Human hacking: When cyber criminals target you

If you’ve ever gotten anti-hacking advice, you’ve probably heard, “Don’t use a simple password,” or “Don’t plug in that USB you found on the ground.”

But there’s one form of hacking that doesn’t always require a computer, and it costs businesses about $4.88 million a year.

Modern hackers aren’t trying to get into your computer; they’re trying to get into you.

“They’ll try to learn about you a little bit, and they’ll try to use that information against you to try to get you to complete some action, maybe to send somebody some money,” said Kevin Moran, an assistant professor of Computer Science, Cyber Security and Privacy Cluster at the University of Central Florida.

IBM calls this human hacking because it exploits human error instead of system error.

“With people just being busy and maybe not very carefully checking some of the emails or the phone calls that they get, can be something unfortunately that people can fall victim to,” said Moran.

Also known as social engineering, this often takes the form of phishing, where the hacker tries to “fish” the information out of you by impersonating family, friends, or even your bank.

There’s also baiting, where the hacker baits you with something of value.

Remember the Nigerian prince scam? That’s a famous example of baiting.

There’s also pretexting, where the hacker claims you have already been hacked and that they can fix it if you just send over your passwords.

So, what can you do?

“Just as a rule of thumb, instead of clicking on links and emails, just go to the website yourself. And that will prevent a lot of these types of attacks from happening,” explained Moran.

Phishing can take many forms.

Spear phishing targets people with access to confidential information, often to gain access to an entire business, and whale phishing targets CEOs or political figures.

Search engine phishing is when hackers create fake websites promising services or goods you’ll never receive.

Angler phishing is when hackers create fake social media accounts impersonating famous people or companies.

Finally, vishing and smishing are phishing done through phone calls and texts, respectively.