When I say the term hacker, most people immediately picture an anti-social, loner, squirreled away in some dark basement, deploying a brute force attack on a corporate network. It’s actually surprising how few attacks are executed in this way. Only three percent of hacks involve malware and 97 percent use social engineering. Social engineering hacks infiltrate computer systems by preying on vulnerabilities inherent in human psychology. Greed, fear and the need to help people typically fuel these attacks. Social engineering hacks are similar to offline scams that a confidence man would run. Think Frank Abagnale in the movie ‘Catch Me If You Can.’
There are a few hallmarks to social engineering hacks. They tend to be well researched since the hacker needs to know as much about their victim as they can. These hackers tend to be quick on their feet, able to improvise as the situation dictates.
Let’s look at a few common forms of social engineering hacks and what can be done to prevent them.
Phishing
I’m sure everyone has received a suspicious-looking email supposedly from a well-known company (Bank of America, Apple, Google, etc). Phishing schemes reach out with an urgent issue that needs attention like an overdrawn bank account or someone logged into your account from Russia. The goal is to get you to log in to resolve the issue, but the link goes to a fake sign-in screen tagged with all the recognizable corporate branding. This page runs off a server the hacker controls. Upon login, they harvest your credentials, allowing them to access your account to do real harm. This attack isn’t necessarily isolated to email. It could also come via SMS (smishing) or through social media. Phishing attacks are the most popular type of social engineering hack. Proofpoint found that 83 percent of companies experienced a phishing attack last year.
Phishing comes in a few different flavors. The most common method is to spray out thousands of emails in hopes of snagging a handful of recipients. Spear phishing is a more targeted email send, hitting up employees of a particular company. In the age of social media, its painfully simple to corral everyone working at a company through a LinkedIn search. With that list, the hacker can send highly targeted emails tailored to those associates. Whaling is a variation on this theme where the hacker focuses on C-level executives to gain access to high-level information at their disposal.
Phishing in real life
Probably the most high profile phishing hack of late came in the lead up to the 2016 presidential election. Hillary Clinton’s campaign manager, John Podesta, clicked on link to access his Gmail account and exposed lots of internal campaign data that may have played a role in swinging the presidential race for Donald Trump.
Tailgating
We’ve all been there. You were scrambling to get out the door this morning, and you left your key card sitting on the kitchen island. At the office, you patiently wait for the next kind soul to let you into the building. Hackers know this trick too and exploit that kindness to access restricted areas they have no business being in. This breach probably wouldn’t be possible in a small business environment where everyone knows one another, but with large companies, it can be easy to pass yourself off as the new guy in marketing. Usually, hackers will do their research to construct a plausible backstory and may even hit up the local Goodwill to snag a company-branded Polo shirt to really sell it.
Baiting
Baiting offers something of value to the victim that facilitates the hack. The best example is a USB drive left in an area where an employee will find it. It gets picked up and eventually gets plugged into the corporate network. That drive contains malware on it that gets installed the second it is inserted. This allows the hacker to take over the user’s machine and gain access to the corporate network.
Baiting in real life
Like something out of a James Bond movie, U.S. and Isreali intelligence agencies teamed up to create a computer worm that has come to be known as Stuxnet. The worm was created to interact with the programming logic controllers of centrifuges used in the enrichment of uranium. To infiltrate the Iranian nuclear compound, a USB drive was brought into the facility by an unknowing actor. Once it was plugged into the computer network, the worm was let loose on the centrifuges, causing them to run too fast and too long, damaging the equipment. This went on for years undetected.
Pretexting
We are hardwired to obey authority figures and automatically assign trust to those we know. This conditioning provides a juicy opening for hackers to exploit. Someone may call as an IT representative needing access to your machine to install software updates. Likewise, the hacker might pose as someone you know, asking leading questions to cement that trust.
Pretexting in real life
A couple years ago, my grandmother was greeted with a call saying, “Hi grandma.” Since she has four male grandchildren, the caller’s voice must have fit closest to mine so she replied, “Mark?” He replied, “Yes, its Mark. I’m traveling through Europe, and I’ve been arrested for possession of marijuana. I need $1000 to spring myself from jail. Can you wire it to me?” After thinking it over, she said that I (hacker impersonator) should call my mother for help in which he replied, “Oh, she’d be so disappointed. I don’t want to bother her with this. Can you please help me? I really need to get out of here.” Thankfully, she stuck to her guns and said no, but you can see how this rouse could pay off in a big way for the hacker. The elderly, who are less tech-savvy, are especially ripe candidates for this deception.
It’s helpful to know what a social engineering hack looks like, but it means little unless you are taking steps to actively prevent them. A few key measures in the prevention fight include:
Security training
Humans will always be the weakest link in the security chain. Awareness is the best weapon to combat social engineering hackers. With a healthy dose of regular training, employees can learn to recognize the signs of a social engineering attack in the making. While the entire business organization should be trained to recognize these hacks, certain departments should be given special focus — those who are customer-facing like customer service, employees dealing directly with bank accounts in finance and accounting, and upper management. Training should be more frequent for these groups to highlight new social engineering hacks that are being seen out in the wild as well as to keep it fresh in their minds.
Test your defenses
Putting your employees through training isn’t enough. You need to test your protocol to ensure hackers are actually getting stopped at the door — physical or virtual. Hiring an outside penetration testing firm to run your security preparation through the paces is ideal since a third party can often bring to light issues that may have fallen into the companies’ blind spot.
Strong passwords & multi-factor authentication
A study by Prempt found that less than 19 percent of corporate users used poor quality or shared passwords. It isn’t hard for a hacker to infiltrate an account using the word “password” or “123456789” as the password. This can be especially dangerous for those with elevated privileges, allowing a hacker to do a lot of damage.
In addition to enforcing strong passwords, turn on multi-factor authentication. A hard token is the ideal approach for MFA since you know the individual should have the hardware device on them. The more common text message isn’t as secure, but it certainly beats not having MFA at all. Consider this your minimum line of defense.
Always do regular backups
It should go without saying, but make sure you are backing up all data that is critical to daily business operations. If a malware or ransomware attack renders your network useless, backups can help you get running again. Don’t just create the backups, but also restore them and formulate a plan for how you would effectively recover if your network was suddenly crippled by an attack.
Cyberedge found that 79 percent of social engineering hacks were successful in 2017. This number has steadily grown year-over-year. It was also found that 17 percent of participants were tricked into taking an action which would have compromised the user’s workstation and potentially the network as a whole. These hacks are very effective, and cyber criminals will continue to deploy them as long as the payoff remains high.
You’ll never be able to stop social engineering attacks, but you can take steps to neuter them. Don’t make your company an easy target by growing complacent in your corporate security practices.