When most people think of hackers, they envision hooded figures hunched over keyboards in dark rooms, typing furiously in some dense, unintelligible programming language. While that sinister image might make for great T.V., it isn’t exactly an accurate depiction of reality. And although it may seem counterintuitive, the perpetuation of that image is actually great for hackers… and bad for their victims.
That’s because the work of real hackers becomes much easier when people are only on the lookout for made-for-T.V.-movie villains. Some of the best hackers rely on charm, not technological expertise, to get what they want. And many don’t even need to use code to compromise your security. In the cyber security world, these types of tactics are referred to as “social engineering”; and they’re often the first and most effective tools that hackers will use.
These strategies leverage the power of human psychology to get you to offer up information willingly — effectively turning you into your own worst enemy.
According to Social Engineer, Inc., phishing accounts for 77% of all social-based security attacks. It’s such a pervasive tactic that you’ve probably already heard of it. But what exactly is phishing? Phishing is when a hacker poses as a legitimate entity in order to obtain sensitive information from a victim, or direct access to a device. This type of attack most often comes through e-mail. A hacker will send an e-mail posing as a legitimate entity (e.g. a bank, a company, a friend) and invite you to follow a link. Sometimes, clicking the link will install malware on your computer. In other instances, it will lead you to a fake login page and ask you to enter a username and password. These attacks rely on numbers to be effective. Hackers will send these deceptive e-mails out to thousands of individuals in hopes of getting maybe a hundred people to take the hook.
To ensure you aren’t one of those unlucky few, you should do two things: use an e-mail platform that has an effective spam filter, such as Gmail; and stay vigilant about e-mail attachments and links – regardless of the sender. With most e-mail clients, you can hover over a link with your cursor to see a URL before clicking it. Phishers will typically use a URL that’s similar to that of the institution they’re posing as. For example, a hacker posing as Bank of America might send a link to a fraudulent (a.k.a. “spoofed”) website at www.bankofamarica.com. In these cases, the hacker is relying on the fact that many people won’t notice the misspelling.
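The hover-and-inspect habit described above can be turned into a mechanical check. The following is an added example written for this article, not code from the original post or from BELAY: it pulls the hostname out of a link, compares it against a small allowlist of domains you actually use, and flags near-miss spellings (the “bankofamarica” trick) as well as trusted names buried inside a longer, unrelated host. The TRUSTED_DOMAINS allowlist and the sample links are constructed for illustration; the registered-domain logic is deliberately simplified and ignores multi-part suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains this reader genuinely does business with.
TRUSTED_DOMAINS = {"bankofamerica.com", "facebook.com", "gmail.com"}


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL ('' if none). Bare hosts are accepted."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Last two labels of a host, e.g. www.bankofamerica.com -> bankofamerica.com.
    Simplification: multi-part public suffixes (co.uk, com.au) are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Classify a link as 'trusted', 'lookalike', 'unknown' or 'invalid'.

    'lookalike' covers two spoofing patterns from the article's example:
      * a misspelt trusted domain (bankofamarica.com, within max_distance edits)
      * a trusted name used as a prefix of some other host
        (www.facebook.com.login-verify.example)
    """
    host = hostname_of(url)
    if not host:
        return "invalid"
    domain = registered_domain(host)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if t in host:                         # trusted name buried in a foreign host
            return "lookalike"
        if levenshtein(domain, t) <= max_distance:
            return "lookalike"
    return "unknown"


def looks_like_host(text: str) -> bool:
    """True when link text is itself a URL or bare hostname rather than a phrase."""
    t = text.strip()
    return "." in t and not any(c.isspace() for c in t)


def link_text_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one host but the real target is another.
    This is exactly what hovering over a link reveals; 'Click here' text is not checked."""
    if not looks_like_host(display_text):
        return False
    return hostname_of(display_text) != hostname_of(href)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an e-mail.
    samples = [
        "https://www.bankofamerica.com/login",
        "http://www.bankofamarica.com/login",
        "https://www.facebook.com.login-verify.example/",
        "https://example.org/free-movies",
    ]
    for s in samples:
        print(f"{classify_link(s):9s} {s}")
    print(link_text_mismatch("www.bankofamerica.com", "http://www.bankofamarica.com/login"))
```

The allowlist approach is intentionally conservative: anything that is neither on the list nor close to it is reported as unknown rather than safe, which is the right default for a link that arrived unsolicited.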
It’s important to note that, although most phishing is done via e-mail, hackers are increasingly using other avenues to ply their craft. For example, phishers will now place fake links on websites and in advertisements to dupe victims. A fake Facebook “like” button, for example, might route you to a spoofed Facebook URL and prompt you to enter your username and password. In this case, as always, you should defend yourself by checking a site’s URL before entering any sensitive information.
Spear phishing is essentially the same as regular phishing only more targeted. Rather than spamming e-mails to thousands of targets, hackers will select a specific, high-value individual or institution for an attack. Hackers will do extensive research on their target before developing their strategy, with social media often serving as their primary source of information. Because of that, it’s important to be mindful of what information you share on social media. Phone numbers, e-mail addresses, and similar details will make you vulnerable to attack. It’s also a good idea to adjust your social media privacy settings to make them more stringent. On Facebook, for example, you can adjust your settings so that only friends can see your full profile. Once you’ve done that, be cautious of friend requests and messages from strangers and suspicious profiles.
This method of social engineering, pretexting, is as old as civilization itself. The general idea is that the hacker will create a false scenario or context to get their target to act against their own best interest. These practices can range from posing as an internet technician and entering an office building, to posing as a bank representative over the phone. When people think about digital security, they usually don’t even consider someone physically accessing their computer. However, it remains a common mode of attack, especially against high-value targets such as corporations. Phone-based pretexting attacks are even more common. And they’re more effective than you’d think.
Just check out this video in which a social engineering expert demonstrates a basic phone-based attack.
The best way to defend against these vulnerabilities is to not give anyone the benefit of the doubt. Ensure that your business has clear and effective protocols in place for when and how visitors enter the office. It’s also a good idea to provide periodic retraining of those protocols to ensure that employees continue to uphold them. After all, your employees are human. Their kindness may lead them to make exceptions for someone with a compelling pretext.
For phone-based attacks, it’s important to know that you can’t trust caller ID. As demonstrated in the video above, hackers can now spoof phone numbers so that a different, legitimate number shows up on their target’s caller ID. The best way to defend against this is to ask the caller if you can call them back. If the phone number is legitimate (such as the phone number on the back of your credit card), and the call is legitimate, you will be able to reconnect.
Baiting relies on humanity’s inherent curiosity. In this approach, hackers simply place infected files or hardware in conspicuous places and wait for people to access them. Online, baiting often comes in the form of links advertising free movies or software. And when users click those links, they don’t get the latest summer blockbuster. Instead, they get malware or a request for login information for a different website (e.g. Facebook).
This same principle is also employed in the real world. For example, hackers will place a CD or USB drive in an office elevator, then wait for some curious employee to find it and use it. They’ll often label the device in a way to make it more appealing — something like, “Employee Payroll 2017”, for example. When the curious employee inserts the device into their computer, they unwittingly install malicious software, giving the hacker access to their computer, or possibly the entire network.
Some of the world’s best hackers rely on psychology, rather than technology, to game their victims. The common perception that hacking is purely technological leads people to ignore some of the largest vulnerabilities in cyber security. In order to protect yourself, and your business, it’s imperative that you recognize those vulnerabilities.
BELAY offers expert-level options for organizations looking for bookkeeping, content marketing and administrative support. To learn more about our virtual solutions, go here.