Social Engineering: Why Cybersecurity is an Issue for Everyone

“You want to put how much money in my bank account? Sure!” Source: DanielFoster437

What’s social engineering?

Even smart careful people get tired, get distracted, and make mistakes. Young and old, business people or students, even security analysts and managers, we all need to be vigilant. Social engineering can trip up all of us.

Social engineering springs eternal, like a fungus

Social engineering is a unique threat, in that it does not have a limited shelf life. The same words notorious hacker Kevin Mitnick used to trick people into telling him their passwords in the 1980s would still work on some people today. The infamous WannaCry attack worked for about four days. WannaCry was like fresh raspberries: incredibly tempting while it lasted, which wasn’t long. Social engineering attacks are more like the military’s nonperishable rations: even if they’re 30 years old, the odd person will still eat them.

To be fair, social engineering is more of a delivery mechanism than an exploit in itself. Zero-day exploits that worked on Windows 95 do not work today. But email subject lines that got people to click in Hotmail will still get (some) people to click in Gmail. And deceptive emails can carry new exploits just as easily as ancient exploits.

Plenty of phish in the sea

Classic phishing attacks prey on classic human desires. The “Nigerian prince” scams of the 2000s worked on greed. The attacker would claim to be trying to put their money somewhere safe, and offer to give the user a chunk of their vast fortune in exchange for their bank account information. Very few people who want your bank account information want to give you money. (Even fewer are princes.)

“Lonely hearts” attacks are very common. The 2000 “Love Bug” emails offered a love letter but instead delivered a virus. Much like love itself. More personalized attacks are common too. If a good-looking man or woman sends you a link that they say leads to pictures of them, you’d better be very sure that the link goes to an actual image hosting site if you’re going to click it. (Do not click it.) Some of the most alarming and heavily covered attacks are simply aimed at unsuspecting, lonely children. The very cool kid who wants to be your friend and invites you to meet them at a park isn’t cool and isn’t a kid.

Attackers keep up with the news, and exploit people’s desire for the latest information. A whole wave of phishing attacks pretended to be breaking news on the COVID pandemic. If you get a news email from a site you don’t subscribe to, (a) why would you open it at all, when you can just check the news directly? and (b) if you do open it, don’t click the links. An email from a site you do subscribe to might also be fake: check the sender’s address for misspellings, and check whether it matches older emails that you think are from the same sender.

Password inspectors

I hope your users are well-trained enough to hang up if they get a call from someone claiming to be a “password inspector.” But real-world pretexting attacks often work by imitating the way an organization normally functions.

Employees want to be helpful and keep work running smoothly. If someone who sounds like your manager calls you, hanging up and calling your manager’s number to make sure it’s them is awkward. If you’re having trouble logging in and someone claiming to be IT calls asking for your password, that sure sounds like someone trying to help you. It’s easy to forget whether that’s how IT is supposed to contact you.

Pretexting attacks are effective when the way employees work day-to-day makes the pretext sound plausible. Are your employees accustomed to casually giving each other passwords? Getting “urgent” phone calls and immediately doing whatever the caller says? Then they’re vulnerable to pretexting. A perfect process only works if users follow it perfectly! If users ignore procedure on an ordinary day, they’ll ignore procedure when security is at stake.

Soft targets

Healthcare providers and higher education are among the biggest targets of social engineering campaigns. They hold a lot of sensitive data, which is often poorly secured. Hospitals are especially dangerous ransomware targets, because an outage could put lives at risk.

Self-defense

  • Hover the mouse over links to see where they go. If the URL doesn’t look like it goes to the site it claims to go to, don’t click on it.
  • If you get a strange phone call, consider hanging up and calling the person whom the caller claims to be. Similarly, if you get a suspicious email claiming to be someone at your company, consider emailing them in a separate thread rather than replying directly to the email you received.
  • Avoid opening email attachments if you aren’t certain who the sender is. Zip files and embedded macros in Microsoft Office files are common ways to hide malware.
  • Read URLs and senders’ addresses carefully. Malicious sites may have obviously weird URLs, but many imitate normal sites. You might overlook that an address is something like “maiI” instead of “mail” (using an uppercase I to look like a lowercase l), or “bob@yourcompany.net” instead of “bob@yourcompany.org”.
  • Don’t send sensitive data like passwords, personal information, financial information, and so on until you are extremely sure who you’re sending it to. Be suspicious when someone asks for it!
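The “hover over links” and “read addresses carefully” advice above can be applied mechanically. The following is an added example, not code from the original post: a small Python checker that flags sender domains which only imitate a known-good one (wrong TLD, or lookalike characters such as an uppercase I for a lowercase l) and link text whose visible site differs from where the href actually goes. The known-good domains and the confusable table are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Lowercase lookalike sequences mapped to what they imitate (constructed, deliberately
# small). Uppercase 'I' imitating lowercase 'l' is handled before lowercasing, below.
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}

# Domains this organisation really sends mail from (constructed sample values).
KNOWN_GOOD_DOMAINS = {"yourcompany.org", "mail.yourcompany.org"}

# Visible link text that looks like a URL or bare host, e.g. "yourcompany.org/login".
URL_LIKE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?", re.I)


def skeleton(name: str) -> str:
    """Collapse lookalike characters so 'maiI' and 'rnail' both become 'mail'."""
    s = name.strip().replace("I", "l").lower()
    for lookalike, real in CONFUSABLES.items():
        s = s.replace(lookalike, real)
    return s


def site(host: str) -> str:
    """Last two labels of a host ('www.yourcompany.org' -> 'yourcompany.org').
    Good enough for a demo; multi-part public suffixes like co.uk need a suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def classify_sender(address: str) -> str:
    """'trusted' for a known-good domain, 'lookalike' if it only imitates one, else 'unknown'."""
    if "@" not in address:
        return "unknown"
    dom = address.rsplit("@", 1)[1].strip()
    if dom.lower() in KNOWN_GOOD_DOMAINS:
        return "trusted"
    # Compare the label before the TLD after collapsing lookalikes, so both a wrong TLD
    # ('yourcompany.net') and a homoglyph ('yourcornpany.org') are flagged.
    good_labels = {skeleton(d.split(".")[-2]) for d in KNOWN_GOOD_DOMAINS}
    if "." in dom and skeleton(dom.split(".")[-2]) in good_labels:
        return "lookalike"
    return "unknown"


def link_mismatch(visible_text: str, href: str) -> bool:
    """True when the link text names one site but the href points at another: the
    'hover over the link' check. False when the text is not URL-like (nothing to compare)."""
    m = URL_LIKE.fullmatch(visible_text.strip())
    if not m:
        return False
    target = urlparse(href).hostname or ""
    return site(m.group(1)) != site(target)
```

A mail gateway or a user-facing warning banner can call `classify_sender` on the From address and `link_mismatch` on each anchor; a “lookalike” or mismatch result is a reason to pause, not proof of an attack.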

There is no software that makes it impossible to trick people. Social engineering requires social solutions. Some companies have tried to create a technical fix with remarkable projects like Lojban, zero-knowledge proofs, and fancy blockchain apps. But, since the dawn of mankind and the invention of the rock, whenever two people can communicate, one of them can try to trick the other. And one of them might fall for it. You just have to stay alert. And if you start to lose faith in humanity, watch animal rescue videos.

Published by

I am a Security Risk Management Professional; one of my interests is also to help increase the number of women and BIPOC working in Cybersecurity.