How hackers use Social Engineering.
It’s Monday morning.
You just made it to your desk. As you’re taking the first sip of coffee, you start scrolling through your emails. One of them looks like it came from Google and says you need to reset your password.
You click the link in the email. You’re taken to a page looking like a login for Google. You put in your email and password.
The hacker got you and you didn’t even know.
Your company knows that you, the employee, are its biggest vulnerability. It has a team of pros watching for these social attacks. One sign-in on the wrong website could cost the company millions of dollars and a lot of bad press.
This can be prevented, so let’s save you the embarrassment.
Why am I so dangerous to my company?
People are the easiest way into a company network. They give away important information without realizing it, whether by email or over the phone. A good hacker can get an unsuspecting victim to hand over exactly what they need.
What is social engineering?
Social engineering is when hackers exploit human weaknesses to obtain information and gain access to systems. Through deceit, the information is extracted via emails, customer service lines, phone calls, or text messages.
How does social engineering work?
There are multiple ways a hacker can use social engineering to hack you or your company.
Let’s go through the different types.
Phishing is the attack you’re most familiar with. You receive an email with a link to click. The link leads to a form to fill out. You fill out the form and the hacker receives whatever you typed in. Phishing is usually a mass, untargeted attack: the same email goes to many people, and the goal is to lure anyone who bites into giving up personal information.
Spear phishing is similar to phishing. The difference is that spear phishing is tailored to the specific person being attacked. These attacks are more difficult to pull off, because the attacker has to pose as someone the target already knows or trusts. A good example would be a fake email that looks like it came from your IT department, asking you to change your password using the provided link.
Baiting uses a false promise to exploit someone’s greed or curiosity. The bait can be something physical or something virtual.
One example could be a flash drive left in a public place with a label saying “Company taxes”. Someone picks up the flash drive and plugs it into their computer. The flash drive then installs malware, giving the attacker access to that computer.
A second example could be a question game on Facebook. The game asks personal questions about you, such as “Where did you meet your spouse?” or “What’s your favorite color?”. Notice that these are the same security questions used to reset your passwords.
Pretexting is an attack where the attacker obtains information through a series of lies, acting as though they are someone else. They could pose as the police to get information out of you. Another way is to call a customer service line and pose as you. They might extract a few details from one company’s customer service rep, then call a second company and use those details to pass as you and gain access to your account there.
Scareware is a scare tactic to get you to take immediate action and install some software. These are the pop-ups you’ve seen claiming you have thousands of viruses on your system. What actually gets installed is malware, which can give the attacker access to your system and everything you do on it.
What can I do to help prevent an attack?
Only open emails from familiar companies or people
Don’t fill out forms on websites you reached through a link in an email; type the site’s address yourself or use a bookmark instead
Report suspicious emails to your IT department
Keep your personal information to yourself
Stay away from suspicious websites
Don’t give information to anyone who calls you. Instead, call their company back through phone numbers you know are associated with the company.
Use 2FA (2-factor authentication) when possible
Be suspicious of offers that seem too good to be true
Keep your software up to date (especially anti-virus and anti-malware)
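The password-reset story above and the advice about links in email both come down to one check: does the link actually go to the site it claims to? The following is an added example, not code from the original article. It is a small Python checker that scans an email body for links and flags the common tricks (a trusted name buried in a lookalike host, the user@host trick, punycode homoglyph domains, plain http). It assumes a naive two-label "registrable domain" rule with no public-suffix handling, and the sample email, domains and URLs are constructed for the demonstration.

```python
"""Flag links in a "reset your password" mail that do not lead to the expected site.

Added example, not part of the original article. Assumes a naive two-label
registrable domain (no public-suffix list), which is enough for the cases shown.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample mail: two bad links and one legitimate link for comparison.
SAMPLE_MAIL = """\
Your Google password expires today. Reset it here:
https://google.com-password-reset.example/login
or use the secure form: https://google.com@login.example/reset
Legitimate link for comparison: https://accounts.google.com/signin
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname (assumption: no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str) -> List[str]:
    """Return the reasons a link looks wrong for expected_domain; an empty list means it checks out."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    expected = expected_domain.lower()

    if parsed.scheme != "https":
        reasons.append("not https")
    if parsed.username is not None:
        # 'https://google.com@login.example/' shows the trusted name before '@' but goes elsewhere
        reasons.append("user@host trick: real host is %r" % host)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph domain)")
    if registrable_domain(host) != expected:
        # The brand name appearing in a host that is not under the real domain is the lookalike pattern
        if expected.split(".")[0] in host or expected in parsed.path:
            reasons.append("lookalike: contains %r but resolves to %r" % (expected, host))
        else:
            reasons.append("host %r is not under %r" % (host, expected))
    return reasons


def scan_message(body: str, expected_domain: str) -> Dict[str, List[str]]:
    """Map every link found in the body to its list of problems."""
    return {url: check_link(url, expected_domain) for url in URL_RE.findall(body)}


if __name__ == "__main__":
    for link, problems in scan_message(SAMPLE_MAIL, "google.com").items():
        print(link, "->", "OK" if not problems else "; ".join(problems))
```

The registrable-domain comparison is the part that matters: a host like google.com-password-reset.example contains the trusted name but is not under google.com, which is exactly what a reader skimming the link text misses. A production filter would replace the two-label rule with a public-suffix list and resolve the link's display text against its real target as well.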
Read more about a real-life social engineering hack used to obtain a Twitter username. The hacker later told the victim exactly how he pulled it off.