Of all the services we offer at BHIS, Social Engineering is the most interesting to me. It’s something (and quite possibly the only thing) I completely understand and feel I am fully capable of doing. I also know that it’s one of the more difficult and uncomfortable things our testers do. This is a good thing, to me it means we are employing honest, good people who hate lying in order to succeed. However, they manage, and are good at it.
So, what exactly is social engineering?
It refers to psychological manipulation to get people to do things and give away sensitive information to gain access to a network or computer system. It’s usually just a portion of a larger con/attack on an individual or company. It is much like phishing, which attempts to get sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. But while phishing might be another part of the overall attack, social engineering also includes hacking for information via phone, or even sometimes in person. Social engineering is used to execute hacking techniques and phishing scams by exploiting our inherent helpfulness, kindness, naivety and gullibility. We’re so sneaky.
How does it work?
One of the more memorable examples of social engineering I’ve seen is this:
In this video, a hacker plays the sound of a baby crying and then calls a cell phone company in order to gain access to a total stranger’s account. Because she pretends to be the stranger’s newly married wife, has a crying baby, and acts fairly upset, the cell phone company not only gives her access to the email on the account but also allows her to change the guy’s password, so now, he can’t even gain access to his account. With that information, she can now go into his account online and see all his personal account information. Let’s face it, a lot of us keep some very personal information on our phones. She had access to his pictures, account info, location and more, probably long before he even realizes she has it.
Penetration testers employ these methods, without the malicious intent, to show a company how devastating these attacks can be. Our testers are hired by those companies to test how difficult it would be to gain access to their organization or personnel via social engineering.
So, just how hard is it to be resistant to these sort of attacks? There are literally thousands of variations to social engineering attacks.
Here are some ways to prevent falling victim to social engineering: Most criminals exploit human kindness, use distractions and questions or pretend to be in the service industry.
9 Ways to Avoid Social Engineering
1.) Be suspicious of any unsolicited messages or service personnel.
If the email/phone call/person looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company. It is very simple to come up with a badge or false ID, so, don’t be fooled by someone who “looks” legit. (We’ve had customers so spun up and paranoid in the face of our penetration testing that even emails from employees in BHIS were double checked against known personnel – we applaud their security efforts!)
2.) Slow down.
Pay attention to your surroundings. Scammers want you to act first and think later. If someone is conveying a sense of urgency, or uses high-pressure sales tactics be skeptical; never let their urgency influence your careful review.
3.) Reject requests for help or offers of help.
Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, check your printer, look for termites etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it.
4.) Delete or ignore any request for financial information or passwords.
If you get asked to reply to a message with personal information, it’s a scam.
5.) Don’t provide information.
Don’t provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. Even mundane things can add fuel to the fire. Another good example of this is when you call a bank (or other important organization) and they verify your address by asking you, “Do you still live at 123 Road Street, Anytown?” Ka-ching!
6.) Don’t send sensitive information over the Internet before checking a website’s security.
Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
7.) Don’t overshare on social media.
Sharing too much information on social media can enable attackers to guess passwords or extract a person’s or a company’s confidential information through posts by employees. Plus it gives someone more ammunition to use when they attempt to get more personal details. If I can find out someone is on maternity leave, I can manufacture all kinds of other details to make my social engineering attack seem even more legitimate.
8.) Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic online.
9.) Be Careful Whom You Trust
This seems really obvious, but after helping and seeing my co-workers do social engineering, I’ve learned even more so that people are inherently trusting and helpful. They are ready to believe everything you tell them. This speaks well to people, but is scary when I realize I’m the same way. Practice kind helpfulness without automatically trusting someone completely.
These tips will work for both business and personal areas of life. The fact is, people need to be trained – according to digitalguardian.com PEOPLE are the weakest link in any security application.
Companies should employ, at minimum, a bi-annual training geared towards each user group (end-users, IT staff, managers, etc.) so that everyone is aware of the latest attacks. Afterall, these attacks aren’t using “technical” employees, but any employees. Hackers understand that the weakest link is the person with the least amount of education and training.
Employees should also be tested by having an outside party (like the awesome testers at BHIS), conduct a social engineering test. These kinds of tests help keep the employee on their toes and more likely to avoid the attacks in their business and personal lives.
Be safe out there!