Nowadays we pay a lot of attention to data protection. We use fingerprint identification on our phones and upper case letters and unusual symbols in our passwords. But is it enough? Hackers don’t just brute force your password anymore, they use more sophisticated ways of getting your data, namely social engineering. In order to be protected against it, you need to know what exactly it is and how it can affect your personal and professional life.
The term “social engineering” was popularized in the 90s by hacker Kevin Mitnick – although the concept, along with many of the techniques, was nothing new. Essentially, social engineering is all about gaining unauthorized access to data, systems or buildings by exploiting basic human psychology, as opposed to using technical hacking techniques or breaking in.
For example, rather than attempting to uncover a flaw in the system, a social engineer might choose to contact an employee while posing as a member of the IT department and attempt to convince them to divulge his password. Even with everything, including antivirus and firewall applications, in place to keep your data as secure as possible, a cunning social engineer has the ability to make his way around (or through) your system by deceiving the people who have access to it.
Social engineers think nothing of leveraging common human traits such as curiosity and fear. To do so, they might send out an email asking potential victims to click on a link in order to watch a video of themselves or carry out a tech support scam, telling the target that their device has been subject to a breach in order to gain access to said device. This practice is part of the umbrella term of phishing, which has spread beyond email to social media, apps and messaging services. In September of 2017, reports surfaced of emails sent to over 3,000 companies claiming to be from UPS. Supposedly offering shipping notifications, these emails invited the recipients to click on a seemingly innocent link to track a package sent to them. People who did were inadvertently installing malware in their devices, which could then be taken advantage by the criminals.
Phishing is getting more sophisticated
One way in which social media is used in phishing is through hackers and social engineers visiting sites like LinkedIn to gain intel on a company’s power structure and specific staff. This way, they can collect plenty of details that can be used in a targeted attack. In fact, once such details have been gathered, mechanically or manually, it becomes possible to personalize the attack to approach a specific person or small group of people rather than do it en masse, with random targets. This targeted type of attack is called a spear phishing attack.
Spear phishing is an advanced form of phishing where a specific individual or enterprise is being targeted through the use of what looks like insider information. For this, the attacker needs to have certain knowledge about the organization, including the way that it’s structured at the very top. One of the largest spear phishing incidents occurred in March of 2017. The Department of Justice revealed that a Lithuanian email account had acquired approximately $100 million from two tech companies.
Tech news sources including Fortune and CNET believe that Facebook and Google were the companies involved, but this information has not been made public. In the light of the perpetrator’s arrest, acting U.S. Attorney Joon H. Kim said that “This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cybercriminals. ”
More advanced threats
While many social engineering attacks target individuals for the purpose of acquiring their credit card details or personal data, for instance, phishing can have devastating consequences when targeting an organization. Often, such attacks constitute attempts to gain access to the infrastructure and systems of private companies and government bodies – even at a national infrastructure level. Good-meaning employees who are not aware of best practices against social engineering can put the organization at risk without realizing so by following malicious links in emails, giving criminals who pose as IT experts their passwords and more methods. This way, the employee inadvertently enables the distribution of malware inside a closed environment or provides access to secure, confidential data.
Social engineering is continually evolving and it’s important for both executives and employees to be kept up to date on the latest tricks in addition to ensuring everyone is aware of best practices.