Call it people hacking, call it spying, call it snooping. Call it whatever you like, but social engineering is a practice that has been going on for a long time. In an increasingly connected society, it is the most useful tool in a hacker’s arsenal. Rather than attacking software, it exploits human emotion and human error. The information it targets can be gained in a few short minutes and exploited in just a few seconds. Social engineering still remains one of the biggest security threats to this day, and here is why you should care.
The Art of Hacking People
Social engineering, by definition, is a non-technical kind of security attack. It relies heavily on human interaction, manipulation, and the exploitation of human emotion to get people to break security protocols and give out sensitive information. This can be anything from email addresses and phone numbers to more sensitive data like passwords and other account details. What makes social engineering unique is that it doesn’t involve any kind of compromise of systems. Once the damage is done, it is hard to trace back.
At the most fundamental level, social engineers are like the con artists of old, peddling whatever kind of human connection it takes to convince you to do something, or tell them something, you normally wouldn’t. Think of the travelling salesmen who sold bogus medicine to unsuspecting people and raked in the profits from how people feel when they think too much about illness and death. A social engineer is someone with amazing people skills and a very deceptive nature who can often exploit the human experience to their advantage.
Types of Social Engineering Attacks
Phishing: This is the most common type of social engineering attack. The goal of a phishing attack is to get you to open malicious links and enter your account credentials into a phony form that then sends this information to the attacker. Social engineers usually disguise these in emails that claim to be from services you use, and the emails often come cloaked in a sense of urgency that makes it seem important for you to click and follow the directions. Most recently, a phishing scam disguised as a Google Doc spread like wildfire through Gmail and compromised the credentials of thousands and thousands of accounts. On the positive side, most email clients and services do a better job these days of blocking potential phishing emails.
Baiting: This is very similar to a phishing attack, except that in the case of baiting a good or service is offered in exchange for the sensitive information. This is typically done with downloadable music and movies offered in exchange for logging in with something like Twitter, Facebook, or Google credentials. Another thing that makes baiting different from phishing is that it doesn’t have to rely on digital media. Infected USB drops are a form of baiting that relies on people’s general curiosity: they pick the USB drive up and plug it in to see what’s on it. In turn, the drive infects the host computer, usually with a keylogger, and credentials are harvested that way.
Quid Pro Quo: This is another kind of attack that has become more popular in recent months and years. With a quid pro quo attack, the attackers offer a benefit in exchange for information. This may sound familiar from the scam calls in which attackers promise to fix security and performance issues with Windows machines. This affects people in the private sector, but attackers also target companies in the hope of finding the one person who gives in and gives up information. In recent memory, this has become more of a scam than a targeted attack, as attackers simply run down lists of phone numbers, hoping and waiting.
Why Is Social Engineering Such a Threat?
What makes social engineering such a threat is that it relies not so much on technical knowledge as on people skills. When most people think about hackers, they think about script geeks with monster computer rigs, hiding out in the dark, jacked up on Red Bull, and typing away with fury. What most people wouldn’t say is that a hacker has “great people skills, excellent verbal communication, and a charming personality”. That is not what you would expect when you hear the term “hacker”, but in essence those skills are now very much what it takes to gain access to even simple sensitive information. Take this section of “Real Future: What Happens When You Dare Expert Hackers to Hack You” as a great example of how easy it can be.
What Can I Do to Protect Myself?
The first thing to do is the most obvious. NEVER give out confidential information about yourself unless you can 100% verify who it is you are talking to. If they can’t satisfy your questions to verify their identity, then you don’t need to be giving them your information. Second to that point: realize that real representatives of the companies you do business with will not ask you for a password over the phone. Ever.
Second is on the more technical side of things. Does this email seem too good to be true? It probably is, and you are best off avoiding the link. Can you access your account normally without having to go through what the email says? If you can, don’t click that link. A good line of thinking when a phishing email shows up is to check your account with that service directly, by typing the address yourself or using your own bookmark. If there is something actually wrong, your sign-in should tell you. But if you can sign in and there are no issues, you can safely assume the email is an attempt to hijack your credentials.
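The two checks above (does the link really go to the service, and is the message pushing urgency?) can be automated for a mailbox. The script below is an added example written for this article, not code from the original post: it pulls the links out of an email body, flags the common tricks a phishing link uses to look like a service you trust, and notes urgency language. The `TRUSTED_DOMAINS` set and the sample emails are constructed placeholders, not real data.

```python
import re
from urllib.parse import urlparse

# Constructed assumption: the registrable domains of services the reader actually uses.
TRUSTED_DOMAINS = {"google.com", "paypal.com", "github.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Phrases that manufacture the "sense of urgency" phishing emails rely on.
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|verify your account)\b",
    re.IGNORECASE,
)


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (enough for .com-style TLDs)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_link(url: str) -> list[str]:
    """Return the reasons a link looks suspicious; an empty list means it passed."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host (possible lookalike characters)")
    if "@" in parsed.netloc:
        reasons.append("user@host trick hides the real destination")
    if parsed.scheme.lower() != "https":
        reasons.append("not HTTPS")
    trusted_registrable = {registrable_domain(d) for d in TRUSTED_DOMAINS}
    if registrable_domain(host) not in trusted_registrable:
        # A trusted brand name inside a hostname that is NOT that brand's domain,
        # e.g. paypal.com.account-verify.example, is the classic lookalike.
        for brand in (d.split(".")[0] for d in TRUSTED_DOMAINS):
            if brand in host:
                reasons.append(
                    f"'{brand}' appears in host but domain is {registrable_domain(host)}"
                )
                break
    return reasons


def analyze_email(text: str) -> dict:
    """Scan an email body: urgency language plus a verdict for every link in it."""
    links = {url: analyze_link(url) for url in URL_RE.findall(text)}
    urgency = bool(URGENCY_RE.search(text))
    return {
        "urgency": urgency,
        "links": links,
        "suspicious": urgency or any(links.values()),
    }


# Constructed sample messages (not real email).
PHISH = """Subject: Urgent: your account will be suspended

Your account has been limited. Verify your account immediately:
http://paypal.com.account-verify.example/login?user=you
"""
BENIGN = "Hi, here are the meeting notes: https://github.com/example/notes"

if __name__ == "__main__":
    for label, body in (("phish", PHISH), ("benign", BENIGN)):
        print(label, analyze_email(body))
```

The verdict is deliberately conservative: a single trusted-brand lookalike, a plain-HTTP link, or urgency wording is enough to mark the message for the "sign in directly, don't click" treatment described above. The domain logic is naive (two labels) and would need a public-suffix list for country-code TLDs, which is why the trusted set is a stated assumption.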
Do NOT, under any circumstances, allow USB access to your device from anyone you don’t know, or from any device you can’t verify as yours. USB attacks are becoming more deceptive. Often, having the latest security update on your device doesn’t mean the attack can be stopped. Do not trust people to just hand you a USB device and ask you to print something off, open a file, or install a program. Without being able to verify the legitimacy of the device, it can be a hazard.
Social engineering, as stated before, is not a new tactic, but it remains one of the most successful tools in a hacker’s arsenal. Recognizing the threat and combating social engineering attacks are imperative to defense. Simple and effective vigilance can often be the difference between keeping your information secure and losing your information, and possibly a lot more.