Someone can access your online accounts, delete your most personal data, and otherwise ruin your digital life without having to write a single line of code. All it takes is a little bit of public information and a healthy dollop of charisma. These are called social engineering hacks, and they’re even scarier than you might think.
The most famous example of a social engineering hack is former Wired writer Mat Honan’s epic hacking. Teenagers made their way through his Amazon, Apple, Google, and Twitter accounts, deleting his data along the way, as an act of digital vandalism.
It all started with a few phone calls to Amazon. The hackers added a fake credit card number to Honan’s account, then called again to get a temporary password by using the number to “prove” that they owned the account. That gave them the data needed to bypass the protections on his Apple, Google, and Twitter accounts.
These hacks are easy enough to carry out that performing them has become a popular game at the Def Con hacker meet-up. Here’s how you can protect yourself from these devastatingly simple attacks:
6. Stop revealing facts about your life to strangers
It’s easier than ever to learn all sorts of information about someone without meeting them. Even apps like Tinder now encourage people to share information about where they went to school or what their interests are so they can find someone to sleep with. Sorry, I meant to hang out with in a totally platonic way.
That information can be used to impersonate you. Many people base their passwords on their hobbies, answer security questions about where they live, or reveal their closest friends to anyone who views their online profiles. Lock that shit down and make sure the only people who can view that info are your friends.
5. Don’t be afraid to be rude to suspected scammers
New York University warns that social engineering hacks often rely on our innate desire to be nice. That’s why it advises its employees to be a little rude:
If you suspect someone is trying to make you the victim of a social engineering attack, stop communication with the person. If you suspect a phone caller is a hacker, hang up. If you see signs that an online chat message appears to be from an impersonator, terminate the connection. Finally, if you receive an email from a sender you do not know and trust, delete it.
Cons only work on people who are willing to listen. Instead of allowing someone to prey on our built-in urge to be social — and to be polite by extension — just remember that being rude is better than being screwed.
4. Randomly generate answers to security questions
Companies are bad about security questions. Either they’re only letting people select questions from dropdown menus or they’re using the same bullshit we’ve all seen before. Where were you born, they ask, or what was your mother’s maiden name?
The problem with all of those questions is that they’re easy for anyone to figure out. Your mom might share her maiden name on Facebook to make it easier for the dude she had a thing for in high school to find her. (Sorry.) Or clever hackers might ask you to list the answers to your security questions, as seen above, to trick you into willingly posting sensitive information you should keep private.
Randomly generate the answers to these security questions. What was your mother’s maiden name? “dP(3*dUsb4.” Who’s your best friend? “law alga whelp.” Find a way to randomize answers and record the results somewhere you can keep ‘em safe. Ta-da! Instantly more secure.
3. Seriously, just stop reusing your passwords
You’ve just thought up the best password: “Pleas3robme!” Instead of trying to recreate the feat — what password could possibly be more memorable and more secure? — you decide to use it everywhere. Netflix? “Pleas3robme!” Facebook? “Pleas3robme!” Every text field that says “password” next to it? “Pleas3robme!”
Stop it. Using the same password on multiple sites is like putting all of your eggs into one basket, cutting a large hole in the basket, and swinging it over your head. Change up your passwords so hackers who steal your Netflix login can’t sign into your Facebook account, or any other account. Just. Stop. Reusing. Passwords.
2. Remember that all your data can be used against you
If something sounds too good to be true, it probably is. Nobody’s actually going to enter you in a raffle for the iPhone 9 if you give them access to your Facebook account. You won’t have the chance to win $1,000 if you enter your name and address. Those are popular social engineering tactics.
It doesn’t matter if these scams ask for seemingly harmless information. Anything that is used to verify your identity on various platforms — where you grew up, your pet’s name, your current address — can be used to gain access to your data.
1. Use prepaid cards for your online purchases
So you’ve done everything you can to make life difficult for social engineering hacks. You use unique passwords, randomly generate answers to security questions, don’t give out personal data to everyone with an internet connection, hang up on anyone who seems suspicious, and don’t fill out online surveys. Great! But is there a single credit card linking all of your online accounts to each other?
Prepaid cards offer a safer alternative. Unfortunately, they’re also the least convenient fix to make on this list. But if you want to ensure that a credit card number can’t be used to gain access to your accounts, it’s worth looking into “burner” cards that are used for a limited number of transactions. This will add another level of variability to keep you safe.