The Practical Guide To Mac Security: Part 6, Social Engineering

Friday July 30, 2021. 05:00 PM , from MacMost
Even if you have a strong password and use two-factor authentication, your Mac and accounts can still be vulnerable to social engineering when you fall victim to simple scams.



Check out The Practical Guide To Mac Security: Part 6, Social Engineering at YouTube for closed captioning and more options.
Video Transcript: Hi, this is Gary with MacMost.com. This is Part 6 of my course The Practical Guide to Mac Security. This course is brought to you free thanks to my Patreon supporters. Go to MacMost.com/patreon to find out more. Join us and get exclusive content and course discounts.
So Social Engineering is a technique where somebody tries to get access to your computer or accounts by using YOU. So they are not relying on a weak password or stolen password but, in fact, you are the weakness when it comes to social engineering. So it doesn't really matter if you have a strong password. It can be strong, random, unique but social engineering they can still get that from you because you've given up the password. Also, if you have two-factor authentication that can also be circumvented with social engineering. Here's one way a social engineering attack can happen.
This is also called a phishing attack. So you get a mass email. It looks legit. It's coming to you. Usually these emails say that there's some sort of problem. That somebody has tried to break into your account or somebody has ordered something or there's an issue and you need to log on. They want to create a sense of urgency. They want to throw you off your guard. There's usually a link there to click to login. So you go, click the link and you end up at what looks like a legitimate website. Maybe it's telling you to log into your Facebook account or your Amazon account or your bank's account. Don't mistake the fact that they seem to know that you have an account at a certain bank as some sort of legitimacy. They probably sent out thousands, millions of emails and just the random fact that you happen to have an account at that bank is just a coincidence. Maybe you also get some for other banks and you dismiss those easily. They're looking for quantity. They just want to send out millions of emails and be able to get a few passwords.
So you're at this webpage that looks legit. They ask you for your user ID and password and you enter that in. What happens next doesn't matter. It may tell you that the problem is resolved. It may redirect you to the real website where it looks like you just have to login again, like maybe it didn't accept that user ID and password. It doesn't matter because at that point they've got you. As soon as you entered your user ID and password you've just sent it off to them. So they know how to get into that site.
Here's an example of an email that you may get. This one looks like it comes from Amazon and it has the Amazon logo in it. It looks very official. It looks exactly like an email you may get from Amazon. Notice how it creates a sense of urgency because it's showing you, hey your PlayStation 4 Pro Console is shipping and it's arriving tomorrow. Then it puts in an address of somebody you don't know. It's probably even a person that does not exist. It shows you it's going to cost a bunch of money and your immediate thought is, I didn't order this. This person shouldn't get this PlayStation off of my credit card. So what should I do? What do I need to do? Well, there's a phone number there that, of course, is a fake phone number. There's also a link to those. You can click on those. Those are fake links and they will take you somewhere where you'll be asked to login or perhaps if you call Customer Service they may tell you that you need to give them your Amazon ID and Password or maybe the credit card number. You know you may be so upset and trying to stop this that you may give it to them not realizing, of course, that this is all fake and the whole point was to get you to call them or go to this webpage so that you could hand over some of your information.
Here's another one. It seems to come from Apple. This one is a little easier to see through because it's coming from an address that's not Apple. It's got the Apple logo. It seems maybe it's legit and it's telling you that, oh somebody tried to login using your Apple ID. This may make you upset and you may want to click on where it says appleid.apple.com which is a legitimate place where you would go to look into something like this except that if you actually move your cursor over it you'll notice that it's not going to that website at all but to, in fact, what looks like a URL redirect in India. So it could take you to a page that looks very much like Apple's site and once you enter in your Apple ID and your password then they've got you.
Now phishing attacks don't have to come as an email. They can come as a text message. They could come as a phone call and often do. People will call you and tell you that something is wrong with your computer. Something is wrong with an order for Amazon or something is wrong with your bank account. The attack is the same. It's just somebody on the phone rather than this email going out. It could even be an ad on a webpage. So you go to a webpage. It's a legitimate webpage but an ad that has slipped into the advertising network for that site says there's a problem with your computer or something like that. It pops up and it looks like it's an alert to you and you need to do something. This could even be used in the real world as a physical letter that you get in the mail. As a matter of fact often you get scams like this where there are letters that pretend to be from your insurance company or from your credit card company or from, perhaps, even your bank that ask you to contact them and it has nothing to do with your bank at all.
Now you could also use a phishing attack to get around two-factor authentication. It's a little more complex. Here's a complex way they do it. You end up at a fake site and you enter your User ID and Password. Then, of course, it's going to prompt for two-factor. Now since this is a fake site it won't know what your two-factor is. So what happens at that point is your user ID and password are sent off to the malicious individuals that are trying to steal from you and they will go to the real site and enter that user ID and password. That in turn generates a two-factor code which is sent to you. So you get it. You were expecting it. Now you are still at the fake site and it asks for that two-factor code. You enter it in and all that is doing is that fake page is sending it to the same malicious individuals that you've always been in communication with at this website. They get the code and they quickly enter it in and while you have access to nothing because you're at a fake site, they have access to the real site. You could start this any way you want. It can start with a mass email to a bunch of people and it can go through this process. It can be a phone call. All sorts of ways.
A simpler way that this can happen is say somebody already has the user ID and password for you. Maybe they've gotten it some other way. Maybe through a data breach. They go to login to your Facebook account, your Amazon account, your bank account and they are hit with a two-factor code. But in addition to the information that they have they can easily find a phone number for you. They just maybe use the name that's in your email address, look it up, find a phone number. You get a phone call. Now this phone call may not seem to come from whatever it is they're trying to break into. Say they are trying to break into your bank. They may not say that at all. They may say they're from the phone company or your insurance company or from somebody completely different saying they are just doing some sort of test and they are going to send you a code. Then sure enough your phone buzzes and you see the code there. Now they said they are going to send you a code and there's a code. But it doesn't mean that they sent you the code. What they were doing is when they said they were going to send you a code they tried to log onto your bank's site and the code was sent from your bank to you. Now, they ask you for the code. You give it to them and they can complete their log on to your bank's site.
So with social engineering you could see you're the weakness. None of this can happen unless you are actually volunteering this information. How can you prevent this from happening to you? Well, there are a variety of different ways.
First, of course, don't click on links in anything. Any emails, text messages, websites. If you get a message and you want to investigate further go directly to that site. In other words if you get a message from your bank don't click on the link in the message. Instead go to your bookmark for that bank or type the URL for that bank to go and log into your account. Disconnect what you're doing in your web browser from the message that you've got by not clicking on a link to go from one to the other.
Using a Password Manager helps as well because if you do accidentally forget this rule and click on a link you'll end up at a site that might look a lot like your bank's site but, in fact, maybe slightly different. Maybe barely different. You could read the URL a million times but not tell that there's one letter off of it. But a Password Manager wouldn't recognize the website and would say it doesn't have a password for that URL.
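What the password manager is actually doing when it "wouldn't recognize the website" is a plain domain comparison. The script below is an added example written for this page, not MacMost's code and not any particular manager's implementation: it keeps a small constructed vault keyed by site host, and only offers an entry when the registrable domain of the page being visited is exactly the one stored. A one-character difference, the real name buried as a subdomain of another site, or a look-alike letter from another alphabet all get "no saved login", no matter how convincing the page looks. The two-label registrable-domain rule (no public-suffix list) and the vault contents are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed vault: site host -> username. A real manager also stores the
# password; none is needed to show the matching rule.
VAULT = {
    "online.examplebank.com": "gary",
    "www.amazon.com": "gary@example.com",
}


def registrable(host):
    """Last two labels of a host (assumption: no public-suffix list, so
    'co.uk'-style suffixes are not handled here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def page_host(url):
    """Host of the page being visited, as a browser extension would see it."""
    return (urlparse(url).hostname or "").lower()


def matching_entries(url, vault=VAULT):
    """Vault entries the manager would offer to fill on this page: only those
    whose registrable domain equals the page's. Appearance plays no part."""
    host = page_host(url)
    return [site for site in vault if registrable(site) == registrable(host)]


def punycode(host):
    """ASCII (IDNA) form of a host; a non-Latin look-alike letter that is
    invisible in the address bar shows up as an 'xn--' label here."""
    return host.encode("idna").decode("ascii")


# Constructed test URLs: the real site plus three look-alikes.
LOOKALIKES = [
    "https://online.examplebank.com/login",                      # the real site
    "https://online.examp1ebank.com/login",                      # digit 1 for letter l
    "https://online.examplebank.com.secure-login.example.net/",  # real name as a subdomain
    "https://online.examplebаnk.com/login",                      # Cyrillic 'а' (U+0430) for 'a'
]

if __name__ == "__main__":
    for url in LOOKALIKES:
        offered = matching_entries(url) or "no saved login"
        print(f"{punycode(page_host(url)):58} -> {offered}")
```

Running it prints one match for the genuine host and "no saved login" for the other three; the last line also shows the Cyrillic host in its xn-- form, which is the only place the substitution becomes visible.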
If you get a phone call my advice is always don't answer the phone if you don't know who is calling you. If the caller ID isn't one that you recognize then there's no reason to answer the phone. If it's important they'll leave a message but most, if not all, phone calls that you get from numbers that you don't know, that you're not associated with, are going to be either spam or scams. So the best way to avoid those is just don't answer the phone. Most times, phishing attempts won't even leave a message. They want to talk to somebody live. But if they do leave a message and they give a phone number don't call back that phone number. If they identify themselves as coming from your bank or from Amazon or from whatever use the official numbers that you already have for those. Don't use the number that they tell you in the phone call or the caller ID number. Remember caller ID numbers can always be faked. So even if the number comes up as an official number for your bank on caller ID, it doesn't mean it's coming from your bank. That can easily be faked.
Also, never assume that you could detect when you're the victim of a phishing attack. A lot of people go and say, well it's easy to tell when you're seeing a phishing attack. The email has bad grammar in it or there are mistakes or you could see at the top it's not from Amazon or eBay or PayPal or whatever. Don't assume this because there's no reason that there has to be grammatical mistakes or things like that. The email can actually look absolutely perfect. You saw in that email that looked like it came from Apple how the link looked like it was actually from Apple. It was only when I moved my cursor over it that it said it wasn't. That URL could actually be made to look very close to a real Apple URL. So I think it's a mistake to always look for telltale signs of a phishing attack.
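The hover check from the Apple ID email, done programmatically. The script below is an added example written for this page, not MacMost's code: it parses an HTML message, and for every link whose visible text names a host (like "appleid.apple.com"), compares that host's registrable domain with the host the href actually points to. A mismatch is exactly what moving the cursor over the link reveals. The sample message is constructed here, with redir.example.net standing in for the redirect host seen in the real email; the two-label registrable-domain rule is a simplifying assumption (no public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the "someone tried to sign in" email.
# redir.example.net is a placeholder, not a real redirect or phishing host.
SAMPLE_EMAIL = """
<p>Someone attempted to sign in with your Apple ID.</p>
<p>Review the activity at
   <a href="http://redir.example.net/go?id=123">appleid.apple.com</a></p>
<p>More: <a href="https://www.apple.com/legal/">https://www.apple.com/legal/</a></p>
<p><a href="https://www.apple.com/legal/privacy/">Privacy Policy</a></p>
"""

# A host name appearing inside the visible link text, e.g. "appleid.apple.com"
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only collect text inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())   # squash whitespace
            self.anchors.append((self._href, visible))
            self._href = None


def registrable(host):
    """Last two labels of a host (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return links whose visible text names one site but whose href goes to
    another; these are the links the hover check would expose."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target_host = urlparse(href).hostname or ""
        named = HOST_IN_TEXT.search(text)
        if named and registrable(named.group(1)) != registrable(target_host):
            findings.append({
                "text": text,
                "href": href,
                "reason": f"text names {named.group(1)} but link goes to {target_host}",
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {finding['reason']}  ({finding['href']})")
```

On the sample message only the first link is reported: its text says appleid.apple.com while the href goes to redir.example.net. The link whose text and href both sit under apple.com passes, and "Privacy Policy" names no host so there is nothing to compare. Links with neutral text like "Click here" are not caught by this check, which is why the transcript's rule of going to the site directly still applies.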
Always stick to the basic rules by not clicking on the links, by using a Password Manager, by not answering the phone, and by always going to either the website or phone number that's the official one, not the one connected to whatever message that you received.
https://macmost.com/the-practical-guide-to-mac-security-part-6-social-engineering.html