with Ken May
What is social engineering?
A common misconception most people have about cyber attackers is that they use only highly advanced tools and techniques to hack into people’s computers or accounts. This is simply not true. Cyber attackers have learned that often the easiest way to steal your information, hack your accounts, or infect your systems is by simply tricking you into making a mistake.
Social engineering is a psychological attack where an attacker tricks you into doing something you should not do. The concept of social engineering is not new; it has existed for thousands of years. Think of scammers or con artists: it is the very same idea. The simplest way to understand how these attacks work and protect yourself from them is to take a look at two real-world examples.
In the first, you receive a phone call from someone claiming to be from a computer support company, your ISP, or Microsoft Tech Support. The caller explains that your computer is actively scanning the Internet. They believe it is infected and have been tasked with helping you secure your computer. They then use a variety of technical terms and take you through confusing steps to convince you that your computer is infected. Once they have tricked you into believing your computer is infected, they pressure you into buying their security software or giving them remote access to your computer so they can fix it. If you give them remote access to your computer, they are going to take it over, steal your data, or use it to do their bidding.
Another example is an email attack called CEO Fraud. This is when an attacker identifies the name of your boss or a coworker. The attacker then crafts an email pretending to be from that person and sends the email to you. The email urgently asks you to take an action, such as conducting a wire transfer or emailing sensitive employee information. Quite often, these emails claim there is an emergency that urgently requires you to bypass standard security procedures. What makes targeted attacks like these so dangerous is that the cyber attackers do their research beforehand. In addition, security technologies like anti-virus or firewalls cannot detect or stop these attacks because there is no malware or malicious link involved.
Fortunately, stopping such attacks is simpler than you may think. If something seems suspicious or does not feel right, it may be an attack. The most common clues of a social engineering attack include:
- Someone creating a tremendous sense of urgency. They are attempting to fool you into making a mistake.
- Someone asking for information they should not have access to or should already know, such as your account numbers.
- Someone asking for your password. No legitimate organization will ever ask you for that.
- Someone pressuring you to bypass or ignore security processes or procedures you are expected to follow at work.
- Something too good to be true. For example, you are notified that you have won the lottery or an iPad, even though you never entered the lottery.
- You receive an odd email from a friend or coworker containing wording that does not sound like them.
If you suspect someone is trying to trick or fool you, stop communicating with that person. If the attack is work related, be sure to report it to your help desk or information security team right away. Remember, common sense is often your best defense.
Ref: SANS OUCH! | January 2017