Most people have heard terms like phishing and malware. But did you know those are only part of a larger scheme called social engineering? This cyberthreat is not a new kind of fraud. It has been used for many years to manipulate a wide range of people into giving up important data about themselves or their workplace. A prime example of social engineering goes back to Greek mythology with the Trojan horse. The Greeks infiltrated the city of Troy with a “peace offering” filled with soldiers, thus winning the war. With technology at the forefront of our lives, social engineering has entered a new era. Physical human interaction is not necessarily required anymore. Criminals now gain information through emails, pop-ups, and public Wi-Fi networks, to name a few. The main objective is to influence, manipulate or trick users into giving up privileged information or access within an organization. They are doing this right under your nose, and if you’re not paying attention, you might be a victim as well.
Social Engineering and External Threats
With technology at the forefront of most businesses, external threats are becoming the benchmark for social engineers. They can hack into core business processes by manipulating people through technological means. There are so many ways for social engineers to trick people. Let’s take a look at a few of the tricks hackers use to gain your information:
Social Engineering and Baiting
First of all, baiting can be done both in person and online. In physical baiting, a hacker leaves a thumb drive somewhere at a business, and an employee picks it up and plugs it into a computer. The employee may act out of curiosity or simply think a co-worker left something behind. However, as soon as the thumb drive gets plugged in, it will infect your computer with malware.
Fake social media baiting could be an enticing pop-up, like “Congrats, you’ve won a $50 Gift Card!” Or, you may receive scareware, which tricks users into thinking their system became infected with malware. You may see pop-ups like “Your computer is infected; click here to start virus protection.” By clicking on it, you unintentionally download malware to your computer. If you understand what you are looking for, you can usually avoid these situations.
Phishing is probably one of the most popular social engineering attacks. Generalized rather than targeted, this threat usually comes in the form of an email. Often, the message will ask the user to update their password or log in to check on a policy violation. Usually, the email will look official and even take you to a site that looks almost identical to the one you may be used to visiting. After that, any information you type in will get transmitted to the hacker. You just fell for the oldest online hack in the book.
Similar to generic phishing, spear phishing is a more targeted scam. This threat typically takes a little more time and research for hackers to pull off. But when they do, it’s hard to tell the difference. They often tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous. This trick could be in the form of an email acting as the IT guy with the same signature. It will look legitimate, but as soon as you click the link, you unknowingly allow malware to flood your computer.
In the early days of the internet, social engineering took place in a physical setting. A hacker would do preliminary research on a company structure or focus on behaviors to get that initial access into a building, server room, or IT space. Once they have a “foot in the door,” so to speak, obtaining pertinent data or planting malware becomes that much easier.
Often, hackers will enter a building without an access pass by simply acting as an employee. This technique is known as tailgating. The only credential they need is confidence. This approach can also include a hacker posing as an IT person and conning people so they can gain access to high-security areas. This bold move is far easier than it sounds. Hackers might find company shirts at the local thrift store, exude confidence, and gain access.
Another method hackers will use to con their way into a business is creating a hostile situation. According to PC World, people avoid others who appear to be mad, upset, or angry. For example, a hacker can fake a heated phone call and reduce the likelihood of being stopped or questioned. Human psychology is a tricky thing.
Of course, the more you know about someone, the more likely you are to gain the information you need from them. This approach involves everything from scoping out parking lots and observing the workspace to dumpster diving. Nothing is safe, and your life is not always as secure as you’d like to think. Something as innocent as a telephone bill could yield sensitive information about a person.
Similar to online phishing, pretexting is a popular fraud tactic for phone calls. Often, attackers will disguise themselves as an authority such as a bank, tax official, or even police. They will probe you with questions that could lead to giving up information that could compromise your identity. This personal information can lead to more discoveries about you. Not only can they get away with your money immediately, but they can easily steal your identity with social security numbers or banking information.
Social Engineering Prevention
We can limit the threat of social engineering by educating ourselves and our employees. With so many different ways to steal your important data, individuals and businesses must go through some sort of training regarding these issues. However, on a day-to-day basis, getting into certain habits can help. First of all, pay attention to your surroundings. Remember that social engineering still exists, and you don’t want to be the one who causes your business’s data to be corrupted. Next, do not open emails or attachments from suspicious sources. Moreover, if a legitimate-looking email seems slightly suspicious, contact the email’s sender and find out if it is really from them. Also, using multi-factor authentication can curb fraud immensely.
Furthermore, if an offer seems too good to be true, it probably is. Don’t click the link. You didn’t win a cruise. Finally, keep your antivirus and antimalware software updated at all times. This practice is the best line of defense if your system ever becomes compromised. For the most part, use your best judgment and common sense.
One of the most valuable pieces of information attackers seek is user credentials. Using multi-factor authentication helps ensure your account’s protection in the event of system compromise. Social engineers have gotten very good at their jobs, but that’s okay because we’ve gotten very good at ours and can combat these sneaky hackers.