Cyber-attacks have increased in sophistication – not only in the technology and resources available to hackers but also with the evolution of techniques like social engineering.
Just as a galvanized steel chain is only as strong as its weakest link, the security of your business is only as good as its most vulnerable elements. And for the majority of businesses, the most consistently vulnerable element in the security landscape is the human one.
Social engineering attacks are designed on this basis – and they’re meeting with considerable success. In this article, we’ll be looking at how to avoid becoming another statistic in a long line of victims of social engineering cyber-attacks.
What is Social Engineering?
Briefly stated, social engineering is the art of manipulating people into acting without thinking. It’s a technique that relies on triggering an emotional response in the victim, so that they readily divulge personal or confidential information, follow the attacker’s instructions on how to proceed next, and/or give them access to funds.
The Anatomy of Engineered Cyber-attacks
It’s human nature to react instinctively to threats, tempting offers, sympathetic appeals, and other powerful triggers of emotional response. Social engineering fraudsters and cyber-criminals know this and make it the foundation of their attack strategies.
And with the wealth of data available online, some of it deliberately public, some of it aggregated from leaked databases and scraped profiles, perpetrators can call upon chillingly accurate information on the past, current, and even planned activities and behavior of their victims. This enables them to craft bait and lures that have a high probability of snaring their intended targets.
Common Social Engineering Attacks and Methods
For decades now, online fraudsters have been using multiple variants on the technique of “phishing” for victims via email. “Account verification” letters from banks, credit card centers, or finance companies, offers of irresistible content and downloads (“Open the attached file, or click on the link below”), or opportunities to make a quick fortune by transferring an advance fee to the distressed heir to billions who sent the message (the “Nigerian Prince” or 419 scam) are common examples.
With the growth in mobile and wireless networking, the contact media available to fraudsters have multiplied. SMS text messaging (“smishing”), voice calls (“vishing”), advertising (“malvertising”), in-app or in-game chat, and social media channels have been added to the mix. And as victims have become (slightly) wiser to the classic ploys, more refined and sophisticated techniques have evolved, many exploiting extracted data and account profiles to make the lure more relevant and better targeted.
The specifics of these social engineering attacks are as varied as the imaginations of the criminals. But certain general types of attack are routinely observed, including the following:
1) Urgent Message from a Friend or Work Colleague
Information gleaned from personal websites and social media accounts, company websites, corporate networks, and company profiles can arm fraudsters with data on the identities and recent activities of friends and work-mates. This can be used to construct urgent-sounding or enticing messages prompting the recipient to take some immediate action (wire over some funds, provide an account password, etc.) in order to complete a vital transaction, or simply to get the person allegedly sending the message out of a jam.
Of course, once the funds are transferred, they’ll never be seen again. And any information provided to the sender may be used to infiltrate corporate networks, take over personal accounts, or to build personality profiles for identity theft and fraud.
2) Tax Rebate or Demand from the IRS
Threatening emails demanding immediate payment of funds owed to the regional tax authorities, or messages asking for personal identification (Social Security number, phone number, street address, etc.) to enable payment of the whopping tax refund the recipient is supposedly due to receive, are another common tactic.
Messages will often contain file attachments booby-trapped with malware, or links to bogus websites (constructed to look eerily similar to the official site of the IRS, or whatever authority is concerned) where spyware or other malicious software may be dropped onto the victim’s device. Variants of this technique may invoke the police, FBI, criminal courts, or other high-powered organizations.
3) You’ve Won a Prize!!
Money, goods, or digital content may be dangled as a lure to get message recipients to click on booby-trapped links, visit malicious websites, or simply give out their names, addresses, and personal account details to enable them to collect their winnings. Nine times out of ten, the victim won’t remember actually entering the competition or joining the mailing list – but the opportunity will be too good to pass up.
If the attacker has gathered information about the intended victim’s shopping habits, tastes, or general browsing patterns, this empowers them to create messages that seem to come from organizations that the recipient has had dealings with in the past, or would be likely to, in the future.
There are several measures you can take to minimize your vulnerability to social engineering attacks, which we’ll consider in a moment.
For corporate users, each of these recommendations should be included as part of a regularly updated program of security awareness training and a general culture of security consciousness within the enterprise.
Guarding Your Passwords
Good password hygiene will go a long way toward keeping attackers from cracking or reusing your credentials: use long passphrases rather than short “complex” strings (current NIST guidance in SP 800-63B favors length over composition rules and no longer recommends routine forced changes), keep them in a password manager, and never reuse a password, or an easily guessable variant of it, across accounts. Turn on multi-factor authentication wherever it is offered; phishing-resistant factors such as FIDO2/WebAuthn security keys are the strongest option, because the authenticator is bound to the genuine site’s origin and will not sign in to a look-alike page.
But if you just give your credentials out willingly at the first hint of a bogus communication from your friends, colleagues, or some high-profile organization, there’s little hope of protecting yourself against social engineering attacks. No legitimate bank, help desk, or government agency needs your password to do its job, so a request for it is itself the tell. The best form of password protection has to be your own unwillingness to part with it.
Discretion on Social Media
Total disclosure and a lack of discretion on social media can provide fraudsters with a treasure trove of information on your background, beliefs, activities, location, contacts, and interests. These can be used to create all manner of social engineering ploys, which will be all the more believable because they draw on information that you have unwittingly provided.
So if you want to reduce your vulnerability to social engineering attacks, choose your words carefully, limit how much about yourself you actually reveal, and do not allow your movements to be traced on social media and the web in general.
In practical terms, this means:
- Clearing cookies and browsing history on a regular basis (this limits tracking across sites, though it does nothing about information you have already posted publicly).
- Logging out of websites and services when you finish using them.
- Not revealing every little detail about your life, in your social media and other account profiles.
- Not sounding off about every little event of your day or every thought and opinion that you have on everything.
- Turning off check-ins, location tracking, and other such features when browsing and on social media.
Verifying the Source
Phone calls and messages making unusual requests or unreasonable demands on behalf of known individuals or organizations should be verified through a channel you choose, not one the message supplies: never call back a number or follow a link that arrived with the request itself.
Your first step in due diligence should be to check out the source of the original communication. Does the email address or phone number actually belong to the person or agency it claims to come from? In most email clients, hovering over or expanding the sender’s name in the “From:” field reveals the underlying address, and a display name that does not match it (or a Reply-To header that points somewhere else entirely) is a warning sign. Bear in mind, though, that both the display name and the From address are set by the sender, so a determined fraudster can spoof them outright. The more reliable evidence is in the full headers: the Authentication-Results line added by your own mail provider records whether the message passed SPF, DKIM, and DMARC checks, and a “fail” or “none” on a message that claims to come from a bank or government agency should settle the matter.
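As an added illustration (this is example code written for this article, not a tool from the original post), the following Python script applies those header checks mechanically: it compares the display name with the real sender address, looks for a diverted Reply-To, reads the SPF/DKIM/DMARC verdicts from Authentication-Results, compares the visible text of each link with where it actually points, and counts urgency phrases. The two messages inside it are constructed for the demonstration, and every domain in them (examplebank.com, examp1ebank-secure.com, mail.example.net, example.org) is made up. Only the standard library is used.

```python
"""Flag social-engineering indicators in a raw email message.

Example code added for this article; not from the original post.
Sample messages and all domains in them are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours",
                   "suspended", "verify your account")

# Constructed phish: display name and link text imitate a bank, the real
# sender and link target do not, and the receiving server's checks failed.
SAMPLE_PHISH = b"""\
From: "security@examplebank.com" <alerts@mail.example.net>
Reply-To: recovery@examp1ebank-secure.com
To: victim@example.org
Subject: URGENT: your account will be suspended within 24 hours
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail.example.net; dkim=none; dmarc=fail header.from=mail.example.net
Content-Type: text/html; charset="utf-8"

<p>Verify your account immediately:</p>
<a href="http://examp1ebank-secure.com/login">https://www.examplebank.com/login</a>
"""

# Constructed legitimate message for comparison: consistent sender,
# authentication passed, link text matches its target, no urgency.
SAMPLE_LEGIT = b"""\
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
Content-Type: text/html; charset="utf-8"

<p>Your statement is available in online banking.</p>
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def analyse(raw: bytes) -> dict:
    """Return the sender, a list of human-readable findings, and a score."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Display name that impersonates an address at a different domain.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != from_domain:
        findings.append(f"display name claims {claimed.group(1)} but sender is {from_domain}")

    # 2. Replies silently diverted to another domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from sender {from_domain}")

    # 3. SPF / DKIM / DMARC verdicts recorded by the receiving server.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        hit = re.search(rf"\b{mech}=(\w+)", auth)
        verdict = hit.group(1).lower() if hit else "missing"
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")

    # 4. Links whose visible URL text points at a different host.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        shown, actual = urlparse(label.strip()).hostname, urlparse(href).hostname
        if shown and actual and shown.lower() != actual.lower():
            findings.append(f"link shows {shown} but goes to {actual}")

    # 5. Pressure language in subject or body (tags stripped first).
    haystack = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return {"sender": addr, "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(analyse(sample))
```

Run on the constructed phish the script reports seven findings; on the legitimate message it reports none. The Authentication-Results check is the one to trust most: it reflects verification done by your own mail server rather than anything the sender wrote. Note that a message can pass all three checks and still be a scam sent from a newly registered look-alike domain, which is why the link-host comparison and the independent callback described above remain necessary.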
An independent search of the web, business directories, and other resources can reveal the list of true websites, email addresses, and phone numbers of registered individuals and business entities – as well as their physical locations. You can use these to verify whether a communication claiming to come from them was actually sent. After all, if they are who they claim to be, they should easily be able to reach you – and you should be able to reach them – using other forms of communication.
Voice calls can be a bit tricky as, without being able to see the caller’s face, it can be difficult to judge whether or not they’re sincere.
But if they’re threatening you with jail time or a hefty fine, you’ll have to fight the urge to hide under a table or flee the country and make independent inquiries (phone call, in-person visit, etc.) from the actual office or phone number of the organization or individual concerned.
Slowing it Down
The success of social engineering cyber-attacks depends to a large extent on forcing a rapid and unthinking reaction from the victim. Not giving in to this temptation and slowing down your response to the bait will play a major part in thwarting the attacker’s schemes.
By taking the time to think about the implications of the message you’ve just seen or heard (“How likely is it that…?”, “Would the IRS really say that?”, etc.), you’ll give yourself the opportunity to spot the likely scam. Taking some more time to run due diligence on the communication and to verify the source could put the final nail in that scam’s coffin.
Putting Security in Place
Remember also that social engineering attacks can easily originate on the ground. Attackers using phony credentials (service engineer, pizza delivery, etc.) have been known to infiltrate corporate premises to do physical reconnaissance, plant malware-laden flash drives, or simply to get a feel for how things are done and what kind of language is typically used in a target environment.
So access controls, authentication procedures, and physical security barriers provide one level of protection, as does a firm rule never to plug in removable media that was found lying around or handed over unsolicited. Similarly, installing and running up-to-date anti-malware and endpoint security software, spam filters, and email or messaging filters that enforce SPF, DKIM, and DMARC checks extend this protection to the digital plane.
Finally, a reliance on plain old common sense will provide a line of defense against social engineering attacks. “If it sounds too good to be true, it probably is” should become a watchword for you, together with “If it’s really as bad as all that, they’d send a red letter, then an official over to your house.”
Trusting your (suspicious) instincts, and having an idea of what’s actually standard practice for big scary organizations (Hint: They don’t usually contact you by email or SMS) will also help in reducing your vulnerability to social engineering cyber-attacks.