Social Engineering, in the context of Information Security, is the use of deception to manipulate individuals for fraudulent purposes. With the rise of social media over the past several years, scammers and hackers are using psychological manipulation to obtain personal or valuable information from vulnerable victims. Projections show that at least 2 billion people will use some form of social media in 2019 alone. Social engineering attacks can come in many forms and anyone could be a target, whether it be me, an IT genius ;), or the CEO of a Fortune 500 company. Here are a few examples of Social Engineering and how you can stay alert and ward off attacks now and in the future.
“Hey you! Remember me? It’s Steve Rogers from Avengers University!”
We’ve all received messages or e-mails like the quotation above. However, how do we know if we’re being targeted by a social engineering attack or if Captain America himself is really reaching out to us? This type of attack is mostly achieved by researching the background information of an unsuspecting target or by using some form of deception to obtain the information needed. A great example of this trick involves the security questions you are asked when signing up for a highly confidential account, say a bank account, such as “Where did you meet your spouse?” Many questions like this can be woven into everyday conversation without arousing suspicion in the person divulging the sensitive information.
“Hi, I’m Prince T’Challa from Wakanda and I’m leaving you 3,139,012.82 dollars behind in my will.”
Another great example of Social Engineering is these pesky e-mails we receive. Most of these end up in our spam folder, but some make their way into our inbox. It’s hard to believe that these are still around; however, the reason they’re still around is that they’re still effective.
3. Baiting (can also be considered phishing, but in a more physical form)
*Finds Flash Drive on ground in lobby* “Oh hey, it says Iron Man Prototype Suits on it!”
Most people would see that and their eyes would light up. Could Tony Stark really be that irresponsible with his highly guarded and valuable information? Odds are, more than likely not. Social engineering like this happens in important places like hospitals or banks. Hackers/Scammers load malicious software onto these flash drives, and once you plug one into your computer, you completely bypass your firewall and expose yourself to whatever is on there. If you ever find a flash drive, no matter how enticing it is, destroy it, throw it away, or turn it over to whoever is in charge of handling security, whether that be your favorite IT guru or local authorities.
These are just a few examples of how social engineering works. It is always wise to stay alert, knowledgeable, vigilant and, above all else, paranoid! Below are a few tips on how to help battle against social engineering attacks.
1. Never open suspicious e-mails or attachments. You can always report phishing e-mails to firstname.lastname@example.org
2. Use Two-Factor or Multi-Factor Authentication when signing up for and logging into accounts. This ensures you need two ways to verify that you are who you say you are.
3. If it sounds too good to be true, it more than likely is and is probably a scam. Use your best judgment.
4. Always have up-to-date antivirus software and definitions.
5. Encrypt your hard drives if you have the resources to.
6. Always lock your phones, tablets, or other devices when you are done using them or walk away from them.
There are always threats in the world. The best way to prevent them is to stay educated. I hope these tips will help you better understand some of the vile tactics used by hackers and scammers to obtain your information.
For more information, you can always visit https://niccs.us-cert.gov/ for more tips, free reads and tutorials.
Mike Morfin is the Assistant Director of Information Technology at Catalyst. He has been with Catalyst for over two and a half years. He has his Associate of Applied Science in Network Engineering and is working on obtaining his Bachelor’s degree in Cybersecurity and Information Assurance. He currently holds five different IT certifications, including two from Cisco. Mike oversees the daily operations of the entire company’s IT infrastructure. He is committed to the security and confidentiality of both clients and staff.