While the term “social engineering” may not sound very threatening, this type of cyberattack wreaks havoc on any target it comes across. The main difference between this cyberthreat and others is that the weakness being exploited is people, not some unpatched software vulnerability.
So, what exactly is social engineering, and how can we avoid becoming a victim?
The phrase “social engineering” refers to a wide range of malevolent behaviors carried out through human relationships – think human hacking – and these exploits have a lengthy history that predates the internet and the computer. In 1925, a con artist in France used social engineering to try to sell the Eiffel Tower. Even the notorious Nigerian Prince trick has its origins in 18th-century deceptions, with the modern-day version using postal mail and fax as well.
Modern social engineering follows a similar tactic and employs psychological tricks to persuade users to make security mistakes or divulge critical information. As mentioned previously, social engineering is particularly harmful because it relies on human error rather than operating system or software flaws. Legitimate user errors are less predictable, making them more difficult to detect and prevent compared to malware-based intrusions.
The types of information these criminals seek can vary, but when you’re targeted, they’re usually trying to trick you into giving them your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that exposes all your saved passwords and hands them control over your machine.
Social engineering is used by criminals since it is usually easier to exploit your natural tendency to trust than it is to figure out how to hack your hardware or software. For example, convincing someone to give you their password is far easier than attempting to hack their password – unless, of course, the password is very weak.
Cybercriminals are taking advantage of how easy it is to find information on targets – and they’re using this accessibility to build false trust with their victims. If we really think about it, it’s not all that surprising – specifically because of social media. It’s a relatively easy task to find someone’s place of employment, employer websites, and other directories, as well as general personal information. Things such as previous places of work, involvement in organizations, co-workers, friends, and other interests can be used in an attempt to quickly gain your trust through manipulation.
All of the material gathered by the social engineer comprises important “plot” elements that aid in the construction of a deceptive story. The engineer employs his understanding of the target to devise deception scenarios that he can utilize against the victim.
It’s all about recognizing who and what to trust when it comes to security. It’s critical to understand when and when not to take someone’s word for it, and whether the person you’re speaking with is who they claim they are.
There are several tell-tale signs of an attempted social engineering attack, but there are also other things to look out for that are not so obvious. Because social engineers are after your trust, they have ways to manipulate you into thinking they are someone they are not. This includes emails that appear to come from a friend or another trusted source (boss, supervisor, department head, coworker, etc.).
Social engineers who project themselves as a friend will typically have a link in the message encouraging you to look at its content. Because the source appears to be coming from a friend, you’re more likely to trust the message and, therefore, the link – which actually contains malware allowing the attacker to breach your system. It could also ask for an update on a key, confidential project your organization is currently working on, payment information for a company credit card, or some other non-business-related question.
Phishing attacks are a type of social engineering that imitates a trusted source and creates a plausible scenario for handing over login credentials or other sensitive personal information. Financial organizations, according to Webroot data, account for the great majority of impersonated businesses.
These types of messages use convincing stories or pretexts, and can contain various combinations of “trigger” phrases to look out for:
Asking for immediate help: usually in relation to money
Asking you to give/donate to a charity fundraiser or other cause: usually contains instructions on how to get the money to the criminal. These phishers take advantage of people’s goodwill and ask for help or support for whatever crisis, political campaign, or charity is currently on their minds.
Presenting a dilemma in which you must “check” your information by clicking on the presented link and filling out the form: usually contains all of the appropriate logos and content, and the link destination may look entirely genuine (in fact, the criminals may have copied the exact format and content of the legitimate site). These types of phishing scams often contain a warning of what will happen if you don’t respond quickly.
IRS refund: these are phishing attacks claiming to be from the IRS that include a ransomware attachment. Knowing that many people in America are waiting to hear from the Internal Revenue Service about delayed refunds, the attachment is a ransomware-infected Word document that encrypts the files of the unlucky end user who opens it, as well as any connected network drives. Another example includes messages that contain a threat, such as being arrested, if dues are not paid to the IRS. They will often include an urgent message saying you must pay immediately and incorporate a link for the victim to complete the request – tricking them into exposing themselves to exploitation.
COVID-based: Unfortunately, the pandemic has created an opening for cybercriminals to prey on people’s fears and anxieties. There have been multiple social engineering attacks related to COVID-19 and the corresponding contact tracing, test results, and government funds. The FBI has previously emphasized the very real threat of social engineering attacks requesting personal information to get a stimulus check from the government. NOTE: government agencies will never send unsolicited emails requesting personal information in order to send you money.
Another example of a COVID-related social engineering attack includes emails alleging to be from the Centers for Disease Control and Prevention supposedly providing the latest information and updates on the virus – then using the links embedded in the email to gain access to your system.
Any email with the words “coronavirus,” “New Confirmed Cases in Your City,” or “COVID-19” in the title should be treated with caution and ignored or discarded. Most of these e-mails also include a call to action, urging the victim to visit a website where malicious cyber criminals can steal valuable information like usernames and passwords.
Notice to appear in court: these present themselves as coming from a law firm claiming that you have an upcoming court appearance and should click a link to receive a copy of the court notice. If you click on the link, malware will be downloaded and installed on your computer.
Notifications that you’ve been chosen as a ‘winner’: Perhaps the email alleges to be from a lottery, a deceased relative, or says you are the millionth person to visit their website, and so on. You may be asked to prove who you are, including your social security number, in order for them to give you your ‘winnings.’ You may also be asked to provide your bank routing information so they know how to send it to you. These are the ‘greed phishes,’ in which consumers want what is being offered and fall for it by handing out their personal information, only to have their bank account drained and their identity stolen.
Responses to questions you never asked: Criminals may imitate a company’s response to your ‘request for assistance,’ while also offering additional help. They choose businesses that are used by millions of people, such as a software company or a bank. If you don’t use the product or service, you’ll probably disregard the email, phone contact, or message; however, if you do, there’s a good chance you’ll answer because you’re presumably looking for assistance with a problem.
Baiting scenarios: These social engineering strategies understand that if you dangle something people want, a large number of individuals will bite. These schemes are common on Peer-to-Peer networks that offer a download of something trendy, such as a new movie or music. However, the schemes can also be found on social media sites, rogue websites discovered through search results, and so forth. People who fall for the trap risk being infected with malicious software that can produce a slew of new exploits against themselves and their connections, losing money without obtaining the thing they ordered, and finding their bank account empty if they paid with a check.
A good example of this is receiving a Facebook, or other social media, message from a friend saying something along the lines of, “No way! Is this you?! [LINK]” with a link embedded in the message in an attempt to bait you into clicking on this malicious scam.
To carry out schemes and lure victims into their traps, social engineers use human emotions such as curiosity and anxiety. As a result, be cautious if you receive an alarming email, are enticed by a website’s offer, or come across random digital media sitting around. Being vigilant can help you avoid the majority of social engineering tactics that take place online.
Slow Down: Social engineers tend to instill a sense of urgency in their targets so that they rush to action and ignore potential red flags that they are dealing with a scammer. Before doing anything, take your time and examine the matter with a clear mind. If the deal is real, the other party will be understanding while you conduct your due diligence.
Take Time to Verify Identities and Links: If you receive an odd or uncommon request from a boss, co-worker, or even a friend, take the time to validate that request via other means. For example, if you received the request via email, maybe call or text them to confirm. You should also do that if you receive a suspicious link from someone. It’s possible that a shortened link, such as a bit.ly link, is hiding a malicious URL. If you’re not able to validate with that person, you can use a link expander to test the link without clicking it. DuckDuckGo, a search engine, features a built-in link expander, so you can see what’s behind that short URL.
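The trigger-phrase list above and the advice to inspect a link before clicking it can both be turned into a simple, offline check. The following script is an added example and is not code from the original post or from Mirazon: it pulls every link out of an email body, flags URL shorteners, punycode (xn--) look-alike hosts, and links whose visible text names one domain while the href points at another, and lists which of the post’s trigger phrases appear in the message. The sample email, the shortener list, the phrase list, and the “last two labels” domain reduction are all constructed assumptions for illustration, not a production ruleset.

```python
"""Added example: static inspection of links and wording in a suspicious email.
Nothing here follows a link or touches the network; it only reads the message.
Sample message, shortener list and phrase list are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, non-exhaustive lists (assumptions for this example).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}
URGENCY_PHRASES = [
    "immediately", "act now", "verify your account", "account will be suspended",
    "you have been selected", "winner", "refund", "notice to appear",
]


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Crude 'last two labels' reduction (assumed simplification; a real tool
    would consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def decode_idna(host):
    """Render a punycode (xn--) host the way an address bar might show it."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def inspect_link(href, text):
    """Return human-readable findings for one link; an empty list means clean."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {parsed.scheme!r}")
    if registrable_domain(host) in SHORTENER_DOMAINS:
        findings.append("URL shortener hides the real destination")
    if "xn--" in host:
        findings.append(f"punycode host, would display as {decode_idna(host)!r}")
    # Visible text that looks like a domain but the href points somewhere else.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"text shows {shown.group(1)!r} but href goes to {host!r}")
    return findings


def urgency_cues(text):
    """Trigger phrases from the list above that occur in the message text."""
    lowered = text.lower()
    return [phrase for phrase in URGENCY_PHRASES if phrase in lowered]


def analyze_email(html):
    """Per-link findings plus the urgency phrases found in the stripped text."""
    links = {href: inspect_link(href, text) for href, text in extract_links(html)}
    return {"links": links, "urgency": urgency_cues(re.sub(r"<[^>]+>", " ", html))}


# Constructed sample message. The xn-- host is only there to trigger the
# punycode check; the other hosts are placeholders.
SAMPLE_EMAIL = """
<p>Your account will be suspended unless you <a href="https://bit.ly/3xyz">verify now</a>.</p>
<p>Or sign in at <a href="http://xn--80ak6aa92e.com/login">https://www.example-shop.com/login</a></p>
<p>Questions? <a href="https://support.example.com/help">support.example.com</a></p>
"""

if __name__ == "__main__":
    report = analyze_email(SAMPLE_EMAIL)
    for href, findings in report["links"].items():
        print(href, "->", findings or "no findings")
    print("urgency cues:", report["urgency"])
```

Run it as-is to see the report for the constructed sample, or pass your own saved message body to `analyze_email`. The check is deliberately conservative: it reports what it sees and leaves the decision to the reader, which is the point of the “slow down and verify” advice.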
Obtain Email Protection Software: Email protection software scans incoming mail for signs of viruses, malicious intent, and impersonation attempts, and filters those messages out before they reach your inbox.
Enable Multi-Factor Authentication: User credentials are one of the most useful pieces of information for attackers. Multifactor authentication helps protect your account in the event that the system is hacked by requiring users to give two or more verification factors in order to access their account.
Education: To avoid social engineering attacks, you must raise awareness of the problem. Ensure that people are aware of social engineering threats, so that they can take the required precautions to keep the company safe, by deploying security awareness training. If you need assistance with this, take advantage of Mirazon’s security awareness training program and contact us here.
The security awareness training experience for end users is painless, and tells managers and owners a lot. Through the use of various content customizable by department, users will receive simulated attacks that attempt to bait them – just as a real cyberattack does. The training provides feedback on which end users may need more training, and on what – making future training more personalized.
As mentioned earlier, government agencies will never send unsolicited emails requesting personal information for them to send money. It’s also important to note that Microsoft, Apple, and other technology providers will never ask you for passwords, usernames, or other confidential information via email.
Social engineering is unlike any other cyberthreat out there – which is what makes it difficult to combat. Use these tips to help protect yourself and your business from this human hack. If you’d like to dig deeper into the security posture of your business, there are multiple assessments we offer to help you get the full picture of your IT system’s vulnerabilities.
It’s time we accept the reality of this cyberthreat – and take proactive measures against it.