Cybercriminals know that just like operating systems, human beings also store, process, and share information. But where computers are predictable, people are not, and this is exactly the point. Fooling technology is hard. Fooling people can be easy. Our innate tendency to trust people, to trust what we know and think we know, makes us vulnerable in ways that operating systems will never be. Social engineering is the clever manipulation of this very trust.
While some social engineering scams are well documented, others are harder to measure. Unlike malware-based attacks such as ransomware, trojans, and worms, social engineering often leaves no electronic trace. In fact, if the attack is done well you may not even realize you have been socially engineered, which is a scary thought. Even scarier: social engineering is frequently the way in for other forms of hacking, whether that is a stolen password or a malicious attachment that is opened willingly.
Often an attack begins with a simple email, chat, web ad, or website carrying familiar logos and branding. A person who often shops for clothing online, for example, may see fake clothing ads designed to impersonate a real website they have previously visited or a store they have bought from. The more an attacker knows about you, the more credible and enticing the email, ad, or direct message they can craft: a malicious link to a coupon for your favorite restaurant, an email that appears to be from your college alma mater asking for money, an apparent request from your office's IT team asking for your password.
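The impersonation described above usually shows up in the link itself: a domain that looks like the brand but is not. The following is an added example, not code from the original post or from Celerium, of a small screening routine that flags the common tricks (confusable characters, the brand placed in a subdomain of an attacker-controlled domain, the brand embedded in a longer name, one- or two-character typosquats, punycode labels, and the `user@host` trick that sends the browser somewhere other than the name you see). The trusted-domain list, the confusable table, and the sample URLs are constructed for illustration; the "registered domain is the last two labels" rule is a deliberate simplification that does not understand suffixes such as `co.uk`.

```python
"""Lookalike-URL screening (added example; trusted list and samples are constructed)."""
import re
from urllib.parse import urlsplit

# Constructed list of domains the reader actually does business with.
TRUSTED_DOMAINS = {"amazon.com", "paypal.com", "microsoft.com", "chase.com"}

# Character swaps typosquatters use to imitate a brand (constructed; not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t")]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so
    'amazon.co.uk' is reported as 'co.uk' (and flagged, see caveat in the text)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Fold confusable substitutions so 'paypa1' and 'arnazon' compare as the brand."""
    out = label.lower()
    for fake, real in CONFUSABLES:
        out = out.replace(fake, real)
    return re.sub(r"[^a-z0-9]", "", out)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a transposition counts as two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> dict:
    """Return {'host', 'verdict', 'reasons'}; verdict is trusted / suspicious / unknown."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    reasons = []

    # https://paypal.com@evil.net/ : the browser connects to evil.net.
    if parts.username is not None:
        reasons.append(f"userinfo trick: the browser connects to {host!r}, not {parts.username!r}")
    # xn-- labels are IDN (punycode); a classic vehicle for homoglyph domains.
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label (possible homoglyph domain)")

    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return {"host": host, "verdict": "suspicious" if reasons else "trusted", "reasons": reasons}

    sld = normalize(labels[-2]) if len(labels) >= 2 else normalize(host)
    for brand in sorted(d.split(".")[0] for d in TRUSTED_DOMAINS):
        if any(normalize(label) == brand for label in labels[:-2]):
            # paypal.com.secure-login.net : the real owner is secure-login.net
            reasons.append(f"'{brand}' used as a subdomain of {reg!r}")
        elif sld == brand:
            reasons.append(f"'{labels[-2]}' imitates '{brand}' with confusable characters")
        elif brand in sld:
            reasons.append(f"'{brand}' embedded in the domain name {reg!r}")
        elif levenshtein(sld, brand) <= 2:
            reasons.append(f"{reg!r} is a typosquat of '{brand}' (edit distance {levenshtein(sld, brand)})")
    return {"host": host, "verdict": "suspicious" if reasons else "unknown", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links of the kind a lure email or fake ad would carry.
    for sample in ["https://www.paypal.com/signin", "http://paypa1.com/login",
                   "https://paypal.com.secure-login.net/update", "https://paypal.com@evil.net/",
                   "https://arnazon-deals.com/coupon", "http://microsfot.com/reset",
                   "https://xn--pypal-4ve.com/", "https://example.org/"]:
        result = check_url(sample)
        print(f"{result['verdict']:10} {sample}  {'; '.join(result['reasons'])}")
```

The edit-distance threshold and the substring check trade recall for false positives (a short brand such as "chase" will match inside "purchase"), so in practice the output is a triage signal to show the user or feed a mail filter, not a block decision on its own; a public-suffix list should replace `registered_domain` before the check is used on real traffic.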
Be on the lookout for baiting, which offers something enticing or urgent, such as a movie download or a mandatory work-related survey, in exchange for private data; once you take the bait, malware is delivered straight to your computer. Quid pro quo exchanges your data for a (fake) service. Pretexting is when a cybercriminal poses as a coworker, colleague, or company authority to trick you into handing over private data, for example an impostor contractor who offers IT assistance and then needs your login credentials to "fix" the problem. The purpose of such attacks is usually monetary gain, identity theft, or the theft of personal or company information.
Once your machine or account is compromised, the attacker can pose as you, which can cause major confusion and damage within your company. Imagine emails sent from your account to coworkers or employees, even a customer or a board member, containing false instructions or malicious links. Why would they have any reason to suspect that it wasn't you asking for an expense report, a project plan, or a list of employee contact information? The more legitimate the attacker appears, the harder the crime is to trace. This is the vicious circle of misplaced trust in social engineering: the more authentic a link, website, email, or attachment appears, the more likely you are to provide information, the more likely that information is to be used against you, and thus the more likely you are to fall for the next, even more authentic-seeming scam. The process then repeats, with the attacker holding more of your information than before.
Fun fact: Kim Kardashian is the most dangerous celebrity to google, with increasingly sophisticated fake links, photos, fan websites, surveys, and other forums used to obtain, at the very least, your email address, and often other identification credentials, which can then be used to target you in the future.
As our online identities expand and become more intertwined with our real lives, cybercriminals continue to innovate and develop new methods to take advantage of human trust to manipulate users. Imagine being a cybercriminal: why try to gain access to a computer system when you can go after the user instead?
Cybersecurity is a shared responsibility. People are the key to defending themselves and their organizations. That means people can be your greatest strength, or greatest weakness, in cybersecurity. Make your employees your greatest strength.
For more tips on avoiding becoming a victim of social engineering, as well as guidance on what to do after a known attack, check out the website of the U.S. Computer Emergency Readiness Team (US-CERT). As you look ahead to keep your company safe, you must ensure that your technology supports your initiatives.
Celerium enhances human collaboration and machine automation to help security, incident response, and crisis management teams to collaborate and interoperate more efficiently. For more information on how our solutions can help your organization, contact us today.