“You want to put how much money in my bank account? Sure!” Source: DanielFoster437
What’s social engineering?
“Social engineering” means tricking people into providing credentials or granting access that they shouldn’t. Nobody’s immune to it, because you can’t patch the human brain. (Not even you, Elon Musk! Not yet!) There’s no firewall that can block all instances of someone lying to you. The closest thing is a blindfold and earplugs, and you won’t get much work done with those on.
Even smart, careful people get tired, get distracted, and make mistakes. Young and old, business people or students, even security analysts and managers: we all need to be vigilant. Social engineering can trip up any of us.
Social engineering springs eternal, like a fungus
Cyber attacks have a limited shelf life. According to a 2017 RAND Corporation report, the average life expectancy of a newly discovered exploit is 6.9 years. That’s how long it takes for managers to patch their systems so that attackers no longer bother using that exploit. Most organizations do better: on average, organizations patch their critical vulnerabilities in a little over a month. If you have a known vulnerability older than all the food in your fridge, it’s probably time to do something about it. Data breaches are rarer than food poisoning, but your AWS login page isn’t going to turn green or smell sour to warn you.
Social engineering is a unique threat in that it does not have a limited shelf life. The same words notorious hacker Kevin Mitnick used to trick people into telling him their passwords in the 1980s would still work on some people today. The infamous WannaCry attack worked for about four days. WannaCry was like fresh raspberries: incredibly tempting while it lasted, which wasn’t long. Social engineering attacks are more like the military’s nonperishable rations: even if they’re 30 years old, the odd person will still eat them.
To be fair, social engineering is more of a delivery mechanism than an exploit in itself. Zero-day exploits that worked on Windows 95 do not work today. But email subject lines that got people to click in Hotmail will still get (some) people to click in Gmail. And deceptive emails can carry new exploits just as easily as ancient exploits.
Plenty of phish in the sea
Email is the most common vector for social engineering. By far the most common social engineering attack is “phishing”: email that tries to get the user to click a malicious link or attachment. According to a 2019 Verizon report, 94% of malware with a known source came through email, and about 80% of the social engineering attacks involved in data breaches were phishing. Even with spam filters, malicious emails slip through like slimy hagfish squeezing through a net.
Classic phishing attacks prey on classic human desires. The “Nigerian prince” scams of the 2000s worked on greed. The attacker would claim to be trying to put their money somewhere safe, and offer to give the user a chunk of their vast fortune in exchange for the user’s bank account information. Very few people who want your bank account information want to give you money. (Even fewer are princes.)
“Lonely hearts” attacks are very common. The 2000 “Love Bug” emails offered a love letter but instead delivered a virus. Much like love itself. More personalized attacks are common too. If a good-looking man or woman sends you a link that they say leads to pictures of them, you’d better be very sure that the link goes to an actual image hosting site if you’re going to click it. (Do not click it.) Some of the most alarming and heavily covered attacks are simply aimed at unsuspecting, lonely children. The very cool kid who wants to be your friend and invites you to meet them at a park isn’t cool and isn’t a kid.
Attackers keep up with the news, and exploit people’s desire for the latest information. A whole wave of phishing attacks pretended to be breaking news on the COVID pandemic. If you get a news email from a site you don’t subscribe to: a) why would you open it at all? You can just check the news; b) if you do open it, don’t click the links. Oh, and an email from a site you do subscribe to might be fake. Check the sender’s address for misspellings, and check whether it matches older emails that you think are from the same sender.
After phishing, the next most common social engineering attack is “pretexting.” This is where the attacker comes up with a pretext (“Hi, I’m the password inspector”) to get information from you (“please tell me your password”). This is a cliché in security training. It’s a cliché because it works way too often.
I hope your users are well-trained enough to hang up if they get a call from someone claiming to be a “password inspector.” But real-world pretexting attacks often work by imitating the way an organization normally functions.
Employees want to be helpful and keep work running smoothly. If someone who sounds like your manager calls you, hanging up and calling your manager’s number to make sure it’s them is awkward. If you’re having trouble logging in and someone claiming to be IT calls asking for your password, that sure sounds like someone trying to help you. It’s easy to forget whether that’s how IT is supposed to contact you.
Pretexting attacks are effective when the way employees work day-to-day makes the pretext sound plausible. Are your employees accustomed to casually giving each other passwords? Getting “urgent” phone calls and immediately doing whatever the caller says? Then they’re vulnerable to pretexting. A perfect process only works if users follow it perfectly! If users ignore procedure on an ordinary day, they’ll ignore procedure when security is at stake.
Attackers who are aiming for a specific company may pretend to be specific workers there. They often target new employees, who aren’t familiar with procedures yet. If Debby from Accounting sends you a request for a payment, don’t write back to Debby by replying to the email. Send her a separate email at the address you know is correct, or call her.
Healthcare providers and higher education are among the biggest targets of social engineering campaigns. They have lots of sensitive data, often poorly secured. Hospitals are especially dangerous ransomware targets, because an outage there can put lives at risk.
Alright, you know that you need to stay alert. What should you be looking for?
- Hover the mouse over links to see where they go. If the URL doesn’t look like it goes to the site it claims to go to, don’t click on it.
- If you get a strange phone call, consider hanging up and calling the person whom the caller claims to be. Similarly, if you get a suspicious email claiming to be someone at your company, consider emailing them in a separate thread rather than replying directly to the email you received.
- Avoid opening email attachments if you aren’t certain who the sender is. Zip files and embedded macros in Microsoft Office files are common ways to hide malware.
- Read URLs and senders’ addresses carefully. Malicious sites may have obviously weird URLs, but many imitate normal sites. You might overlook that an address is something like “maiI” instead of “mail” (using an uppercase I to look like a lowercase l), or “email@example.com” instead of “firstname.lastname@example.org”.
- Don’t send sensitive data like passwords, personal information, financial information, and so on until you are extremely sure who you’re sending it to. Be suspicious when someone asks for it!
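As an added, runnable illustration of two of the checks above (the sender-address and hover-over-the-link checks), and not code from the original post, the Python below folds the lookalike characters the post mentions (an uppercase “I” for a lowercase “l”, “rn” for “m”) before comparing a sender’s domain with domains seen in earlier mail, and compares a link’s visible host with the host it actually points to. The trusted-domain list, the sample addresses and the confusables table are constructed for the example.

```python
import re
from urllib.parse import urlparse
# Assumption: this confusables table is illustrative, not complete. I/1/| read as l, 0 as o.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.\-]+\.[A-Za-z]{2,})")

def normalize(domain: str) -> str:
    """Fold lookalike spellings: 'maiI.example.com' and 'exarnple.com' fold to the real names."""
    folded = domain.strip().translate(CONFUSABLES).lower()  # fold I/1/| -> l and 0 -> o BEFORE lowercasing
    return folded.replace("rn", "m").replace("vv", "w")      # letter pairs that read as a single letter

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """'Debby <debby@example.com>' -> 'example.com'."""
    m = re.search(r"@([A-Za-z0-9.\-]+)", address)
    return m.group(1) if m else ""

def classify_sender(address: str, known_domains) -> str:
    """'known' if the domain matches one seen in earlier mail, 'lookalike' if it only
    matches after folding confusables or is one edit away, otherwise 'unknown'."""
    raw = sender_domain(address)
    known = {k.lower() for k in known_domains}
    if raw.lower() in known:
        return "known"
    folded = normalize(raw)
    if folded in known or any(edit_distance(folded, k) <= 1 for k in known):
        return "lookalike"
    return "unknown"

def link_mismatch(display_text: str, href: str) -> bool:
    """True when the link text names one host but the href (what hovering reveals) points
    elsewhere. Text that names no host, such as 'Click here', is not judged."""
    shown = HOST_RE.search(display_text)
    if not shown:
        return False
    s, t = shown.group(1).lower(), (urlparse(href).hostname or "").lower()
    return s != t and not t.endswith("." + s)  # 'example.com' text with a www.example.com href is fine

if __name__ == "__main__":  # constructed sample: a domain trusted from earlier mail and a lookalike sender
    print(classify_sender("Debby <debby@exarnple.com>", ["example.com"]))  # lookalike
```

The same classify_sender check can be run over the host of a link target, so a hovered URL like maiI.example.com is caught even when the link text names no host.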
There is no software that makes it impossible to trick people. Social engineering requires social solutions. Some companies have tried to create a technical fix with remarkable projects like Lojban, zero-knowledge proofs, and fancy blockchain apps. But, since the dawn of mankind and the invention of the rock, whenever two people can communicate, one of them can try to trick the other. And one of them might fall for it. You just have to stay alert. And if you start to lose faith in humanity, watch animal rescue videos.