The Psychology of Cyber Crime: Critical Warning Signs of a Social Engineering Threat | Secure Cloud Backup Software | Nordic Backup

Hackers and cyber criminals are a clever bunch, always adapting their approaches and fine-tuning their attacks. As firewalls go up and cyber defenses are shored up, computer-savvy criminals redouble their efforts, focusing on the weakest link in the chain to continue their nefarious ways.

In many cases, that weak link is not in your computer; it is between your ears. By harnessing human psychology and turning it into a weapon, cyber criminals trick their victims into revealing information they should not, resulting in millions of dollars of losses for the corporate world and millions of lost files for ordinary users.

This psychological approach to cyber crime is known as social engineering, and it is a growing problem. Even as IT managers and corporate network designers get a handle on other types of weaknesses, controlling the psychology of employees has proven to be a much harder problem. That means knowledge is the best defense, and that starts with recognizing these telltale signs of social engineering.

The Communication Appears to Be from a Trusted Source
What makes social engineering so successful, and so uniquely dangerous, is that the communication appears to come from a trusted source. Sometimes the entity on the other end masquerades as a representative from your brokerage firm. In other cases the communication appears to come from your bank or payment provider.

In still other cases, the person on the other end of the social engineering attack pretends to be a work colleague, or even a direct supervisor or executive. If you receive such a communication, taking a few minutes to verify its authenticity could save you a lot of trouble.

It only takes a minute to pick up the phone and verify the email communication. At worst you will have wasted a bit of time. At best, you will have saved yourself, and your employer, countless hours of recovery time and untold monetary losses.

A Request for Information the Requestor Should Already Have
The entire goal of a social engineering attack is to gain information that can be used to steal your identity, compromise your login information or appropriate trade secrets from your employer. And while traditional hacking aims to take these things by brute technological force, social engineering uses a softer approach.

In a social engineering attack, the scammer will ask for this key information, often posing as a trusted contact like a banker, broker or work colleague. Before you give out any personal or business information, ask yourself why the person on the other end does not already have it.

Your bank, for instance, already has your Social Security number; otherwise they would not have been able to open the account or issue any tax forms. The same goes for brokerage firms and other financial institutions; requests for Social Security numbers or similar information should always be viewed through a suspicious lens.

You Are Asked for Your Username or Password
The entire goal of social engineering is to compromise your private information, and the username-password combination is the holy grail of a successful cyber attack. You should always be suspicious when asked for your username or password, as there are seldom legitimate reasons for such a request.

Once again, think about the information the supposed caller or emailer would already have. From your corporate IT department to the customer service representative at Amazon, these folks already know your username, even if they do not have access to your encrypted password.

Software Install Requests
Social engineering is a two-step process, and both steps are required for the cyber attack to succeed. First the social engineer contacts the victim, tricking them into taking action, but the second step is where the bulk of the damage takes place.

Once the attacker has gained the victim’s trust, the attacker may ask for control of the victim’s device, supposedly to offer tech support or solve a problem. Or the attacker may send a software installation request, asking the victim to install a special piece of software on their computer, smartphone or tablet.

The real damage begins once the malicious software has been installed, and once that is done the results can be difficult or even impossible to undo. The malicious software package may scour the hard drive in search of passwords, bank account information or other sensitive data. It may encrypt the data on the drive and hold it for ransom, or it may steal trade secrets and send them to a competitor.

It is best to view any software installation requests with suspicion. While there are sometimes legitimate reasons to install third-party software, it is vitally important to verify the request before taking any action.

Cyber crime is a growing problem, one that is not going away any time soon. Even as IT departments work to shore up their cyber defenses and prevent attacks, hackers are looking beyond the software and focusing on the weaknesses of human psychology instead. Social engineering could be the real threat of the 21st century, and fighting it starts with recognizing its warning signs.
