Trick or treat?
When you think of this question, you probably think of it as an innocent question that gets repeated countless times on Halloween night by excited costumed children hoping for one more sugary snack. But as IT professionals, this question gives us a fright every single day of the year. Why? Because the question of “trick or treat” is really at the heart of cyber-security for all businesses. And when even one person is tempted by an online trick, it creates a truly ghoulish situation for the entire organization.

The frightening reality of online security is that it is only as good as the people who are using the network. And thanks to very sophisticated social engineering techniques that persuade us that we MUST download this software RIGHT NOW (or that we must click NOW to claim that fabulous free vacation, cash prize, etc.), it’s getting more and more challenging to keep malware out, even when deploying all of the most up-to-date security controls like anti-virus, patching and firewalls.

Think of it this way – you could outfit your front door with the strongest, most durable locks and deadbolts known to man. Seriously, it could be bullet-proof and be backed up by a completely state-of-the-art surveillance system. But if someone inside the house decides to open the door wide to the stranger on the doorstep, then these security measures are completely useless. Well it’s the same thing with your network, because each and every time the computer users within your business are presented with a tempting offer, or a scareware tactic that compels them to act, the network is at risk. And it only takes one click to infect an entire network. Perhaps the scariest thing about all of this is just how easy social engineering is making it for the hackers to stroll right through the proverbial front door – no crowbar required.
What Exactly Is Social Engineering?
Social engineering is really nothing more than a form of persuasion; however, it is being used by hackers and cyber-criminals to influence people to take actions that are ultimately not in their best interest. And that makes it a very negative form of manipulation. Unfortunately for us, criminals have realized that it is often easier and more lucrative to exploit our trustworthiness or lax attitudes about security than it is to actually break into our computers. So instead of cracking your password, it’s easier to use proven social engineering tactics to trick you into simply handing over access to what they are after. Social engineering continues to flourish because the human beings operating the computers continue to let their guards down or let curiosity get the best of them. And because the only limit to the new types of social engineering that emerge daily is the imagination of the criminals behind it, it’s not going away anytime soon.
Beware These 5 Common Social Engineering Tactics
Think the term “social engineering” sounds like some New Age-y concept or the plot of a new Hollywood thriller? Think again. Not only is social engineering real, but on a daily basis you are probably exposed to this type of manipulation over and over again. Here are some of the more common examples:
1. Email Tactics
Email from a friend that includes a link or an attachment – Email hijacking is rampant, so if you receive an email from a friend with a link that you just have to check out, be suspicious. It’s also common when emails get hijacked to receive attachments like documents, pictures, movies or music. These messages play upon your natural trust and curiosity, so understanding the appeal is critical to avoiding the trick.

Email from a friend asking for money because they are in trouble – these messages create a compelling story with a real sense of urgency. Your friend is stranded, in the hospital, has been robbed, beaten, etc., and the only way for them to get home is you and your credit card.
2. Phishing Attempts
These will often be either an attempt to verify information due to a problem with a transaction, or a notification that you are a winner and need to claim your prize. Often the message appears to come from a popular company (Paypal, Ebay, etc.), bank, school or major retailer and sets up a scenario that requires you to react by clicking a link or entering personal information. Very commonly phishing emails double down with scareware tactics, spelling out dire warnings about frozen accounts or other negative things that will happen if you don’t do this RIGHT NOW. Again, notice the sense of urgency that gets created. Earlier this year we issued an alert about a “whale phishing” attempt that was very sophisticated. Using a spoofed sender address, it was a request that appeared to be from a trusted source within the company requesting a wire transfer. By all appearances, it was a completely legitimate request; the only tells were in the message itself (the real sending address and where replies would go), not in the story it told. And there is yet another type of phishing attempt that preys on people’s goodness, by soliciting for a charity, a political organization or disaster relief.
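The tells mentioned above (a trusted name on an outside address, replies routed elsewhere, link text that names one site while the link goes to another, and manufactured urgency) can be checked mechanically before a person ever has to decide “trick or treat”. The script below is an added example written for this post, not code from Corsica Tech or from any product; it uses only the Python standard library. The company domain, the known-sender list and the sample message are constructed assumptions.

```python
# Added example (not from the original post): automated triage of the e-mail and
# phishing tactics described above, using only the Python standard library.
# INTERNAL_DOMAIN, KNOWN_SENDERS and SAMPLE are constructed assumptions.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.com"                        # hypothetical company domain
KNOWN_SENDERS = {"Jane Doe": "jane.doe@example-corp.com"}   # hypothetical executive
URGENCY_WORDS = ("immediately", "right now", "urgent", "within 24 hours", "account will be")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(s):
    """Crude registrable domain (last two labels) of an address, URL or host.
    Fine for the demo; a real tool would consult the public suffix list."""
    if "://" in s:
        host = urlparse(s).hostname or ""
    elif "@" in s:
        host = s.rsplit("@", 1)[1]
    else:
        host = s.split("/", 1)[0]
    return ".".join(host.lower().split(".")[-2:])


def body_html(msg):
    """Return the (first) text/html part decoded to str."""
    part = msg
    if msg.is_multipart():
        part = next((p for p in msg.walk() if p.get_content_type() == "text/html"), msg)
    payload = part.get_payload(decode=True) or b""
    return payload.decode(part.get_content_charset() or "utf-8", "replace")


def triage(raw):
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # 1. Display-name spoofing: a known insider's name on an outside address.
    if name in KNOWN_SENDERS and addr.lower() != KNOWN_SENDERS[name]:
        findings.append(f"display-name spoof: '{name}' sent from {addr}")
    # 2. Replies silently routed somewhere other than the apparent sender.
    if reply_to and registrable(reply_to) != registrable(addr):
        findings.append(f"reply-to mismatch: {reply_to}")

    html = body_html(msg)
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        if not href or not href.lower().startswith(("http://", "https://")):
            continue
        host = urlparse(href).hostname or ""
        # 3. Visible link text names one site while the href goes to another.
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text) and registrable(text) != registrable(href):
            findings.append(f"link text {text!r} points at {host}")
        # 4. Look-alike host: our own domain embedded in somebody else's.
        if INTERNAL_DOMAIN in host and registrable(href) != INTERNAL_DOMAIN:
            findings.append(f"look-alike host: {host}")

    # 5. Manufactured urgency in the subject or body (tags stripped first).
    plain = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [w for w in URGENCY_WORDS if w in plain]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: a wire-transfer request under a spoofed executive name.
SAMPLE = """\
From: "Jane Doe" <jane.doe@example-corp-mail.com>
Reply-To: payments@fast-wires.example.net
Subject: Urgent wire transfer - need this done right now
Content-Type: text/html

<p>I'm in meetings all day, please process the attached wire immediately.</p>
<p>Confirm your login at <a href="https://example-corp.com.secure-login.net/verify">https://portal.example-corp.com/verify</a>.</p>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

Run against the constructed sample it reports all five findings; none of them depends on the story in the message, which is exactly the point: the persuasion is aimed at the reader, but the forgery still has to live in the headers and links. A mail gateway or a help-desk triage script can apply these checks before anyone has to decide whether the request “seems legit”.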
3. Baiting
It’s a manipulative use of Psychology 101, and it works. These schemes prey on the notion that offering something that people really, really want will get results. Whether it’s a hot new release, a first look at something, or Hollywood gossip that you could find out first, baiting scenarios are counting on the fact that our “want” of that thing will win out over our caution.
4. Unsolicited responses to unasked questions
This tactic is one where the scammer will pretend to respond to a request for help. It works because they choose to spoof companies that millions of people use, so if you happen to use their services, chances are good that you just might have the problem that this scam purports to solve. And who doesn’t want to solve a problem for free without even asking? (Correct Answer: Not You!)
5. Social Media Hijacking
While this tactic usually begins with gaining access to your email or guessing a weak password, it extends to taking over your social media profile and then using it to message your contacts with links – essentially turning your social profile into the cover for the social engineering scam, with your name and reputation lending it credibility.
So What Can You Do to Avoid Falling Prey to Social Engineering Tricks?
The best counter is education and awareness. With cyber-risks only continuing to increase, the best overall course of action is to always be suspicious and verify. Train yourself and your staff to ask “is this a trick or a treat?” (or to take the Halloween spin out of it…ask “Do I trust this?”) every single time they are presented with an unsolicited email from an unknown source, or a link that seems too good to be true (it is!), or a message that creates an extreme sense of urgency. “This” can be a link, a person, an offer, or even a text message or phone call. With the sophistication of hackers today, attempts to install malware, steal our passwords, and access our credit card or banking information come in all shapes and sizes.

Truly one of the simplest ways to guard against these tactics is to always verify anything directly with the source, using contact details you already have rather than ones supplied in the message. Got an email from a friend asking you to wire her money because she is stuck in a foreign country? Give her a call and see how she’s doing. Chances are she’s sitting at her desk just like you are, and even if she’s not, the chances are slim to none that she is being held hostage and the only way for her to be set free is you handing over your credit card information.

Emails from friends that include files are somewhat trickier, particularly if it’s a friend who sometimes sends you attachments. The best bet is to pay close attention to the email itself, and if you weren’t expecting something from them, don’t open it just yet – verify it directly with the friend instead. If something seems off about the message or the communication style, don’t open that attachment at all.

The same logic applies to downloads. You might need to install the newest OS update, download anti-virus software or that great new security app. But don’t attempt to do so from an unfamiliar link – especially if it comes in the form of an urgent message implying that your computer will implode at any minute if you don’t CLICK NOW.
Instead, close and delete that message and calmly proceed (at your convenience) directly to the trusted source of the download, app or update that you need. And while it’s incredibly tempting in our increasingly social online world, avoid putting every detail of your private life online. The less private information you make public, the more difficult it is for someone to pretend to be you.
Tips for Avoiding Social Engineering Tricks
You can avoid becoming a victim by staying vigilant and following these recommendations all the time:
- Stay in control of where you land on the Internet. Don’t follow unknown or unsolicited links to get to the information, even if it’s something you want or need. Instead, type the address yourself or use a bookmark you saved earlier.
- Be suspicious of all unsolicited messages, especially if they imply an extreme sense of urgency about something. Take a few minutes to research and/or verify the information yourself by placing a phone call to the supposed sender using a number you already have (not one from the message), or by looking it up online via trusted sources.
- Reject unsolicited offers of help. Again, take control and if you want or need assistance from a company, it should always come at your request.
- To donate money to an organization, find it on your own and verify that it is legitimate before proceeding with a donation. Always be suspicious of solicitation messages you receive from any organization that you have never donated to or worked with before.
Finally, here are some absolutes when it comes to recognizing social engineering tactics.
- Unsolicited offers from abroad that promise to make you rich are scams, every time.
- If it sounds too good to be true, it is.
- Any message that asks you to reply with personal information is a scam. Your bank, credit card company, mortgage holder, etc. will never ask you to email them account details or passwords – a legitimate institution does not need your password, and it does not collect financial information that way.
- Think before you click. Scammers are banking on the fact that you will react emotionally and think later. Be suspicious of messages that have a very high sense of urgency and definitely don’t let that urgency dictate your reaction.
And don’t forget that the most reliable way to recover from a malware infection is sound, regular, tested data backups! If you aren’t backing up your data or don’t know if your data backups are working correctly (that is, if you have never tried restoring from them), make that a priority for your business today. Corsica Tech provides fully managed IT solutions for thousands of systems, including providing the latest technology in anti-virus, firewalls and patching solutions. All of our managed service customers benefit from our 24/7 monitoring, maintenance and security services, including regular backups, patching, updates and the preventive maintenance that keeps your network running smoothly with minimal downtime.