So, before you think I'm about to embark down some dark path of political rants, I can assure you I have no interest nor desire to do so. Instead, as 2019 comes to an end, I thought it best to embark instead down a path of education as it pertains to a very real, and very prominent cyber security threat: Social Engineering.
Needless to say, we are all creatures of habit. And collectively as a global society we are used to habits, social cues, and everyday common interactions that for the most part govern our days. This is where the concept of Social Engineering rears its ugly head—a collection of tricks and tools that the bad guys use to take advantage of good people and companies.
As a primary example, there is Quid Pro Quo. And again, though that phrase seems to have been made popular in US news cycles of late, this is altogether different. In a Quid Pro Quo scenario, the scam involves a trade of some sort—one that appears as something mutually beneficial.
The best example is that of receiving a call for tech support. By now, I'm sure you have received at least one call from the "Microsoft Support Team" claiming your PC is infected and must be fixed. The Quid Pro Quo here is the handing over of controls to the stranger on the phone in hopes that person will fix the supposed issue. The best advice here: tech support, unless it’s someone calling from within your own organization, usually does not reach out to anyone. Ignore these scams by hanging up.
Another example of Social Engineering is something referred to as Vishing (the voice version of Phishing). With Vishing, bad guys will pose as a coworker and call a target to ask for login credentials or other information that should never be shared.
Vishing can come in two types: first, there are one-off scams known as Hunting, where a perpetrator will try to get as much information as possible in one shot. Second, there are the scams that take place over several interactions, referred to as Farming. In either case, it’s safe to say that one should never give away any details to strangers, either on the phone or otherwise.
Another prime example is that of Pretexting. This one is simple but, unfortunately, effective. It's a ploy that gets you to interact with an email, usually built around an invented story such as an inheritance or a beneficiary notice. The victim, to receive what has supposedly been left to them, must give personal information to "verify" the transaction.
An all too common Social Engineering scam is Email Hacking and Contact Spamming. This one is extremely common in that hackers will simply break into and commandeer someone’s email account to then spam that person’s contacts. Because the sender's email address is familiar, the chances of people falling for the scam increase dramatically.
The best way to avoid these is to be critical of things such as grammar, sentence style, and so on—if it sounds like your friend has partaken in too much holiday cheer, then it's probably a scam. Additionally, look at links or attachments that may be out of the ordinary. If it's not something your contact would usually send, pick up the phone and call them directly at the number you have in your files to ask if it's really them.
And, as a last example, there is a scam called Baiting. The best example of this one is that a hacker will place some nefarious code on a USB drive and leave it in a public place (usually outside an office building on a bench, table, etc.). To use the USB drive as bait, they will label it with something like "Bonuses" or "CEO Salary Files," or something else that will get a person’s curiosity piqued. Of course, the moment it's plugged in, the code runs and infects that device and, from there, the network. The best advice here: if curiosity killed the proverbial cat, don't be a curious cat.
Social Engineering is a terrible thing—a way for the bad guys to prey on the trusting nature of good people. The best defense is to educate yourself, use common sense, channel your inner Sherlock Holmes, and find a sidekick to help you identify the crime before it happens.