If you own a computer, cell phone, tablet, or any other connected device, odds are you have been the target of a social engineering attack. Simply put, social engineering occurs when an attacker strategically manipulates a person into giving up private information. These attackers are after things like social security numbers, credit card numbers, and bank account passwords so they can steal your money and, in some cases, your identity.
While the threat of social engineering has long preceded the invention of computers and the Internet, it is more prevalent today than ever before due to society’s growing dependence on technology.
Furthermore, social engineers are becoming more and more sophisticated with their attacks due to increased levels of network security at companies and many households. The best way to keep you and your employees safe from these attacks is to study up on the techniques social engineers are using.
What is phishing and how to spot a phishing attack
One of the most common social engineering techniques is phishing. The attacker sends an email posing as a trustworthy source, such as your bank, a shipping company you frequently use, or even someone in your contacts.
The attacker wants to gain your trust and then convince you to provide sensitive information or click a link that will infect your device. Since this type of attack is predicated on human error and deception, everyone is at risk, as we saw during the last presidential election.
This simple attack is highly effective because these emails look extremely credible at first glance. When people are in a rush, they do not take the time to verify the validity of the email, and carelessly hand over their most valuable information to cyber criminals. However, if you take the time to read a phishing email carefully, there are usually clues that give it away.
Some common red flags are:
- They create a sense of urgency: if you don't act NOW, you or someone you love will be in trouble
- The email starts with a generic greeting like, “Dear customer,” “Hi there,” or a similar greeting that does not include your name
- The emailing party asks you to click a link that they provide
- The sender's domain does not match who the email claims to be from, e.g. the email is allegedly from "FedEx" but the address ends in @outlook.com, @gmail.com, etc.
- The emailing party is asking for money
- There are obvious spelling and grammatical errors in the email. If you did not notice them, the sense of urgency has probably pushed you into a fight-or-flight reaction instead of careful reading, which is exactly what makes you easier to exploit.
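As an added example (this is not code from the original post), the following Python script mechanically checks a message for several of the red flags listed above: a display name that claims a brand whose real domain does not match the sender address, a free-mail sender domain, a generic greeting, urgency language, and a link whose visible text points to a different site than its actual href. The two sample messages, the brand-to-domain table, and the keyword lists are constructed for the demo and are assumptions, not data from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample phishing message for the demo (not a real email).
SAMPLE_PHISH = """\
From: "FedEx Delivery" <fedex.notice.2291@outlook.com>
To: victim@example.com
Subject: URGENT: Your package will be returned
Content-Type: text/html

<html><body>
<p>Dear customer,</p>
<p>Your package could not be delivered. You must confirm your address
within 24 hours or it will be returned and a fee will be charged.</p>
<p><a href="http://fedex-tracking.example.net/confirm?id=2291">https://www.fedex.com/tracking</a></p>
</body></html>
"""

# Constructed sample of a legitimate-looking message for comparison (not a real email).
SAMPLE_LEGIT = """\
From: "Wells Fargo" <alerts@wellsfargo.com>
To: victim@example.com
Subject: Your monthly statement is ready
Content-Type: text/plain

Hello Jane,
Your statement is available in online banking.
"""

# Assumed brand-to-domain table and keyword lists; a real deployment would maintain these.
BRAND_DOMAINS = {"fedex": {"fedex.com"}, "wells fargo": {"wellsfargo.com"}}
FREEMAIL = {"outlook.com", "gmail.com", "yahoo.com", "hotmail.com"}
GENERIC_GREETINGS = ("dear customer", "dear user", "hi there", "dear account holder")
URGENCY = ("urgent", "immediately", "within 24 hours", "right now", "account will be suspended")
HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Crude eTLD+1 (last two labels). Fine for the demo; use a public-suffix library in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_red_flags(raw):
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Display name claims a known brand but the address is not on that brand's domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and registrable(sender_domain) not in domains:
            flags.append(f"brand/domain mismatch: '{display}' sent from {sender_domain}")

    # A company does not normally send customer notices from a free-mail provider.
    if registrable(sender_domain) in FREEMAIL:
        flags.append(f"free-mail sender domain: {sender_domain}")

    # Body text with HTML tags stripped, used for the greeting and urgency checks.
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace") if payload else ""
    text = re.sub(r"<[^>]+>", " ", body).lower()
    subject = msg.get("Subject", "").lower()

    if any(g in text[:200] for g in GENERIC_GREETINGS):
        flags.append("generic greeting")

    hits = [u for u in URGENCY if u in text or u in subject]
    if hits:
        flags.append(f"urgency language: {hits}")

    # Link whose visible text is a URL on one site while the href goes somewhere else.
    for href, anchor in HREF_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        anchor_text = re.sub(r"<[^>]+>", "", anchor).strip()
        anchor_host = urlparse(anchor_text).hostname if "://" in anchor_text else None
        if anchor_host and registrable(anchor_host) != registrable(href_host):
            flags.append(f"link text {anchor_host} hides href {href_host}")

    return flags


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_red_flags(sample))
```

Keep in mind what this does not catch: the From header itself can be forged, so a message sent "from" the brand's real domain passes the first two checks unless the receiving mail server also verifies SPF, DKIM and DMARC. Treat a script like this as a teaching aid that makes the red flags concrete, not as a substitute for a mail gateway or for reading the message yourself.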
Phone Pretexting: Don’t fall victim to your fake bank
Cyber-criminals also frequently use a method called phone pretexting. Attackers will call you while pretending to be an organization or person that you trust, in an attempt to elicit private information from you.
They begin by asking innocuous questions such as your full name, date of birth, etc. in an attempt to build trust with you and gauge your level of suspicion to see how likely you are to cooperate.
Next, the attacker will ask you for personal information like credit card numbers, passwords, etc. This is the information they are truly after.
Finally, they will end the call with more innocuous questions to create what Kevin Mitnick, Chief Hacking Officer of KnowBe4 Inc. (and a former social engineer himself), calls "a trust sandwich." Humans tend to remember the beginning and end of a conversation, but rarely the middle. For this reason, social engineers strategically place the sensitive questions in the middle of the call to reduce the likelihood of your remembering them later.
Throughout the call, criminals will also elicit information by making guesses about your life. For example, they may say something like, "And your credit card is a Visa, correct?" If you are unaware of this tactic, you will likely confirm the guess if it is true, or correct them if it isn't. Either way, the attacker gains more information without your realizing it.
Do not fall victim to the “trust sandwich.” Be extremely particular about whom you give your personal information to over the phone, and never give out private information to an incoming unknown caller.
Consider this: you use Wells Fargo as your bank. One day you receive an unexpected call from someone allegedly working at Wells Fargo. They begin by asking for basic information like your name and date of birth, before asking you to "verify" your social security number. The red flag here is that your bank already has all of that information. So politely hang up, and if you are still unsure whether it really was your bank, call them back using the number printed on your card or statement, never a number the caller gave you.
Baiting: The most effective attack your company can get hit with
Perhaps the simplest attack of all is a technique known as baiting. This attack is extremely effective because it exploits natural human curiosity. Attackers will intentionally leave infected USB drives, CDs, etc. in common places like a company parking lot, an elevator, or the bathroom, and wait for someone's curiosity to kick in.
If you found a USB on the floor of the elevator, what is the first thing you would do with it? Most people would plug it into their computer to find out what’s on it and to whom it belongs. These people may be well intentioned but unfortunately, their goodwill and curiosity probably just infected their computer with malware, ransomware, or perhaps something even nastier that will cost them and/or their company immensely.
Thus, as a general rule of thumb, NEVER insert unknown devices or discs into your computer. "Just looking" at the files is not safe either: a malicious drive can present itself to the operating system as a keyboard and start typing commands the moment it is connected. Hand found media to your IT or security team instead. We all know that curiosity killed the cat; don't let it be the reason your identity gets stolen or your company loses 6 months' worth of profits.
Funny story: a few months ago we even saw this in our own office. Two MicroSD USB 2.0 sticks were hanging out in our Berkeley office kitchen. No one claimed them. No one plugged them in. We don't take the bait here at Endsight.
How to combat social engineering
Since the threat of social engineering is not going away anytime soon, how do we combat it? For starters, do not be naive and think it cannot or will not happen to you.
When I was in college, I received a call from someone claiming to be a federal officer stationed at the local police department. He claimed that I had missed my previous two tuition payments and if I didn’t transfer $8,500 right then and there, I was going to be arrested and face a multi-year prison sentence.
He was so convincing on the phone, he knew my name, my current address, how much I was paying each semester in tuition, and he even masked his number to appear as the Maricopa County Sheriff’s Department (I was attending Arizona State at the time which is located in Maricopa County).
He almost got me. Fortunately, there were a few warning signs on the call that made me suspicious, and I had been taught by my father to never give up my bank information over the phone unless I was the one calling.
That was a roller-coaster of a day for me personally, but it also made me realize two things:
- There are plenty of bad people in this world who will steal everything from you without any hesitation or regard for your well-being
- It is impossible to be too safe with your information