The stereotypical hacker sits in his basement, types away on his keyboard, and yells at his mom. At least, that’s how Hollywood portrays them. Reality couldn’t be more different. Most malicious hacks are done through social engineering.
Social engineering is the art of gaining access to, and exploiting, human psychology. The Wall Street Journal posted a story on a man hired by Fortune 500 companies to break into their employees’ information. Why? So they know it can happen to them and to make sure it doesn’t happen again.
The best example of social engineering is the story of the Trojan War from Greek mythology. After a ten-year siege on the Trojans, the Greeks pretended to accept their defeat. They left behind an enormous wooden horse, and the Trojans opened their city gates to bring in the horse as a victory trophy. The Greeks were hiding inside, crept out at night, and destroyed the city of Troy.
No matter how expensive or advanced your defenses are, social engineering can still work its way around them. Trojan horses still exist today in the forms mentioned below:
Phishing: E-mails in Disguise
These are e-mails that look like they came from a legitimate organization or person but are usually accompanied by some sort of malicious attachment. I won’t bore you with technical details, but don’t open those attachments or bad “computer stuff” can happen.
Vishing: Voice Phishing
Calls from an organization claiming to be something other than what it really is. These people are after your personal information, such as a social security or credit card number.
Impersonation: The Con Man
People posing as someone they are not, such as an auditor, manager, or trusted third party. They’ve likely done their homework on you ahead of time.
Not only are your inboxes and phone lines being targeted, your social media sites are too.
Whether it’s selfies or cat videos, most of us like to tweet, tag, link, comment, like, and post online. But how many actually consider that social media sites can act as a double-edged sword?
Platforms like Facebook and Instagram are full of information social engineers can use. Things like where you work, your daily schedule, and contact information are all accessible to scammers.
Here are a few things you can do to protect yourself from social engineers:
- Shred work documents. – Dumpster diving isn’t the most sanitary way to get information, but it’s not beyond social engineers. Documents like internal phone lists, organizational charts, employee handbooks, meeting notes, spreadsheets, and reports should all be ripped up before they’re discarded.
- Escort all your guests when they’re in the building.
- Don’t leave hard copies on your desk. – A mere glance at your information (schedules, notes, personal info, etc.) from an outsider puts you at risk.
- Don’t open unknown emails or attachments. – Remember, bad “computer stuff.”
- Never let strangers contact you about support problems. – Don’t trust the person calling about a slow computer.
- Be aware of what information you post online. Once posted, it is public information.
- Emails are not private. – Sensitive information, including internal emails, should always be encrypted.
Finally, one of my personal pet peeves. Passwords.
Did you know the most common passwords are “password” or “123456”? I wish I was kidding. People like easy passwords, because they can remember them. But easy passwords are also easily hacked. People also like to write their passwords on sticky notes and hide them under a computer or mouse.
This is actually the easiest way for a social engineer to hack into a network, because they know everyone does it. An alternative to sticky notes would be to offer employees a platform to store their passwords, such as password keeper software.
In addition, using your birthday, mother’s or father’s name, your name, or anything else linked to your social media platforms is easy bait for a social engineer. Never use passwords that are accessible anywhere else.
Sure, remembering multiple passwords is inconvenient, but so is someone stealing your information.
Nearly three trillion password combinations are possible just by using letters and numbers in your eight-character password. Imagine how difficult you could make it for a hacker if you added a special character.
There are a lot of scams, outside of what’s mentioned here, to be aware of. Too often we rely on technology to safeguard us from hackers when we should be focusing on those most vulnerable to a social engineer’s attack, our people.
No matter how secure a building or network seems to be, social engineering shouldn’t be taken lightly. While you’re never completely secure, you are able to decrease risk. The most important thing is to make sure your employees are properly educated and trained on how to protect themselves from social engineers.
– Lamar Schadler, IT Security Specialist at Mittera