and you know you should do better, but for one reason or another, you haven't.


Password security and two-factor authentication have been driven into almost all of us. There are plenty more people who need to get on board, to be sure, but it's covered territory. Plus, even though passwords are easier to obtain and crack than ever, most hackers aren't interested in just passwords anymore. Remember the 1+ billion passwords a Russian gang picked up last month? Most of those identities are being used for spam, if they're being used at all. That's because identities (account usernames and passwords) are only as good as the information they store or have access to, and most malicious hackers are looking for targets with valuable information they can use, exploit, or sell.

Selecting a high-value target and using more advanced methods to get their data is a better use of an intruder's time. Given how well it works and how easy it is, that makes us all targets. The illusion that the average Joe "doesn't have anything valuable" quickly fades as it gets easier and easier to use automated tools and social engineering to get access to your data.


How to Protect Yourself from Social Engineering Attacks


If we haven't established yet how easy it is to use social engineering to obtain information, this piece at The Washington Post explains how easy it is to hack someone's iCloud security questions, which is likely how some (but not all) of the aforementioned celebrity photos were obtained. Similarly, David Pogue posted his take at Yahoo, where he also debunked some common reactions to the whole affair. So, aside from teaching people not to be horrible jerks who violate each other's privacy and expose personal, private information to the world, what can we do to protect ourselves against social engineering attacks?

- Obviously, never give out confidential information. We went into this in detail in our old guide to social engineering attacks, and you really shouldn't friend anyone who sends you a request.

- Safeguard even inconsequential information about yourself. Security questions in particular are usually easy to defeat because they're systemically flawed. Users want to pick questions whose answers are easy to remember, but that usually means they pick the questions easiest for an intruder to decipher, like "Where were you born?" or "What city did you go to high school in?" If you have to use security questions, be very careful with the information they request, and use the most obscure, nuanced questions available. You can always make a secure note in your password manager or an encrypted text file with the answers if you're afraid you'll forget them.

- Lie to security questions, and remember your lies. You could just outright lie, and say you were born in Cincinnati when you were actually born in Little Rock, but you'll have to remember that lie. Alternatively, you could make up your own questions and use those answers instead.

- View every password reset email with skepticism. Even the ones that say things like "If you didn't request this, you don't need to do anything." I've found people hammering old accounts I used to have with password reset requests not because they think my account is theirs, but in the hopes they'll get a different kind of prompt eventually so they can hijack the account. They know I'm notified every time they try to reset the password, but they're betting on me not doing anything. Contact support for the service in question and let them know. The best services can freeze reset requests for your account, or will send you over to their abuse or security team, who can investigate the source of the attack.

- Watch your accounts and account activity. This is in the same vein as keeping an eye out for password reset requests, but there's nothing wrong with checking your Google Dashboard, Mint or Personal Capital; we've shown you how to monitor that for free on your own.

- Diversify passwords, critical services, and security questions. This one should be common knowledge, but it's clearly not: don't use the same password everywhere, and don't use the same security questions everywhere they're offered. Sadly, most banks and cloud service accounts recycle the same bank of common security questions over and over, and it can be tempting to have five services with "What's your mother's maiden name?" as the security question. Don't do it. Beyond the fact that your mother's maiden name is incredibly easy to find out using public information, it's just as bad as using the same password everywhere. Similarly, diversify your cloud storage services, email services, and other critical web apps and web services. Don't let one hack, if it ever happens to you, shut down your entire online life. You want to be able to isolate a hack quickly and have the tools to react to it if it does.


For more tips, we've covered many of these suggestions (and some more) in our previous guides to protecting yourself against social engineering, as well as how to protect yourself from fraud and identity theft online and offline.


Keep an eye out. Social engineering and this kind of "soft" hacking aren't particularly new, but they're rising in popularity among even untrained and unsophisticated hackers, mostly because they're easy to do, can net a ton of information, and, of course, the human systems set up around our technology are almost always the weakest link in the security chain. A little attention to detail and vigilance goes a long way.
