Social Engineering – what is it, anyway?
Commonly known as ‘HUMAN HACKING’, Social Engineering is becoming the preferred method of attack for hackers. It’s defined as the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. In other words, hackers go after the human element to break into your system instead of the technical way. Essentially, they try to get the user, rather than the computer, to do or click on something. Read along to learn what they do and how best to protect yourself from social engineers.
These social engineers aren’t just hackers – they’re CON-ARTISTS! They study human behavior because they know that in many cases humans can be the weaker link. It has gotten a lot easier to take advantage of human nature/proclivities, social norms, etc. through deception and manipulation as opposed to going through highly technical aspects of hacking to get into a system.
Think of it like a burglar gaining entry by asking someone to hold the door, using the excuse that they forgot their key, key card or badge, or by tailgating: when a gate to a restricted area is raised for a vehicle to pass, they ease right in behind it and BOOM! They’re in. So, DON’T HOLD THE DOOR for anyone!
Common forms of Social Engineering
Phishing: How to protect yourself from this form of social engineering
The most common forms of Social Engineering take place through email, phone call, and in person. Most of you have heard of Phishing, but do you know what it is? Phishing is an email that looks like it’s from a legitimate entity, crafted for the purpose of tricking users into divulging personal information such as credit card numbers, usernames and passwords, or other sensitive information. They can be tricky because most of the time they look like they are from a company you know or trust, like your bank, social networking service, credit card company, etc. The email usually tells a story to trick you into clicking on something, and it may:
- say they’ve noticed some suspicious activity or log-in attempts
- claim there’s a problem with your account or your payment information
- say you must confirm some personal information
- include a fake invoice
- want you to click on a link to make a payment
- say you’re eligible to register for a government refund
- offer a coupon for free stuff
Here is one example of a real-life phishing attempt:
In all reality, this looks completely legitimate, and the social engineers know this. They have spent hours and hours researching and training and they can blast out these emails to thousands of people and if they get just 1% to fall for it, that’s hundreds of accounts they gained access to.
Spear Phishing: How to protect yourself from this form of social engineering
Another more dangerous kind of phishing is called Spear Phishing. This is like generic phishing, except the social engineers target specific individuals. They will research you to learn things about you that make it even harder to determine legitimacy. Their emails can be made so specific that they appear to come from a friend or family member… or even your BOSS!
Unfortunately, you are likely going to experience one or both types of phishing – they want you to make just one mistake which will lead you to hold the door open. Even here at The Tech Frood, we receive these phishing emails – almost daily! Social engineers launch thousands of phishing attacks like these every day — and they’re often successful. The FBI’s Internet Crime Complaint Center reported that people lost $57 million to phishing schemes in one year!
A quick way to protect yourself and still check out the legitimacy of the email is to go directly to the sender’s site using your own browser or app and log in that way – in other words, DO NOT CLICK on their links! Another way to quickly check is to ‘Hover & Discover’: hover over their link to see the exact URL it will take you to. The real destination shows up right away, and a link whose text doesn’t match where it actually goes is a red flag.
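The ‘Hover & Discover’ check can also be run as a script over the raw HTML of a message. The following is an added example, not code from The Tech Frood: it lists each link’s visible text beside its real destination and flags the mismatch that phishing emails rely on. The message body and every domain in it are constructed for illustration.

```python
# Added example: a "hover to discover" checker for an HTML email body. It lists
# each link's visible text beside its real destination and flags links whose
# text names one domain while the href points at another. The sample message
# and every domain in it are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def norm_host(host):
    """Lowercase hostname with a leading 'www.' removed, to avoid false alarms."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def check_links(html):
    """Return (text, href, verdict) per link; verdict is 'ok' or a MISMATCH note."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        real = norm_host(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(text)
        if shown and norm_host(shown.group(1)) != real:
            verdict = f"MISMATCH: text says {shown.group(1)}, link goes to {real}"
        else:
            verdict = "ok"
        results.append((text, href, verdict))
    return results

# Constructed phishing-style message: the visible text names the bank, the href does not.
SAMPLE = ('<p>We noticed suspicious activity on your account. Please verify at '
          '<a href="http://secure-login.example-attacker.test/verify">www.examplebank.test</a> '
          'or read our <a href="https://www.examplebank.test/help">help page</a>.</p>')
```

Running `check_links(SAMPLE)` flags the first link as a mismatch and passes the second, which is exactly what hovering over each link in a mail client would show.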
Vishing or In Person: How to protect yourself from this form of social engineering
Another form of Social Engineering comes through direct contact, either by voice/phone call (vishing) or in person. For either of these to be successful, the social engineers use their best forms of deception and manipulation to create a sense of urgency, inducing panic and/or anxiety so you’ll comply more easily.
When calling, they may say they are from your IT department and ask you for your username and password so they can give you an update, or for some other generic reason (the system is crashing or you’ve been locked out). Or they may ask you to log in and give them permission to look around from their end, at which point they can take control of your computer. Some might even trick you further by advising you NOT to give them your password, to gain your trust. Instead, they may ask “What’s your mother’s maiden name?” for verification purposes. Now they can reset your password by answering your verification question and gain access to your sensitive information.
It’s even easier for the engineers when they’re right in front of you! How many times do you see someone in uniform in your office? Did anyone check to see they were who they said they were? Our human nature doesn’t want us to make waves and typically, seeing someone in a uniform signals legitimacy and often, no one asks questions. But these days ANYONE can buy a badge or a uniform/shirt with a certain logo online and a sticker for the side of their vehicle. They can walk in and simply ask for access to your sensitive information. Don’t be afraid to ask someone to verify who they are. People that are legitimate won’t mind!
Protect yourself from social engineers!
Contact us at The Tech Frood for further assistance and remember:
- Be on the lookout (BOLO) for phishing emails – ‘hover to discover’ on links, look at URLs, and when in doubt go directly to the site itself and log in that way. Do not follow links!
- If anyone asks for sensitive information, do not give it out without verifying who they are!
- Don’t be afraid to challenge someone! Ask to see identification or check to see if they have been cleared to enter.
DON’T HOLD THE DOOR FOR ANYONE!