Social engineering sounds like it could be the organising of your weekend calendar! It’s a whole lot more sinister than that though, and this method of cyber-attack could wind up being extremely costly to your business. Today we’re going to give you an understanding of social engineering and its risks, how to spot it and how to protect yourself from it.
Social Engineering Defined
Social engineering is a form of attack that is essentially “human hacking”. It uses techniques to manipulate and exploit people, rather than trying to find network or software vulnerabilities like standard cyber-attacks do. In fact, social engineers who know what they’re doing don’t need much in the way of technical skills. They basically just ‘trick’ people into giving them what they’re after.
An example would be a fraudster phoning you up and pretending to be a representative from your bank or other financial organisation. If your guard is down and they manage to gain your trust, they’ll try to extort your account passwords out of you. So long, life savings!
The Process of Social Engineering
Social engineering isn’t limited to just a random phone call or email. There’s an attack cycle used to motivate you into dishing out the compromising information. It looks like this:
1.The attacker researches you or your organisation, gaining as much background information as possible.
2. They initiate an interaction, attempting to build a relationship and establish trust.
3. They advance the attack and exploit you for the information they’re after.
4. They disengage, leaving as little evidence as possible.
This process can take place in a variety of ways. It could be via email, it could be through social media, it could be face-to-face or it could be through a phone call like above.
The fraudsters will be confident and they’ll be persuasive. They prey on busy people, often those in the lower tiers of an organisation who often have a higher tendency to comply with authority. They will also usually build a sense of urgency into the interaction, by creating a problem that needs attention right away or an offer that will disappear if you don’t act. This clouds your judgement and on-the-spot decision making ability.
Social engineers will also manipulate you using your emotions. Heightened emotions can cause you to make irrational decisions, so they’ll do what they can to get you to feel over excited, or guilty, or sad or angry.
An example is the ‘Hi Mum’ scam that has cost Australians over $7.2-million so far. The scammer sends a Whatsapp or text message to a number, always beginning with “Hi Mum”. They claim to have lost their phone, and then once a conversation is started they request money for such and such an emergency. It’s simple, but it works because it plays on the emotions of a parent worried about their child.
The Types of Social Engineering Attacks
Social engineering can be successful in any place that has human interaction involved. A number of techniques can be used, with some of the more popular below:
Phishing: This is the most prevalent of social engineering attacks, whereby the fraudsters send through a malicious email or message that looks like it has come from a legit source like a bank. It attempts to trick you into revealing your login details, credit card numbers, or other personal information.
Vishing: or Voice Phishing, where you get a phone call from the hacker pretending to be someone they’re not. It could also be a series of automated messages that sound so official you don’t doubt their authenticity. Trust is built, and you input your details.
Smishing: This is phishing via SMS. You get a legitimate looking message to your mobile directing you to a fraudulent website or contact number. SMS spam is becoming a huge problem in Australia, with over 77% of Australians receiving a fraudulent message.
Whaling: This targets high profile figures, such as celebrities or senior members of an organisation like the CEO or CFO.
Baiting: As the name suggests, a trap is set that lures in an unsuspecting individual by arousing their curiosity about something. This can happen online, like through an ad that doesn’t give you the free iPad it promised but instead infects your computer with a nice batch of malware. It can also happen in the physical realm, whereby the fraudster loads a USB with malware then leaves it lying around in the hope someone plugs it into their computer.
Pretexting: This is where the attacker pretends to be someone they aren’t in order to build trust. Like the fraudster phoning you up pretending to be from the bank, or the “Hi Mum” scam. They will interact with you in a confident and proactive manner, convincing you they’re legit and then exploiting your trust.
How to Protect Yourself from Social Engineering Attacks
Adopting heightened self-awareness when interacting with anybody, whether online, on the phone or in person, is the key to preventing social engineering attacks. Remember, the attacker is trying to get you to make the decision to give him your information without thinking too hard about it.
Here are a few things you can keep in mind to foil their plans:
Can the person you’re interacting with prove their identity? If they’re asking for passwords or information, this should be your first response back. Don’t give them anything until you’ve confirmed they are who they say they are.
Are you feeling strong emotional reactions? If you’re feeling scared, excited, guilty or just very curious, you’re much easier to manipulate. If an interaction has you in a heightened state of emotions, be very wary.
Does the source email, phone number or website look legitimate? Strange looking URL’s, irregular email addresses and weird attachments should all raise red flags for you.
Are you getting too much for nothing? If an offer seems too good to be true, it probably is. If someone is offering you great value for little in return, they’re trying to manipulate you into a social engineering attack.
As well as the above, we’d recommend using multi-factor authentication (MFA) to add an extra layer of security to all your account logins. Make sure your passwords are strong too – none of this ‘admin-1234’ weak password business!
Lastly, while social engineering can happen to you through physical interactions, we’d recommend being very careful of online-only friendships. It’s much harder to judge character online, and therefore easier for you to be manipulated.
Brisbane Cybersecurity Experts
If you have any questions about social engineering, or cyber security in general, get in touch with Smile IT, the Brisbane cybersecurity experts. From network assessments to email security and creating failsafe backup plans, we can help protect your systems and data. That means less stress for you, and more time to focus on big ticket items… like growing your business!
When he’s not writing tech articles or turning IT startups into established and consistent managed service providers, Peter Drummond can be found kitesurfing on the Gold Coast or hanging out with his family!