NetworkTigers discusses the dangers of a social engineering hack.
“Social engineering” is a term that is becoming increasingly common in descriptions of hacks, data breaches, and cyberattacks.
The average person thinks of a cyberattack as a highly sophisticated, technical campaign by someone expertly skilled in coding and computer programming. This is true in some cases, especially regarding government-led cyber campaigns. However, most cybercriminals are not genius supervillains but opportunists with just enough know-how to achieve their goals.
This is where social engineering comes into play.
Social engineering explained
Social engineering is when a criminal manipulates a victim into handing over login credentials or other information that can be used to stage a cyberattack or steal data.
This can be done via text message, email, chat, or even a phone call. A criminal may also ask to use your computer remotely under the pretense of providing tech support, only to install malware and commandeer your system instead.
A common thread among all forms of social engineering is that it usually involves one-on-one interaction with someone trying to fool you. In this way, social engineering is more about hacking people than computers.
Why is social engineering effective?
Most people wouldn’t regard themselves as gullible or easily fooled. However, the effectiveness of social engineering techniques suggests otherwise.
Much of this comes down to targeting. From overworked desk clerks eager to make a good impression when someone claiming to be a superior reaches out to them, to older members of the workforce who may not be up to speed on cybersecurity best practices, criminals know how to spot an easy mark.
Social engineering often takes the form of a phishing campaign. If a criminal can successfully access someone else’s email account, they can reach out to their personal or business contacts with questions regarding sensitive data.
Noteworthy examples of social engineering hacks
Google and Facebook
This scam involved hackers posing as businesses that had previously worked with Google and Facebook. The criminals emailed invoices for services that the legitimate business had provided. However, the invoice payment link instead sent money directly to the hackers. Over two years, criminals stole more than $100 million from the two companies using this technique.
The US Democratic Party
In the lead-up to the 2016 presidential election, a Russian phishing attack leveled against members of the US Democratic Party resulted in the leaking of personal emails. This campaign used nothing more sophisticated than a fraudulent email that warned recipients of unusual activity on their account and asked them to click a link to change their password.
In the largest crypto theft thus far, North Korea’s Lazarus hacker gang made off with $620 million after tricking Axie Infinity employees with fake job offers. The scam went so far as to put victims through multiple interviews before finally offering them a position with a generous compensation package described in a PDF. However, the file contained malware that gave criminals the access they needed to steal from the company.
How to spot social engineering
Because no single technique is applied to all social engineering campaigns, it can be challenging to know when you are being targeted. However, there are some basic things to look out for:
- Links. Watch out for messages that contain a link, as these can often land you on a malicious website or result in you downloading malware.
- Videos or photos of you. Social engineering scams on social media often include a link with language that implies it will take you to an image or video of you that may be embarrassing or shocking.
- Urgency. From emails that need immediate responses to emergency requests for login data, criminals know that urgency can cause people to set aside common sense in favor of a quick response.
- Sign-in requests. Some scams take the form of a message that appears to be from a legitimate source, such as PayPal. These emails may inform you that your account has been breached and that you need to enter your login credentials to change your password.
- Notifications of purchases you didn’t make. Sometimes campaigns involve emails that inform you of a purchase you never made or tell you that something you didn’t buy has shipped.
- Donation requests. Criminals may try to exploit your generosity by posing as a charity.
- Atypical communication. Most of us know how our contacts communicate. If you receive a message from a company or trustworthy person that contains unusual typos or is otherwise contrary to what you have come to expect, it is likely a scam.
- Too good to be true. Whether it’s a lucrative job offer or a contest you don’t recall entering, messages that seem too good to be true typically are.
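As an added example (not NetworkTigers' code), the sketch below checks an HTML message body for three of the signs listed above: urgency, a sign-in request, and a link. For links it goes one step beyond the list and flags those whose visible text names one domain while the target is another. The phrase lists, function names and sample messages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase lists (assumptions); tune them against your own mail.
URGENCY = re.compile(r"\b(urgent|immediately|right away|within 24 hours|act now)\b", re.I)
SIGN_IN = re.compile(r"\b(verify your account|confirm your password|log ?in to|sign ?in to|enter your (login|credentials|password))\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and the plain text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._label = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def registrable(host):
    """Crude last-two-labels comparison; a real tool would use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

def indicators(html_body):
    """Return the names of the warning signs found in one message body."""
    p = LinkCollector()
    p.feed(html_body)
    text = " ".join(" ".join(p.text).split())
    found = []
    if URGENCY.search(text):
        found.append("urgency")
    if SIGN_IN.search(text):
        found.append("sign-in request")
    for href, label in p.links:
        host = urlparse(href).hostname or ""
        shown = DOMAIN_IN_TEXT.search(label)
        if host and shown and registrable(shown.group(1)) != registrable(host):
            found.append(f"link text {shown.group(1)} points to {host}")
    return found

# Constructed sample messages (not real mail).
PHISH = '<p>Your account has been breached. Act now and enter your password to keep access.</p><a href="http://login.example.net/reset">accounts.example.com/security</a>'
BENIGN = '<p>Minutes from Tuesday are attached.</p><a href="https://intranet.example.com/minutes">intranet.example.com</a>'
```

Keyword matching of this kind only surfaces messages for a human to review; it does not replace the out-of-band confirmation described in the prevention steps.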
How to prevent social engineering
- Training. One of the most effective ways to keep hackers at bay is to stay informed about how they try to take advantage of people. Employees who receive and respond to high volumes of emails, phone calls, and other correspondence are on the front lines and need to be able to recognize a suspicious inquiry or message.
- Think before you respond. Criminals love applying pressure on their victims because stress can make people throw caution to the wind. If you receive an urgent request or message, slow down before responding. Reach out to the sender using a different avenue to confirm that the message is legitimate.
- Reject and report. Emails that purport to be from companies asking for your login credentials or passwords are scams. If you receive one, inform your superiors as well as the company that is being impersonated.
- Filter spam. Spam blockers can do a decent job of stopping suspicious emails before they appear in your inbox. Make sure that you’re using one.
- Secure your system. Preventing an attack from ever being mounted is best, but antivirus software should be installed across all devices on your network. If a bad link is clicked or a malicious attachment is downloaded, an updated and robust security system might be the safety net that prevents a breach.
- Update your hardware. Network equipment with outdated firmware should be replaced if the firmware cannot be updated to keep today’s threats from taking hold. You can update your equipment with refurbished gear from a reputable dealer.