Most people are aware of terms like phishing and malware, but do you know that they are part of a larger scheme called social engineering? This is not a new kind of fraud; in fact, it has been used for many years to manipulate a wide range of people into giving up important data about themselves or their workplace. Physical human interaction is no longer necessarily required, and with technology at the forefront of our lives, social engineering has entered a new era. These criminals can gain information through pop-ups, emails and public Wi-Fi networks (just to name a few). The main objective is to manipulate or trick users into giving up privileged information or access within an organization. It’s important to pay attention so that you do not become a victim.
With technology at the forefront of most businesses, external threats are becoming more prevalent. Attackers can reach core business processes by manipulating people through technological means. Below are some of the ways social engineers can trick employees and compromise your systems.
First of all, baiting can be done both in person and online. Physical baiting would be a hacker leaving a thumb drive somewhere at a physical location (an office), after which an employee picks it up and plugs it into a company computer. As soon as the thumb drive is plugged in, it infects the computer with malware. The online version of this could be an enticing ad sent to an employee, saying things like “Congratulations, you’ve won!” There is also scareware, which makes employees think their system is already infected with malware. The message may say something like “Your computer is infected, click here to start virus protection.” By clicking on it, you unintentionally download malware onto your computer. If you and your employees understand what to look for, these situations can be avoided.
Phishing is one of the most popular social engineering attacks. They are usually sent through email. Often, they ask the user to change their email, or login to check on a policy violation. The email will look official and even take you to a site that looks almost identical to the one you may be used to. After that, any information you type and divulge will be sent to the hacker. You just fell for the oldest online hack in the book.
Spear phishing is a more targeted scam. It takes a little more time and research for hackers to pull off, but when they do, it’s hard to tell the difference from a genuine message. They tailor their messages to make the attack less conspicuous. This could be an email that appears to come from your IT person, using the same name and even cc’ing co-workers. It looks legitimate, but as soon as you click the link, you are allowing malware onto your computer.
Originally, social engineering took place in a physical setting. A hacker would do some preliminary research on a company structure or focus on behaviors in order to get that physical access into a building, server room or IT space. Once they have a “foot in the door”, obtaining confidential data or planting malware becomes that much easier.
The more you know about someone the more likely you are going to gain the information you need from them. This involves everything from scoping out parking lots, observing the workspace and even dumpster diving. Your life is not always as secure as you’d like to think. Something as innocent as a bill can be used to harvest more information about a person.
Often, they will enter a building without an access pass by simply acting like an employee who left it at home; this technique is known as tailgating. The only credential needed is confidence. It can also involve a hacker posing as an IT person in order to gain access to high-security areas. This is far easier than it sounds, too: company shirts can be found at the local thrift store, and confidence does the rest.
Pretexting is a popular fraud tactic for phone calls and is similar to phishing. The caller disguises themselves as an authority such as a bank, or even the police. They press you with questions that can lead you to give up information that compromises your identity and confidential data. Not only can they get away with your money right away, they can easily steal your identity using confidential and pertinent information such as banking details or social security numbers.
Social engineering can be prevented by increasing awareness and education. It’s imperative that individuals and businesses go through training on these issues and how to spot them. Simple daily habits also help. First of all, pay attention to your surroundings. Remember that physical social engineering still exists, and you don’t want to be the one whose mistake leaves your business with corrupted data. Next, do not open emails or attachments from suspicious sources.
If a legitimate looking email seems slightly suspicious, go to the source and find out for sure if they sent it. Or, call your IT company to have them review it.
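The phishing emails described above work because the link text and the real destination do not match, or because the destination is a lookalike of a site you trust. The script below is an added illustration of how an IT team might triage such links automatically; it is not code from the original post. It assumes a small allowlist of trusted domains (`TRUSTED_DOMAINS`, a constructed sample) and uses a deliberately simple "last two labels" rule for the registrable domain, which is fine for `.com`-style names but would need a public-suffix list for domains like `.co.uk`. The email body is a constructed sample.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample allowlist: the registrable domains the organisation really uses.
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}

# Matches something that looks like a domain name inside the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def registrable(host):
    """Crude registrable domain: the last two labels (assumption: no multi-label public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalikes such as examp1e vs example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text):
    """Return a list of findings for one link; an empty list means nothing suspicious was seen."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname
    if not host:
        return ["no-host"]
    if parsed.scheme == "http":
        findings.append("plain-http")
    reg = registrable(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            # Either a near-miss spelling, or the trusted name buried in a longer hostname
            # (e.g. example-bank.com.some-other-site.net).
            if edit_distance(reg, trusted) <= 2 or trusted in host.lower():
                findings.append("lookalike:" + trusted)
    shown = _DOMAIN_IN_TEXT.search(text.lower())
    if shown and registrable(shown.group(0)) != reg:
        # The visible text advertises one domain while the href goes somewhere else.
        findings.append("display-mismatch:%s->%s" % (registrable(shown.group(0)), reg))
    return findings


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_email(html):
    """Return [(href, findings), ...] for every link in the email body."""
    parser = _LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(href, check_link(href, text)) for href, text in parser.links]


# Constructed sample email body in the style of the "policy violation" lure.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, a policy violation was detected on your account.</p>
<p>Please <a href="http://example-bank.com.secure-login-verify.net/reset">log in at example-bank.com</a> to review it.</p>
<p>Or visit <a href="https://examp1e-bank.com/login">our site</a>.</p>
<p>Questions? See <a href="https://mail.example-corp.com/help">mail.example-corp.com/help</a>.</p>
"""

if __name__ == "__main__":
    for href, findings in triage_email(SAMPLE_EMAIL_HTML):
        print(href, "->", findings or "ok")
```

Running it on the sample flags the first link three times (plain HTTP, the trusted name hidden in a longer hostname, and link text that advertises a different domain than the one actually visited), flags the second as a one-character lookalike, and passes the third, which genuinely points at a trusted domain. Only the allowlist and the suffix rule need changing to adapt it to a real environment.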
Multi-factor authentication can also curb fraud and help protect your information. One of the most valuable pieces of information attackers seek is user login credentials. Using multi-factor authentication helps ensure your account’s protection in the event of a system compromise. If it seems too good to be true, it probably is. Don’t click the link; you didn’t win a free vacation.
Finally, keep your antivirus and antimalware software updated. This is the best line of defense if your system has been compromised. Use your best judgment and common sense. Social engineers are very good at their jobs. Let us help you get good at yours too and combat these sneaky hackers.