I’m sure by now you have heard the term ‘social engineering’ bounced back and forth but what does it actually mean?
Social engineering refers to the psychological manipulation of people in order to persuade them to perform an action or to gain information from them. In other words, people using their charm to get the information they want from you. The techniques to do this are reliant on exploiting the recipient’s trust or curiosity whether this is through sending an email from what looks to be a trustworthy source or creating a scenario in which the recipient’s help is required.
So why is social engineering used?
Social engineering techniques (which I will discuss in further detail shortly) are used as a method to gain entry into your network without having to go through the trials and tribulations of performing an actual hack. It is usually much easier to exploit people’s natural inclination to trust than it is for a criminal to force his/her way into a network. For example, it is easier to fool someone into giving you their password than it is to try to crack that password.
Did you ever get a ‘game’ that would claim to come up with your drag queen name (or something less wholesome) using the name of your first pet and your mother’s maiden name or first road you lived on? Well that was probably a form of social engineering.
This is why, more often than not, human error by employees or computer users being overly trustworthy rather than overly cautious puts businesses in jeopardy. Security professionals have created an interesting but effective analogy to paint this picture:
“It doesn’t matter how many locks and deadbolts are on your doors and windows, or if you have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and you let him in without first checking to see if he is legitimate, you are completely exposed to whatever risk he represents.”
By now you’re probably asking how it is that the ‘pizza delivery guy’ is able to get to the front gates. Well, cybercriminals use a variety of techniques to do this:
- Exploiting trust. This is commonly done by spoofing the email address of someone you know, or, if entry has been gained into a friend’s computer, the hacker will then have access to his/her contacts list and email account. Emails can then be sent from this account and, as they seem to be from a legitimate source, the recipient will most likely open them.
- Exploiting curiosity. By now, the majority of us know not to follow links or open attachments from an unknown sender. However, if a friend’s email account has been compromised by a hacker, then urging the friend’s contacts to click a link or download something becomes a whole lot easier.
- Creating scenarios. This technique also plays on a sense of urgency. A scenario is created, for example, your ‘friend’ is stuck in country X, has been robbed, beaten, and is in hospital. They need you to send money so they can get home and they tell you how to send the money to the criminal.
- Claiming you’re a winner. You may have ‘won’ money from a lottery or a deceased relative, or be the ‘millionth customer’ to visit a site. ‘Winners’ often want what they are offered in these so-called ‘greed phishes’ and so agree to hand over their bank details. Unfortunately, they quickly find themselves winning no more once their bank accounts are emptied and their identities stolen.
- Responding to a question that you never asked. You may receive an email in response to a ‘request for help’ from a reputable company, though of course you never asked for help in the first place.
What can you do?
Whilst I am sure that your company has the cybersecurity measures it needs to remain secure, you and your employees need to make sure you remain vigilant to social engineering tactics. If any message you receive conveys a sense of urgency, make sure you don’t get enticed by the criminal’s high-pressure sales techniques; think before you open it. Likewise, don’t get pulled into stories requesting or offering help. Legitimate companies would never contact you for either. Finally, hovering over a link reveals its real destination, but as scammers become more sophisticated, so do their methods of disguising it. Thus, any email you receive that seems a bit fishy probably is – trust your instincts.
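To make the checks above concrete, here is an added example (not part of the original post) that applies them to a raw email message: does the display name claim a different domain from the real sender address, does Reply-To route answers elsewhere, does a link’s visible text show one site while its href points at another (what hovering over the link would reveal), and does the subject or body lean on pressure phrases. The two messages, the list of pressure phrases and the “last two labels” notion of a domain are assumptions constructed for this illustration, not anything from the post or a real incident.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of high-pressure phrases; a real filter would be tuned to the organisation.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "act now", "will be suspended")

# Anchor text that itself looks like a web address, e.g. "https://www.bank.example/login".
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    # Assumption: the last two labels identify the owner. No public-suffix list is used,
    # so "bank.co.uk" would reduce to "co.uk"; adequate for this illustration only.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_of_url(text):
    # Accepts a full URL or bare text such as "www.bank.example/login".
    candidate = text if "://" in text else "http://" + text
    return registered_domain(urlparse(candidate).hostname or "")


def domain_of_address(address):
    return registered_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""


def message_text(msg):
    # Concatenate every text/plain and text/html part, decoded to str.
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_email):
    """Return a list of (kind, detail) findings; an empty list means no red flags fired."""
    msg = message_from_string(raw_email)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of_address(address)

    # 1. The display name carries an address from a different domain than the real sender.
    shown = domain_of_address(display_name)
    if shown and shown != from_domain:
        findings.append(("sender", f"display name claims {shown}, real sender is {from_domain}"))

    # 2. Replies are routed to a domain other than the sender's.
    reply_domain = domain_of_address(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to", f"replies go to {reply_domain}, not {from_domain}"))

    # 3. Link text shows one destination while the href points somewhere else.
    body = message_text(msg)
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if LOOKS_LIKE_URL.match(text) and domain_of_url(text) != domain_of_url(href):
            findings.append(("link", f"text shows {domain_of_url(text)}, href goes to {domain_of_url(href)}"))

    # 4. Pressure language in the subject or body.
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [term for term in URGENCY_TERMS if term in haystack]
    if hits:
        findings.append(("urgency", "pressure phrases: " + ", ".join(hits)))
    return findings


# Constructed sample messages; the domains are placeholders, not real sites.
SAMPLE_EMAIL = """\
From: "security@example-bank.com" <alerts@mail-example.test>
Reply-To: recover@reply-collector.test
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Your account will be suspended within 24 hours unless you act now.</p>
<p>Sign in at <a href="http://login.mail-example.test/verify">https://www.example-bank.com/login</a>
to confirm your details, or read our <a href="https://www.example-bank.com/help">help page</a>.</p>
</body></html>
"""

CLEAN_EMAIL = """\
From: "Colleague Name" <colleague@example-corp.test>
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free for lunch on Friday? Details are on the intranet page.
"""

if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_EMAIL):
        print(f"[{kind}] {detail}")
```

Run as a script, it prints the four findings for the lure and nothing for the ordinary message. None of these checks is proof of fraud on its own (a newsletter may legitimately set a different Reply-To), which is why the script reports reasons rather than a verdict; the point is to surface the same cues a careful reader would look for.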
Has it clicked yet? Curiosity leads to careless clicking. Ensure that your company has a cybersecurity strategy in place (if not, we are here to help) and at the same time make sure that you scrutinise each and every ‘pizza delivery guy’ before they walk through the gates of your business.