What is Social Engineering?
It is often thought that Viruses and Malware are the biggest threats to your personal information, but there is an even greater threat that often goes undetected. Social Engineering is a technique used by people to gather your personal or secure information without you even thinking twice about giving it away. Social Engineering is most often performed over the phone, but could just as easily be done via email, text messaging, or any other form of communication; you can be Social Engineered by anyone.
In the most basic form, Social Engineering is when someone poses as someone else (e.g. a trusted friend or colleague) to trick you into divulging sensitive information. “Hey, this is PayPal, please follow this link and re-enter all your banking details — it’s OK, really!”
With a threat this large how do you protect yourself?
The easiest way to protect yourself from becoming a victim is to verify to whom you are speaking before revealing any information – don’t make assumptions! This may seem like standard operating procedure for most, but be especially vigilant if you don’t immediately recognize who the request is coming from. Try not to reveal any of your own or your customers’ personal information including name, address, phone number, account number, or any similar information. Revealing a name to someone may seem harmless, but if someone were to combine the name you provided them with an address, they may be able to contact your customer. This is the main idea behind Social Engineering. If you don’t think you gave out any personal information, why would you ever report the “security breach” to anyone?
People performing Social Engineering can be clever — getting one piece of information from one person, calling back and talking to someone else and getting more information. Each piece gives them more “power” and makes them seem more legitimate. However, by getting only a small bit at a time, they are better able to stay under the radar.
By having strict security policies and being “paranoid” you can avoid a security breach. Verify all transactions and requests, and if there is any doubt don’t release any information. This is especially true when dealing with email. When email was originally designed security wasn’t a concern at all; as such, it is easy to forge email in many situations. In a sense you must act as your own personal Firewall, filtering and verifying all requests by hand.
There are many different kinds of Social Engineering tactics, but one of the more common ones is called “Phishing”.
Phishing is when someone sends you an email, usually with a link, to a bogus web site pretending to be an actual site that you might access. For example, you receive an email from your bank indicating that they have recently experienced a security breach. They would like you to go to their website and log into your account to change your password. They provide you with a link to their site that may, on the surface, look like it points to your bank. You proceed to click on the link and are taken to a site that looks exactly like your bank’s site and proceed to log in. Your login fails, but the false site now knows your username and password. You are then redirected to your actual bank web site where you re-try your login and it works. You just assume you mistyped something and go about your business. However, your bank account has now been compromised!
This is a form of Social Engineering where the scammer makes you think the request is legitimate and steals your information without you thinking twice. The best way to protect yourself from this type of attack is to verify the link before clicking on it.
- When hovering over a link, most email programs and web browsers will show the actual destination; if it differs from the location you are trying to access do not click on it – STOP!
- Instead of following the link, go to the desired web site directly by typing in its address or using your bookmarks. Be very wary of clicking on links in email messages.
- When logging into the site, check if the page is secure (protected by SSL — the address will start with “https”, e.g. https://luxsci.com is secure, but http://luxsci.com is not).
- If the page is not secure and it should be … STOP!
- If the page is secure, is your web browser popping up security warnings? If so, STOP!
- No security warnings? Is the certificate issued to the proper company? If you visit https://luxsci.com, you will see that the security certificate is issued to “Lux Scientiae, Incorporated” — it says so right in the address bar. This is because LuxSci has an “Extended Validation” security certificate to make it easy for its visitors to know if they are at LuxSci’s site. If you are connecting to your Bank and the Bank’s name is no longer there in “green letters” … STOP!
- You could also call your bank and verify the email.
- Many web browsers now also have built in “phishing” detection — be sure you have this turned on.
Phishing in this form is widely employed for general personal information gathering; however, another tactic called “Spear Phishing” is being more commonly used for targeted attacks.
Spear Phishing sounds similar to Phishing, and while it is similar, it has one major difference. Spear Phishing messages, unlike regular Phishing messages, usually appear to be sent by a specific trusted individual.
An example of the difference would be a scam email being sent from an employee at a company rather than an email being sent directly from the company. It is also usually sent only to a small number of people instead of to a large number of targets, as is with regular Phishing. This method of attack attempts to gain your trust by getting you to relate to the person writing the email. Also, by targeting a small group with specific details included, it prevents the messages from being recognized as obvious spam or fraud.
For example, a fraudster could research a company and find out:
- The names and email addresses of some of the management (this is usually published on web sites)
- The projects they or the company is working on, including some of the lingo and abbreviations used. (This is also usually published on the web site).
Then the fraudster could construct email messages forged to appear to be from specific management individuals, referring to specific projects using company lingo and asking for certain things. The better the fraudster can compose this message to “sound” right, the more likely the recipients are to “just believe it” and do what it says without looking too closely (e.g. replying and not noticing the funny reply-to address, etc.)
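The "funny reply-to address" is something a mail filter or a careful recipient can check mechanically. The following is an added example, not code from the original article: it compares the Reply-To domain with the From domain and, going slightly beyond the text, also flags domains that are a near-miss spelling of a domain you know. The message, names and domains are constructed placeholders, and `reply_path_warnings` is a hypothetical helper name.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message); every name and domain is a placeholder.
SAMPLE = (
    'From: "Pat Manager" <pat.manager@corp-example.test>\n'
    'Reply-To: "Pat Manager" <pat.manager@corp-examp1e.test>\n'
    'To: staff@corp-example.test\n'
    'Subject: Need the vendor list today\n'
    '\n'
    'Please reply with the file.\n'
)

def domain_of(header_value):
    """Lowercased domain of the address in a From/Reply-To header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-identical lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def reply_path_warnings(raw_message, known_domains):
    """List reasons a reply to this message may not reach the apparent sender."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    warnings = []
    # Replies silently go to a different domain than the one displayed.
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"replies go to {reply_dom}, not {from_dom}")
    # A domain one or two characters away from a known one is a likely imitation.
    for dom in sorted({from_dom, reply_dom} - {""}):
        for known in sorted(known_domains):
            if dom != known and edit_distance(dom, known) <= 2:
                warnings.append(f"{dom} imitates {known}")
    return warnings
```

An empty result only means the reply path looks consistent; because the From header itself can be forged, unusual requests still call for verification over another channel.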
Beyond general security issues, such as companies like Sony getting hacked, Spear Phishing is the latest and largest targeted threat to your security in recent years. It is quickly gaining momentum and you can expect to hear about more attacks in the coming months. As with any online security threat, your best protection is to:
- Verify who the request is coming from before providing information.
- Be paranoid and look for any request that is “out of the ordinary”.
- Implement systems for better validating requests (i.e. digitally signed or encrypted email or messaging solutions, closed communications systems, etc).
Sometimes it may seem easier to just reply to the email to ask for verification, but with Spear Phishing it may be a good idea to attempt to contact the sender over the phone, if possible.