What in the World is Social Engineering?
In the way a magician uses timing and diversion to fool an audience, a cyber attacker can apply social engineering tactics to trick you into sharing sensitive data. Within the cyber security world, it is regarded as the art of human manipulation.The objectives of these criminals are to fool you in doing the following-
- opening an infected email attachment
- sharing passwords
- allowing a stranger into a physically secure area
- sending sensitive information
Technology alone can't stop these computer criminals from using various methods such as phone calls, text messages, emails, social media access, and physical presence from getting their hands on information they should not have access to.
Examples of Techniques
Suppose you get an important message from your bank. You are informed your bank account had expired and your account will be locked. You get a unique phone number to call in and update your account.
You make contact and have to endure an automated system series of personal questions to prove your identity.
In reality, this is not your bank. There is no genuine concern in determining who you say you are.
This is an automated attack by cyber criminals seeking to record and steal information such as-
- Birth date
- Credit Card or Banking information
- Home Address
- Phone Number
As I mentioned before, their goals is to steal your identity and financial information.
Such attacks can also be a more complex for the gullible.....
Advanced Social Engineering Attacks
How would you react if you received an email apparently from your boss? It is short and urgent. It informs you law enforcement is conducting a secret investigation of the workplace and some people may have to go to prison.
This email further states you will receive a phone call from your employer's legal team in a short time and you must answer any questions they ask.
Then you get a call from a cyber attacker pretending to be a lawyer!
In such instances the caller's objective is to trick you into giving up as much information about yourself as possible. They will create a sense or urgency, often through fear, intimidation, a crisis, or a crucial deadline. They may use confusing or technical terms to trick you into providing sensitive information.
What You Can Do
Spot these attacks before they happen.
In the above scenario, wouldn't it be odd if an email message from your employer or manager appears odd, call and contact them directly about the message. It's possible that his or her account was hacked.
There other things that can look out suspicious.
- The content of the email contains irregular grammar and spelling errors
- Tone of the message is questionable
- Hover cursor over any questionable link to display link's real origin.
- If you are on the phone with a highly questionable person, just hang up.
- Direct these matters to the help desk or computer informational team
Many years ago, when I was a Court Security Officer, I was having lunch with my superiors when I received a call from a Cyber Attacker warning me of an impending arrest warrant for me for failure to make my car payments (the caller didn't know I worked for the Sheriff Office).
At the time, I knew I had no existing car payments and the County Sheriff and other deputies were sitting near by eating, laughing, and talking sports.
I had fun with this caller as I pleaded for him to spare my life. I asked him if he could loan me the money to pay it and I would have my contractual killer friend deliver the money to him personally. My laughing frustrated this man to the point he hung up on me (I know I could've been more professional).
Make no mistake, your identity can be shared with a cyber attacker without your role in any of it. Take a look at this scenario that will blow your mind. This involves a customer service representative
sharing information about an account that could happen to anyone.
This takes no more than 30 seconds so brace yourself.
Quite diabolic isn't that?
As I studied this scene, the representative missed some cues-
- Where was the husband and why didn't she request to talk to him directly?
- Mom has an infant and an older daughter whom she is attempting to add to the account to make changes if needed? Talk about a disparity in age. How old is the older daughter mom? You trust her with what?? lol
- How is it possible mom and dad don't remember the email they used to sign up for the account?
- Initially, dad did not have mom on the account in the first place. What's up with that? Sorry, how do I know you two are not legally separated or something?
- Mom claims she can't receive the text because she is talking on the phone with the operator. Really???
By fooling this customer representative, the fake mom was able to do the following-
- Add herself to the account with a fake name and fake social security number
- Set up her own personal access to the victim's account
- Convince the support person to change the password, thus locking the real account holder out of his own account.
Social engineering is a diabolic trick and we must spot them before it happens. We can check our account activity on a regular basis while at the same time, taking initiatives not to disclose any personal data to those who should not have access to.
Technology alone cannot keep us safe and secure. We all have a responsibility in ensuring we are taking extra caution in our daily lives. We are the top defense against cyber attackers.
If you found this information helpful and useful, please susbcribe to my blog at the top. Every week I will be sharing the latest tips, news, and/or events in our cyber world.
Be safe and secure my friends!
Scattering the Seeds of Knowledge,
Ken Harris