If you have ever been tricked into giving your password to a fake website, you’ve been the victim of social engineering. Social engineering is the “use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes”. To put it simply, social engineering involves a criminal tricking you into giving up information that you wouldn’t otherwise want to give them. This is usually done by appealing to your emotions and creating a sense of urgency designed to stop you from thinking rationally. It can occur both online and in person; however, the most common forms of social engineering occur online.
What Does it Look Like?

Social engineering can take many forms, both online and in-person. Below are some of the most common and effective ways that criminals extract information from unsuspecting victims:
Baiting: This strategy involves leaving a USB drive or other physical device where an unsuspecting victim will find it and, the attacker hopes, plug it into their computer. The drive could contain malware, ransomware, or other spyware that collects information for criminals looking to make a profit.
Phishing: By far the most common strategy, and one that fills your spam inbox every day. Phishing involves sending an email or text to the target that usually contains a link to either a malware downloader or a fake website. Phishing attacks are considered a ‘shotgun approach’, meaning the criminals don’t necessarily know who their targets are. Instead, they try to get their message out to as many people as possible, hoping that a few of them will click the link.
Spear Phishing: Spear phishing is a targeted version of phishing in which criminals try to craft emails that are indistinguishable from real ones in order to extract large amounts of money from companies. Spear phishing will usually target high-ranking executives, people in Human Resources and Finance, or employees with a large number of privileges, such as system administrators. To make their emails look real, spear phishers are usually already inside the company’s email system before they attempt to imitate emails such as third-party invoices or purchase orders.
Email Hacking/Content Spamming: Another, more targeted type of phishing. Criminals using this strategy will compromise one email account and then send malicious links to all of the victim’s contacts. In this case, the emails carry some credibility, since they are coming from a known contact.
Pretexting: This strategy can take place both online and in-person. Criminals will try to lure potential victims in with a story that sounds too good to be true (think of a Nigerian prince offering you his fortune) in return for some personal information. This information is usually a social security number or bank details, supposedly needed in order to prove your identity.
Quid Pro Quo: Another strategy that can be performed both online and in-person. The most common example of a quid pro quo attack is a criminal pretending to be tech support. Someone who is not technically literate may be confused by the jargon the criminals use and believe that they are there to help. In reality, the criminals give themselves access to your entire computer and can do whatever they want with it.
Tailgating: A purely in-person strategy that involves following someone with elevated privileges into an area that the follower is not authorized to enter. This may be as simple as pretending to be a janitor who forgot their keys to the server room.
Prevention Tips

As with all types of security attacks, there are safeguards that we can take to lower our own risk and stay safe. It’s important to understand that none of these attacks would be possible without the victim enabling them. As a result, many of the prevention tips revolve around the victim’s mindset:
Consider the source: If your bank were having an issue with your account, they would either call you directly or ask you to call their hotline.
Slow down: Many of these attacks are designed to create a sense of urgency. Take a step back and evaluate the facts before doing anything that may put your information in danger.
Don’t click on suspicious links or attachments: Always do your due diligence: hover over links to see where they really lead, and think about the content of attachments before opening them. If you have any doubts about the authenticity of the email or the sender, do not click on any link or attachment.
If it sounds too good to be true, it is: Unfortunately, no one is going to offer you millions of dollars from a contest that you didn’t enter.
Don’t hold locked doors open for strangers: This tip is for those of us who work in office buildings with keycards. Being polite shouldn’t come at the cost of security: if you don’t know the person behind you, don’t hold the door open for them without seeing their keycard.
Don’t trust everything that you receive from contacts: More people are getting hacked every day. Just because someone is in your contact list doesn’t mean that everything that they send you is safe. Always do your due diligence with regards to links and attachments.
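As an added example (not part of the original article), the following Python script does programmatically what the “hover over links” tip describes: it pulls every link out of a constructed sample email body and flags links whose visible text names a different site than the real destination, links that are not HTTPS, and links that point at a bare IP address. The sample email and all domain names in it are made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample phishing-style email body (illustrative, not a real message).
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Verify now:</p>
<a href="http://login-examplebank.co/verify">https://www.examplebank.com/login</a>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
<a href="https://198.51.100.7/reset">Reset password</a>
"""

# Matches a hostname-like token (e.g. www.examplebank.com) inside visible link text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs, i.e. what hovering over a link reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_links(html):
    """Return (href, reason) findings for links a reader should distrust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        shown = HOST_RE.search(text)
        if shown and shown.group(1).lower() != host:
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
        if parsed.scheme != "https":
            findings.append((href, "link is not HTTPS"))
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "link points at a bare IP address, not a named site"))
    return findings
```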