Why would a hacker spend time trying to guess someone’s password when they can simply ask for it directly? That is the basic concept of social engineering (the attempt to control social behavior). Social engineering scams have been going on for years, and many people still fall for them every single day. This is largely due to the overwhelming lack of basic cybersecurity training available to the employees of today’s organizations, big and small. So what basic cybersecurity should you and your employees know? While there are many types of social engineering, there are only a few scams you really need to know: phishing, baiting and piggybacking. Before those, though, basic cybersecurity starts with not downloading something you should not. Let’s begin with that subject and then discuss the social engineering tactics used to fool you into giving up your credentials.
The most important basic rule of cybersecurity is to be aware that downloading is how your device gets infected. So it is very important to be absolutely sure that whatever you download comes from a trusted source. Hackers use various tactics, discussed below, to get you to download something you shouldn’t, but the thing to remember is that DOWNLOADING is how your device gets infected. You, a human, are the first line of defense against hackers, and hackers are trying to fool you into downloading something you should not. Basic cybersecurity 101: only download from trusted sources, and be sure you are on a secure, trusted website or that the email or text really comes from a trusted source. Stop and think twice, if not three times, before you download.
Phishing is the leading form of social engineering attack. It is typically delivered as an email, chat, web ad or website designed to impersonate a trusted source or friend. For example, the name of a trusted source or known friend will appear in the FROM field of an email with what appears to be a legitimate message. Pretexting is a form of phishing. Phishing messages are crafted to create a sense of urgency or fear, with the end goal of capturing an end user’s sensitive data, i.e., login credentials and the like. A phishing message might appear to come from a bank, the government, a major corporation or your trusted friend. The calls to action vary. Some ask the end user to “verify” the login information for an account and include a mocked-up login page, complete with logos and branding to look legitimate; the lure might be a Star Trek theme, a Microsoft Word document or any other type of attachment. Some claim the end user is the “winner” of a grand prize or lottery and request access to a bank account in which to deliver the winnings. Some ask for charitable donations (and wiring instructions) after a natural disaster or tragedy. Whatever the concern in the message, it appeals to your heart: you ‘trust’ the message and provide what the hacker has asked for. A well-known phishing scam is one in which the hacker creates a false sense of trust by impersonating a co-worker or a figure of authority well known to the end user in order to obtain login information. An example is an email to an employee from what appears to be the head of the company or IT Support, or a chat message from an “investigator” who claims to be performing a corporate audit. Remember: the phish works because you TRUST the source and deliver what is asked for. Backblaze has ten points to consider. Think twice about trusting anyone. Confirm that the trusted source is legitimate.
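As an added illustration of the FROM-field trick described above (example code written for this page, not Connectech’s or Backblaze’s), here is a small Python check over the headers of a constructed message. It flags a familiar display name arriving from the wrong domain, a Reply-To that diverts replies elsewhere, and a lookalike of the company’s own domain; the company domain and contact names are hypothetical.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed example: the company's real mail domain and the display names
# employees recognise (hypothetical values, not from any real organisation).
INTERNAL_DOMAIN = "example-corp.com"
KNOWN_CONTACTS = {"it support": INTERNAL_DOMAIN, "jane ceo": INTERNAL_DOMAIN}

def domain_of(address: str) -> str:
    # Lower-cased domain part of an address, or '' when there is no '@'.
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def check_from_header(raw_message: str) -> list[str]:
    """Return warnings describing why the sender of one message looks spoofed."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = domain_of(address)
    if not domain:
        return ["From header has no usable address"]
    warnings = []
    # 1. A familiar display name, but the real address is not on the expected domain.
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    if expected and domain != expected:
        warnings.append(f"'{display_name}' expected on {expected}, sent from {domain}")
    # 2. The display name itself shows an address that differs from the real one.
    shown = domain_of(display_name)
    if shown and shown != domain:
        warnings.append(f"display name shows {shown} but mail came from {domain}")
    # 3. Replies would go to a different domain than the one that sent the mail.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != domain:
        warnings.append(f"Reply-To goes to {reply_domain}, not {domain}")
    # 4. Lookalike of the company's own domain (e.g. the digit 1 standing in for l).
    if domain != INTERNAL_DOMAIN and SequenceMatcher(None, domain, INTERNAL_DOMAIN).ratio() > 0.85:
        warnings.append(f"{domain} closely resembles {INTERNAL_DOMAIN}")
    return warnings

# Constructed sample messages (not real mail): one spoofed, one legitimate.
SPOOFED = """From: IT Support <helpdesk@examp1e-corp.com>
Reply-To: helpdesk@mail-verify.example
Subject: Verify your login now

Your account will be locked in 24 hours unless you verify it.
"""
LEGITIMATE = """From: IT Support <helpdesk@example-corp.com>
Subject: Scheduled maintenance

Servers reboot on Saturday at 02:00.
"""
```

Running `check_from_header(SPOOFED)` yields three warnings (wrong domain for “IT Support”, diverted Reply-To, lookalike domain), while the legitimate message yields none.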
Baiting, also known as quid pro quo, is similar to phishing: it involves offering an end user something enticing in exchange for something else. This also appeals to the heart if the bait is enticing enough. The “bait” comes in many forms, both digital, such as a music or movie download on a peer-to-peer site, and physical, such as a corporate-branded flash drive labeled “XYZ Company Confidential” left on a desk for an end user to find. Once the bait is downloaded or used, malicious software is delivered directly onto the end user’s system and the hacker is able to get to work. Porn sites are notorious for baiting. Baiting can also be an exchange for a service. For example, an end user might receive a phone call from a hacker who poses as a technology expert and offers free IT assistance or technology improvements in exchange for login credentials. Another common example is a hacker posing as a researcher who asks for access to the company’s network as part of an experiment in exchange for $100. If an offer sounds too good to be true, it is probably bait.
Piggybacking or Tailgating
Piggybacking (with the consent of the authorized person) or tailgating (without the consent of the authorized person) is when an unauthorized person physically follows an authorized person into a restricted corporate area or system. One tried-and-true piggybacking method is for a hacker to call out to an employee to hold a door open because they have “forgotten” their RFID card. Another involves asking an employee to “borrow” his or her laptop or device for a few minutes, during which the criminal quickly installs malicious software, usually by downloading it.
What Else Should You and Your Employees Know?
If you and your employees know the main characteristics of these attacks, you are much less likely to fall for them, since social engineering usually appeals to the heart and overrides the mind. Aside from education and awareness, there are other ways to reduce the risk of being hacked. Passwords are at the heart of security, so educate your employees on what they should know about passwords. Employees should be instructed not to open emails or click links from unknown sources. Computers should never be shared with anyone, even for a moment. By default, all company desktops, laptops and mobile devices should automatically lock when left idle for longer than 5 minutes (or less). Set up two-factor authentication for all your devices and services. Lastly, ensure your business is prepared to recover quickly from this kind of attack in case an employee does fall victim to one of these schemes; humans are humans, after all. With a solid backup and recovery solution in place, everyone can rest easier. Connectech can assist you and your team with basic cybersecurity. Call us for assistance.