In today’s technologically driven society, more and more criminals have turned to cyber crime as a means to steal information and intrude on other people’s privacy. These cyber criminals are often thought of as being computer masterminds who know all kinds of backdoors and secret channels to steal information and to get into secure systems. While this may be true for some, others have turned to social engineering techniques to accomplish the same goal.
Social engineers have become modern-day con artists who exploit human interaction and people's reliance on technology to gather sensitive information. They take advantage of natural curiosity and trust by targeting vanity, greed, and deference to authority; without even realizing it, targets willingly hand over valuable information. Most social engineers have learned that it is far easier to manipulate someone into giving out confidential information than it is to retrieve the same information through conventional technical intrusion.
Social engineers use several different avenues to gather information. The most popular is the phishing attack. Phishing is when someone fabricates a fictitious email that tricks a person into giving out personal information in one form or another. Examples include a message claiming that the target has won something, that a relative needs help, or one that appears to come from an internal source such as the IT department. The sky's the limit to what they can send to make a target want to click!
Scareware is another tactic social engineers use in phishing. The attack displays notifications designed to make the target think their computer is infected with malware. The goal is to scare the target into clicking on links and/or entering confidential information. The links included in these messages are the real focus: they typically lead the target to malicious sites that either harm the target's computer or gather information about it. Keystrokes are often recorded as well, capturing any credentials or sensitive information entered into the site. All of this is an effort to "hook" the target and trick them into doing the work for the engineer.
Social engineers also use a tactic called vishing to obtain information. Instead of working online, they target individuals over the phone. A social engineer calls a target and impersonates someone in order to gather information, using the same kinds of tricks and lures as regular phishing and exploiting human trust and interaction to get what they want.
Many of these modern-day con artists also use social engineering to defeat an organization's physical security. One common method is tailgating: following an employee into a secure location and relying on the unsuspecting person to open secure doors or locks. For example, a social engineer may dress up as a delivery person or an employee of the company, approach the door, and act as if they need assistance in some way, such as carrying something heavy, having misplaced their badge, or being in a hurry. Tailgating exploits people's natural instinct to help others.
Baiting is another popular tactic. The social engineer deliberately leaves a piece of hardware, such as a USB drive, somewhere at the target's location, usually at a help desk, a reception area, or another spot that is easy to reach without identification. Once it is in place, the social engineer simply waits for an employee to find the device and become curious about what is on it. When the employee plugs the device in, the social engineer's malicious program runs on the target's system.
Social engineers have found all kinds of ways to improve their chances of obtaining information from their victims. There is no true shield against them: no program to download and no hardware to install that will protect against them. The best defense is proper training and awareness. Slow down when online, and think about what you are clicking. Look out for the common signs of social engineering. Hover over links with your mouse before clicking to see where they will actually take you; if the link looks suspicious or is unusually long, it is probably a good idea not to use it. Misspelled words and improper grammar are also signs that a site or email is not legitimate and should not be trusted. If in doubt, do the research and check whether the company names or stories are genuine. Avoid clicking shortcut links; instead, open a fresh browser and navigate to the site yourself. Never trust foreign offers, lotteries, sweepstakes, or money from unknown relatives; these are likely to be scams designed to gather your information and use it against you. Set the spam filter to "high," install antivirus software, firewalls, and email filters, and keep them updated. Ask about unfamiliar people at your workplace, and question them if they are seeking access to restricted areas; ask them to show identification if a company ID is issued. Never trust unknown devices, and if you find one, turn it in to the proper channels.
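The "hover over the link before you click" check above can also be run automatically over an email body. The following is an added example, not part of the original article: it parses the anchors in a constructed HTML message and flags any link whose visible text names one domain while the href points to another, as well as links that are unusually long. The length threshold and the two-label domain comparison are assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_URL_LEN = 100  # assumed threshold for an "unusually long" link
# Visible link text that itself looks like a web address (the case hovering exposes).
DOMAIN_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#].*)?$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _site(host):
    """Rough registrable domain: last two labels (an assumption, no public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def check_links(html):
    """Return (href, reason) for each link whose real target differs from the
    domain shown to the reader, or whose URL is unusually long."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = urlparse(href).hostname or ""
        match = DOMAIN_RE.match(text)
        if match and real and _site(match.group(1)) != _site(real):
            findings.append((href, f"shows {match.group(1)} but goes to {real}"))
        elif len(href) > MAX_URL_LEN:
            findings.append((href, "unusually long link"))
    return findings


# Constructed sample message body (not a real email).
SAMPLE = """<p>Your account is locked. Verify now at
<a href="http://login.example-bank.co.example/verify?id=1">www.example-bank.com</a>
or read <a href="https://support.example-bank.com/help">our help page</a>.</p>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE):
        print("SUSPICIOUS:", href, "-", reason)
```

Only the first link in the sample is reported, because its visible text names example-bank.com while the href leads elsewhere; the second link's text is plain words, so there is nothing to compare.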
And when in doubt, always check with a supervisor. Social engineers are a dangerous threat to any organization, and the best tool against them is a properly trained staff.