“Social Engineering is really no different than any old school scam from the past, other than modern technology is the setting (for the modern attack).” - Justin Huffaker, Vice President of Strategic Technology, Datamax Inc.
Most recall the Martin Scorsese film “Catch Me if You Can,” which follows New York teen Frank Abagnale (played by Leonardo DiCaprio) posing as a Pan American World Airways pilot, a Georgia doctor and a Louisiana parish prosecutor to successfully execute million-dollar cons.
Abagnale’s ploys, while sophisticated, relied heavily on the ingrained, trusting nature of humans to carry out his elaborate schemes, much like social engineering in 2018, some 60 years after Abagnale’s antics.
And while most businesses combat their cybersecurity threats with technology like firewalls, content filters and endpoint security, a lack of employee education leaves them wide open to social engineering attacks.
Social engineering is a modern-day attack vector that exploits the social conditioning and naivety of humans to infiltrate networks, gain access to systems and steal confidential information from organizations. As with pre-digital, old-school swindling, there is no need for sneaky technical tricks when end users will freely give up the necessary information.
“With a typical virus or ransomware, a user initiates the attack by either going to a website that is not safe, or they click on a link they shouldn’t be clicking on and that initiates the attack,” Justin Huffaker, Vice President of Strategic Technology for Datamax Inc., said. “With social engineered attacks, it might be a phone call with a spoofed number, and it might say, ‘this is Microsoft, and I’m calling to notify you that there is a bug outbreak in East Texas, I’ve been charged with the Tyler area. I need to log into the computer and apply a patch.’ And then you give your login information.”
Two other examples of a social engineering attack:
- The human equivalent of phishing. An attacker creates a false sense of trust with the end user by impersonating a co-worker or a figure of authority well known to that user in order to obtain login information or other confidential data. An example? An email from your “boss” to your HR person, requesting that he or she send the W2s of all employees, in PDF form, for review.
- Closing the “deal.” An email comes in from an attacker disguised as a legitimate client, requesting pricing for 500 hard drives and 200 memory sticks ASAP. Attached is a PO. The salesperson processes the order, ships the gear, and 30 days later the invoice goes out to an email address that no longer exists.
Best practices involve educating employees on how to identify and protect themselves against scams. Security providers offer educational programs that combine a training regimen with a testing component that sends simulated “fraudulent” emails to employees. When an employee clicks one of these emails, they get a response saying “Oops, I got you!”, allowing managers to track who continues to fall for the scams.
Here are 7 tips to avoid attacks like these.
1. Slow down.
Scammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical; never let their urgency short-circuit your careful review.
2. Confirm with colleagues.
Two-factor approval, much in the same vein as two-factor authentication, means employees across departments make a habit of calling a known, internal colleague to confirm that a request for information was in fact sent by that individual.
3. Research the facts.
Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.
4. Don’t let a link be in control of where you land.
Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.
5. Email hijacking is rampant.
Hackers, scammers and social engineers taking control of people’s email accounts (and other communication accounts) has become rampant. Once they control an email account, they prey on the trust of the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, check with that person before opening links or downloading files.
6. Beware of any download.
Unless you know the sender personally AND are expecting a file from them, downloading anything is a mistake.
7. Foreign offers are fake.
If you receive an email about a foreign lottery or sweepstakes, money from an unknown relative, or a request to transfer funds from a foreign country in exchange for a share of the money, it is guaranteed to be a scam.
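Tip 4 warns that the URL shown on hover can differ from what the link text promises, and that a good fake still steers people wrong. The script below is an added example (not from the article or Datamax) showing how a mail filter or awareness tool can flag that mismatch automatically: it pulls every link out of a constructed sample message and reports links whose visible text names one domain while the href points to another. The sample HTML, the domain names and the two-label approximation of a "registrable domain" are assumptions made for the demonstration.

```python
"""Flag deceptive links in an HTML email body (added example, not from the article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one honest link and two lookalike links.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready. <a href="https://billing.example.com/inv/42">View invoice</a></p>
<p>Or sign in at <a href="http://example-com.login-verify.net/">https://www.example.com/login</a></p>
<p>Update your details: <a href="https://example.com.security-check.org/">example.com</a></p>
"""

# Matches link text that a reader would read as a URL or bare domain.
_DOMAINISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#].*)?$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    # Assumption: last two labels approximate the registrable domain (no public-suffix list).
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_from_text(text: str):
    """Return the host a reader would infer from the link text, or None if it is not URL-like."""
    m = _DOMAINISH.match(text.strip())
    return m.group(1).lower() if m else None


def suspicious_links(html: str):
    """Return (href, text, reason) for links whose text and destination name different domains."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown_host = host_from_text(text)
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append((href, text, f"text names {shown_host} but href goes to {real_host}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: '{text}' -> {href} ({reason})")
```

Links whose text is plain words ("View invoice") are not flagged by this rule, which is exactly why the tip says to find the site yourself rather than trust any link.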
“Social Engineering is really no different than any old school scam from the past, other than modern technology is the setting (for the modern attack),” Huffaker said. “People are getting more and more creative with this. It really is like phishing or like prospecting… they simply cast it out there and wait to see what happens. They might get 10 ‘nos’ before they get a ‘yes.’”
Are your employees “conditioned” to recognize traditional, yet deceptive, tactics like these? Could you benefit from further education that goes beyond the hardware you’ve put in place? If so, let’s talk!