The art of manipulating people into giving up personal or sensitive information is known as Social Engineering. Social engineers are ruthless and innovative criminals who take advantage of human behavior to gain access to data and networks or to infiltrate businesses, because it is often ‘easier to exploit an individual’s penchant to trust than discovering new methods to hack’ your systems.
The weakest link in the security chain of any organization is its employees. The weakness stems from a lack of training and awareness of social engineering methods. Organizations need to become versed in the threats posed by social engineers, as employees from C-level executives to the mail room can and will be targeted, and some will fall victim, introducing risk into the organization.
The techniques used by social engineering criminals range broadly: from phishing emails that trick users into opening an attachment carrying a dangerous payload, to showing up as delivery people, tech support, or job applicants in order to physically access data centers, including ISOCs and SOCs. Worse yet are the social engineering criminal rings that resort to strong-arm tactics, ransom, and threats. Whatever method or strategy the social engineer uses, they all play on our emotions, exploiting curiosity, fear or greed.
There are thousands of variations of attacks used by social engineers. The only limit to the number of exploits is the criminal’s imagination. Often one victim experiences multiple forms of exploit wrapped up in a single attack. Nevertheless, when they have taken all they can from the individual, it is not over: more than likely the victim’s information is sold, and shortly new criminals are exercising innovative exploits against the same individual, their contacts, and their contacts’ contacts, resulting in an interminable cycle.
Start building your social engineering smarts.
People, it is 2017. Offers of ‘free money’, including winnings from foreign lotteries, a previously unknown wealthy relative who wants to leave you billions, or requests to transfer funds from a foreign entity for a share of the money, are all guaranteed to be a scam. Don’t fall for it.
If it is out of the ordinary to receive an email from a friend, co-worker, your boss or your boss’s boss that includes ‘links or attachments’, make a phone call before clicking on the potentially malicious attachments. The social engineer’s goal is to take control of an email account, then your social media, and then all your friends and friends’ friends. All they need to accomplish this is for the recipient to click on that attachment. Don’t do it. Call and verify.
A phisher will send e-mails, instant messages (IMs), or text messages that seem to come from a legitimate organization such as your bank, requiring you to ‘verify’ your personal information. Often the messages include an impending-doom warning of what will happen if you fail to act ‘now.’ Criminals play on your emotions; whether it is a familiar bank or a co-worker’s name, they use urgency and panic to get you to ‘respond first and think later.’ Stop and think before acting.
Ransomware is malware which kidnaps your critical data, encrypts it and holds it for payment in return for the decryption key. Ransomware spreads through phishing e-mail attachments, infected programs, and compromised websites. No organization is immune, from healthcare to critical infrastructure. Once the computer or network becomes infected, there is no option other than paying the ransom. There are no guarantees the criminals will not kidnap your data again, nor is there any guarantee that the data will be released. Don’t click on links or attachments in unsolicited emails. Look up sites you are unsure of on Malware Domain List before visiting them.
Vishing is a phone scam usually carried out through robocalling. These criminals are intent on stealing account numbers and passwords. The criminals are prepared with a convincing phone number which appears as if it is coming from your bank; the victim is then persuaded that their account(s) have been endangered and that they have to act quickly – panic often leads people into acting without thinking. The balances are transferred, and the criminals move on. Remember, banks and financial institutions will never contact you to ‘verify’ your personal information.
Social engineers recognize that if you dangle something people want, like free music, free movies or the hottest game in town for free, someone will eventually take the bait. Once the bait is taken, the individual’s computer is infected with malicious software that often leads to countless further exploits. Often the victim loses their money without receiving their purchased item(s), and, if they used a checking account, they may find that their bank account(s) have been emptied. Free is good, but it’s never actually free.
Social engineers want you to act first and think later. Never let their actions influence your careful review of the situation.
- Be suspicious of all unsolicited messages.
- Never open a link or attachment without verifying first.
- Delete all requests for passwords or personal information.
- Block all automated calls.
- Register on the Do Not Call List (1-888-382-1222).
- Never answer a call from a blocked number.
Cybersecurity is a shared responsibility. Stop. Think. Connect.