The days of only using firewalls and antivirus software as protection against hacking are over. Hackers are getting more creative with how they plan their attacks. The newest trend hitting top organizations like Sony, Yahoo, and even the US Government is called Social Engineering. Social Engineering is when hackers use emotionally manipulating strategies to gain access to confidential information. This can be in the form of an email, call or even website link.
This is an important topic to discuss during cyber security month as these threats are targeting all levels of companies and customer service employees are on the list! Hackers prey on sales and customer service employees knowing they will go above and beyond to support the client. They may disguise themselves as a current customer and build rapport to gain personal information or ask the representative to stay on the line while they email a hazardous link and ask them to click on it for assistance. Once you have taken the action they hoped for, their mission is complete, and your organizations security is compromised.
Social Engineering Methods
These have become so popular that a 2017 study showed 88% of hackers use social engineering in their cyber-attacks. The best way to avoid falling victim is to stay informed and always be on guard for the following:
Phishing emails look like a trusted source and are typically asking you to take an action. Popular phishing scams appear to come from a trusted source like a bank or client. They will even have a company logo to appear legitimate. Some include urgent call to actions, like a billing mistake, document drop box, or account verification.
- Watering hole
This is when hackers embed malware in a trusted, often visited website. A recent example of this is the 2013 Department of Labor attack that allowed hackers to embed links redirecting visitors to a malicious website.
- Whaling attack
This scam is designed to look like a legitimate email that is targeted towards upper level management. These might be asking for payment or information that seems to be critical and time sensitive.
Pretexting is where attackers fabricate a scenario to try and steal their victim's personal information. Hackers will often present themselves as someone else trying to obtain information. The key to the attacker's success lies in their ability to build trust with the individual providing the information.
These attacks prey on human curiosity and promise something that hackers use to deceive the victims. Examples of these may be offering free downloads for songs, movies or other goods in exchange for information.
What can you do to prevent being a victim?
- Avoid clicking links and downloading attachments. Even if there is a trusted source sending an attachment, kindly reply and ask them to send you a screen shot or the message in the body of an email.
- Watch out for oddly phrased wording, misspelled words, names.
- Move your mouse over the link (be careful not to click), if the link appears to be large and have jumbled letters it's probably spam.
- Delete any scam emails and if you accidentally click or reply, report it immediately to your IS department.
- Always verify the customer on the phone, never give out a customer's information if you cannot verify who they are.
- Attend Learning Tree Social Engineering Training: Deceptions and Defenses
- When in doubt, ask IS - trust your gut, if something seems "Phishy" it probably is.
For more information on how to defend yourself and your organization against Social Engineering, please check out a few of our resources below:
Introduction to Cyber Security - a Starter Guide
Cyber Security Risk Assessment Training
Securing Web Applications, Services, and Servers Training
Cyber Security Training