There are plenty of changes happening in the world as we contend with the COVID-19 virus. In many cases, business activities, people, and communications are moving from the physical world to online. Unfortunately, that includes hackers. More than ever, it’s important to be aware of social engineering techniques and how to spot them.
What is Social Engineering?
In the world of cybersecurity, we often think of hackers as people typing out strings of complex code to find sneaky ways into our accounts from the backend of our computers. But an equally vicious type of cyberattack is known as social engineering, and it targets people rather than technology.
There are a few different types of social engineering attacks. One of the most common forms is known as a phishing attack, which aims to manipulate people into revealing sensitive information. Spear phishing is a more targeted form of phishing wherein the hacker goes to great lengths to obtain information that makes their attack appear more trustworthy (such as using the name of a victim’s colleague in their email signature).
Other types of attacks include:
- Tailgating, which is when an attacker gets help from an authorized source to gain access to a system (for example, an employee or former employee)
- Baiting, which involves leaving a link or hardware device in a place that piques someone’s curiosity
- Quid pro quo, which often involves a hacker impersonating someone trustworthy, like a technical support rep, and manipulating a victim into installing remote access tools (RATs)
Social engineering tactics committed against individuals are usually geared towards identity theft, while attacks on businesses tend to be more directly financially targeted.
How Social Engineering Tactics Play On Your Emotions
When hackers manipulate people, they most often use emotional stimulation to push their victims into action. Understanding the emotions they play on can help you recognize a potential scam.
Right now, fear is already on the rise. News about the pandemic is creating feelings of chaos and stress for a lot of people and businesses, which makes it the perfect opportunity for hackers to capitalize on that fear.
Hackers using social engineering rely most heavily on fear because it’s such an effective motivator. Their messages may threaten legal or police action, the release of personal or sensitive information (which the hacker may or may not have), or the loss of something, such as account access.
Trust is a powerful tool in the hands of an attacker. Many attacks involve someone impersonating a person or entity that the victim instinctively trusts, such as a service provider, government agency, or even someone they know.
Another emotion hackers use to gain access to your data is excitement. Although they’re less effective, these types of strategies offer a prize, usually in the form of money, trips, coupons or free items.
You know what they say… Curiosity killed the cat. It’s also killed more than a few good cybersecurity plans. One example of how attackers play on curiosity is physical baiting, which involves leaving an infected device like a USB drive in a public place with the hope that someone will pick it up and connect it to a computer.
3 Warning Signs of Social Engineering
Requests for Sensitive Information
Phishing requests sent via email, text and phone calls will often ask outright for a person to click a link that requests a login; however, they may also ask more directly for financial details such as credit card numbers or banking information, or for personal information such as social security numbers or account login credentials.
Something Too Good (or Bad) to Be True
Many attacks hinge on alleged winnings or personal threats. It’s important for everyone in the organization to be comfortable with reporting instances of social engineering so you can share information within your organization and with your IT professional to defend against future attacks.
Someone Who Claims to Be a Trusted Professional
When it comes to quid pro quo attacks, the best defence is having a list of your trusted professionals (including banking contacts, managed IT service providers, accountants, etc.) and their contact information, including names, phone numbers, employee/representative number, and emails. Employees can check these credentials before giving out information, and if they aren’t sure, they can contact a manager or supervisor for confirmation.
Don’t Take a Risk; Ask a Professional IT Consultant in Edmonton
Although it’s not always the case, your intuition will often tell you when an email, text, phone call, or inquiry doesn’t make sense. In these situations, it’s best to have a professional double-check just to be sure. Your Edmonton IT company can provide you with advice, systems and security measures to prevent and deal with attacks, including biometric monitoring and employee training.
Being prepared by having policies in place is one of the best ways to protect your business. At Alt-Tech, we’re committed to providing business owners with cybersecurity training in Edmonton. Alongside other Edmonton service providers, we’ve sponsored a new initiative called Secure Edmonton. This is a free employee training program focused on cybersecurity in Edmonton for small and medium-sized businesses. Bring your employees for a great session involving Q&A with our experts.