The majority of people are mindful of security terms such as malware and phishing, but do you know those are a part of a much larger scheme called social engineering? This is not a new type of deception. It’s actually been utilized for numerous years to sway a wide range of people into giving up critical data about themselves or the workplace. One of the best examples of social engineering goes way back to the Greek mythology days with the Trojan horse (I know you remember the story from grade school). They penetrated the city of Troy with a “peace offering” filled with soldiers, thus winning the war. ‘
Now with technology at the front of our daily lives, social engineering has entered a new era. Meaning physical human interaction is not necessarily required anymore. These cybercriminals can gain information through emails and public Wi-Fi networks, to just name a couple. And the main objective is to influence, manipulate or trick users into giving up privileged information or access within an organization. They are doing this right under your nose, and if you are not paying attention you will be a victim of this as well.
External Threats for Social Engineering
Now with technology at the head of most businesses, peripheral threats are becoming the standard for social engineers. Cybercriminals can hack into core business processes by manipulating people through technological means. There are a lot of methods for social engineers to trick people. That is why it’s best to ensure you are well versed in some of the ways they can hack your system which we will cover now.
First, baiting can be done whether in person or online. For example, physical baiting could be a hacker placing a thumb drive somewhere at a business, then an employee picks it up and plugs it into a computer. Could be just nosiness, or simply thinking a colleague left something behind. Nevertheless, as soon as the thumb drive gets plugged in, it will contaminate your computer with malware. On the other hand, the online version of this could be an enticing ad, something to pique interest. Things like “Congrats, you’ve won!” There’s also scareware, where users are misled to think their computer is infected with malware, saying things like “Your system has been infected, click here to start virus protection.” By clicking on it, you unintentionally downloaded malware to your computer. If you’re aware of what you are looking for, you can generally avoid these situations.
Phishing is one of the most popular social engineering attacks. Relatively widespread, this usually comes in the form of an email. Often, they will ask users to change their email addresses, or sign-in to check on a policy violation. Usually, the email will look legitimate and even take you to a site that looks almost identical to the one you may be used to. Following that, any info you enter in will be transferred to the hacker. You just fell for the oldest online hack in the book.
Like generic phishing, spear phishing is an even more targeted scam. It does consist of more time and effort for cybercriminals to pull off, but when they complete it, it’s hard to tell the distinction. They often customize their messages based on job positions, contacts and characteristics belonging to their victims to make their attack less conspicuous. This could be an email, acting as the IT guy with the same signature and even cc’s to co-workers. It looks super legitimate but as soon as you click the link, you’re permitting malware to flood your computer.
Internal Threats for Social Engineering
In the beginning, social engineering only took place in a physical setting. A hacker would perform an initial examination of a company structure. Then they will focus on certain activities so that they can gain the initial access into a building, server room or IT space. As soon as they have a “foot in the door”, finding pertinent data or planting malware becomes much easier.
Frequently, they will go into a building without an entry pass by simply acting like an employee that left it at home, this technique is known as tailgating. The only credential they need is confidence. This also includes a hacker pretending to be an IT person and tricking people into believing that to be true so they can gain access to high-security areas. This is far easier than it sounds too. Many times, people can find company shirts at your local thrift store, convey confidence and gain access without anyone second-guessing.
An additional interesting process that hackers use to scam their way into a business is by creating a hostile situation. According to PC World, people will avoid others that appear to be mad, upset or angry. So, a hacker can have a fake heated phone call and reduce the likelihood of being stopped or questioned. Human psychology can be a really tricky thing, agreed?
As you already know, the more you know about a person, the more likely you are going to gain the information you need about them. This involves everything from monitoring the workspace, scoping out parking lots, and even dumpster diving. Nobody is secure anymore and your life is not always as protected as you’d like to think. Something as innocent as a past bill can be used to gather more intelligence about an individual.
Like online phishing, pretexting is a widespread fraud method but for phone calls. Often, they will conceal themselves as an authority such as a tax official, bank or even police. They will probe you with inquiries that could lead to giving up info that could compromise your identity. This personal information can be used to find out a whole slew of things. Not only can they get away with your money instantly, but they can easily rob your identity with important information like social security numbers or banking information.
By being educated in all the different types of hacks, social engineering can be prevented. With the numerous ways to steal your important data, it is essential that individuals and businesses go through some sort of training regarding these issues. However, on a day to day basis, getting into certain habits can help. Firstly, make sure to pay attention to your surroundings. Remember that physical social engineering still occurs, and you don’t want to be the one that caused your business corrupted data.
Next, do not open emails or attachments from questionable sources. Moreover, if a legitimate-looking email seems slightly suspicious, go to the source, and find out for sure if they sent it. Also, multi-factor authentication can curb fraud immensely. One of the most valuable pieces of information attackers seek is user credentials. Using multifactor authentication helps ensure your account’s protection in the event of system compromise. Furthermore, if an offer seems too good to be true, it probably is. Don’t click the link, you didn’t win a cruise.
Then finally, keep your antivirus and/or antimalware software updated at all times. This is the best line of defense if for some reason your system has been compromised. For the most part, use your best judgment and common sense. Social engineers have gotten very good at their jobs. But that’s okay because you’ve gotten very good at yours too and can combat these sneaky hackers. If you need any assistance with hacker prevention, please contact us here.