When it comes to cybersecurity, humans are often the weakest link. Unlike (some) machines, humans are inherently fallible: they have cognitive biases, they make unpredictable mistakes, and they aren’t always able to tell a lie from the truth.
Social engineering is one of the most effective means of cyber attack, and it’s particularly popular among cyber criminals because it exploits these human weaknesses rather than technical flaws. Attackers use social engineering to manipulate people into disclosing confidential information, or into taking actions that benefit the attacker, such as transferring money or installing software.
Cyber criminals have developed a range of attack techniques and commonly operate online, offline, and over the phone. In this post, we will provide an overview of these techniques, and a few tips on how to recognize them and make sure your data doesn’t fall into the wrong hands.
By reading this article, you’ll notice that whoever coined some of the most popular social engineering terms must have really been into catching fish (see also below: baiting). The term “phishing” is a metaphorical spin on “fishing”: the attacker casts a digital “lure” and hopes that someone out there will “bite” by sharing sensitive information or downloading malware.
There is a broad range of phishing emails out there, with varying degrees of sophistication. The simpler ones are low-effort and often written in poor English, which may be a deliberate filter that only the most credulous recipients get past. The cleverest are quite complex, imitating almost perfectly the design and writing style of legitimate organizations, down to the sender’s display name.
A more refined version of phishing is “spear phishing” (of course!), used by criminals looking to obtain specific information by sending highly targeted, customized emails. This technique is particularly effective because attackers research their targets in advance to understand their role, contacts and weaknesses; click-through rates as high as 50% have been reported for such campaigns. The professional social network LinkedIn is a favourite source for attackers, as it provides plenty of valuable information about a target’s employer, colleagues and responsibilities.
Every person who owns an email address should familiarize themselves with the few simple checks that help spot phishing emails: looking for a generic greeting (“Dear Customer”) rather than your real name, being suspicious of bad grammar and of urgent demands, and hovering over links to see whether the real destination matches the text shown. The same check applies to the sender: look at the actual email address, not just the display name.
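The “hover over the link” check can be automated for an HTML email body. The script below is an added example, not code from the original post: it extracts every link, compares the host the anchor text displays with the host the link actually goes to, and also flags raw IP addresses, punycode (look-alike) hosts, and a trusted brand name used as link text for an untrusted host. The sample email, the trusted-domain list and the two-label “base domain” approximation are all constructed assumptions for illustration.

```python
"""Flag suspicious links in an HTML email body (added example).

Automates the hover check: the text a link *displays* should point where
the link actually *goes*. The sample email below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Assumption: the domains the recipient really does business with, and the
# brand name as it would appear in link text (comes from your own allow-list).
TRUSTED_DOMAINS = {"example-bank.com"}
TRUSTED_BRAND = "example bank"


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def split_url(url_or_text):
    """urlsplit() that also accepts bare text such as 'bank.com/login'."""
    u = url_or_text.strip()
    if "://" not in u:
        u = "http://" + u
    return urlsplit(u)


def looks_like_url(text):
    """Does the anchor text itself look like a URL or domain name?"""
    return bool(re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.strip(), re.I))


def base_domain(host):
    """Crude registrable-domain approximation: last two labels.
    Assumption; a real implementation would consult the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_links(html):
    """Return a list of (href, reason) findings for links worth distrusting."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = split_url(href)
        host = (parts.hostname or "").lower()
        if not host:
            continue
        if is_ip(host):
            findings.append((href, "link points at a raw IP address"))
        if "xn--" in host:
            findings.append((href, "punycode host (possible look-alike domain)"))
        if "@" in parts.netloc:
            findings.append((href, "userinfo before '@' hides the real host"))
        if looks_like_url(text):
            shown = (split_url(text).hostname or "").lower()
            if shown and base_domain(shown) != base_domain(host):
                findings.append((href, f"displays '{shown}' but goes to '{host}'"))
        elif TRUSTED_BRAND in text.lower().replace("-", " ") and base_domain(host) not in TRUSTED_DOMAINS:
            findings.append((href, f"brand name in link text, but host is '{host}'"))
    return findings


# Constructed sample: one look-alike URL, one raw IP, one legitimate link, one punycode host.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Your account has been locked. Please verify at
<a href="http://example-bank.com.verify-login.net/">https://www.example-bank.com/login</a>
or <a href="http://203.0.113.5/acct">click here</a>.</p>
<p>Questions? <a href="https://www.example-bank.com/help">Example Bank Help</a></p>
<p>See also <a href="http://xn--exmple-bank-xyz.com/">our new portal</a></p>
"""

if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Only the link to `www.example-bank.com` passes; the first link shows the bank’s own URL as text while pointing at `verify-login.net`, which is exactly the mismatch a hover reveals.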
If you want to know more about the most common types of phishing scams, we suggest you read this excellent Tripwire article on the subject.
“Baiting” is a social engineering technique as old as time. In fact, you might have heard a classic example back in school in the tale of the Trojan Horse: the massive wooden horse that the Greeks built to sneak into the city of Troy.
Modern baiting attacks often rely on physical objects, for example USB drives containing malware or a hardware keylogger, that are left in a car park or lobby in the hope that a curious passer-by will pick one up and plug it into a device.
The strongest defence against baiting is educating yourself: never trust equipment found “lost” in the world, such as USB drives, and avoid using public charging stations to charge your devices. It is also important to raise awareness of this and other social engineering scams in the workplace as part of the corporate security training plan.
Moving on to another water-related metaphor, a “watering hole” attack targets a specific group of people who share an interest in a certain topic. Attackers look for weaknesses in the security of websites that are popular within that group and attempt to infect those sites with malware.
The name comes from a specific behavior observed in the natural world: a lion lying in wait at a watering hole for unsuspecting prey to arrive.
In this case, the attackers know that the website is likely to be visited by users interested in the subject or niche, and that those users trust the website. That combination means victims are more likely to accept a download or prompt served by the compromised site, or to be infected silently through an unpatched browser or plugin.
The best line of defense against watering hole attacks is good general computer security hygiene. A good starting point is to keep your operating system, browser and browser plugins patched and your anti-virus up to date, and to stay skeptical even with sites you usually trust.
We’re sure you’ve met one or two Nigerian princes at some point in your life. After all, who hasn’t received an email written in questionable English by self-declared African royalty promising you a large sum of money in return for a little financial help?
Well, this classic online scam, also known as “Nigerian 419” (from the section of Nigeria’s Criminal Code that criminalizes the practice), is an example of a social engineering technique called “pretexting”.
Pretexting attacks are used to acquire confidential information by creating a “pretext”, a fabricated scenario in which the attacker pretends to be someone else, to trick people into giving away information (or money) voluntarily.
For example, attackers could pose as recruiters for a modelling agency offering attractive compensation for new glamour models. In order to be officially signed up, the unsuspecting victims are asked to provide nude photographs that they would normally keep private. Attackers also often pose as support agents, asking for access credentials in order to provide their fictitious services.
A good way to avoid pretexting attacks is to always verify the identity of unsolicited callers requiring access to your accounts or your premises. The first step could be consulting the company directory to confirm that the caller is an approved support agent or a vendor affiliated with the business, and then calling them back on a number you looked up yourself, never one the caller gave you. It’s also helpful to keep in mind that support technicians or inspectors very rarely “volunteer” their services without first scheduling an appointment.
Once again, a healthy dose of skepticism and a few minutes’ research may go a long way in avoiding these types of attacks.
“Piggybacking”, also known as “tailgating”, is an offline social engineering technique targeting companies, primarily small and medium-sized enterprises (SMEs).
The main goal of piggybackers is to gain physical access to a business’ premises without proper authentication. To do so, they often pose as delivery drivers or contractors and wait to follow (“piggyback”) an oblivious employee into the building. The unauthorized visitor waits for a member of staff to use their access card or obtain security’s approval, then asks the employee to hold the door, relying on the fact that most people find it rude to refuse.
Smaller businesses are particularly vulnerable to this attack, as security measures tend to be less strict, and there is often only one door separating the attacker from the company’s restricted areas. That doesn't mean, however, that larger businesses will not be targeted.
Tailgating can be prevented by instructing all employees not to let any visitors into the building unless authorized, regardless of how friendly and professional they appear: everyone badges in individually, and holding the door for someone without a badge is a reportable event rather than a courtesy.
We hope that the influx of cybersecurity-related news in 2018 prompted you to take a hard look at your password list (just kidding: you shouldn’t have one, it’s very dangerous. Use a password manager instead!).
In a previous blog post, we discussed how to create a strong, unique password as a starting point to protect your data. Using more than 10 characters, including numerals and special characters, and avoiding any reference to important dates or the names of beloved pets are all good practices to minimize the risk of getting hacked. Of these, length and uniqueness matter most: a long passphrase that is used for exactly one account beats a short “complex” password reused everywhere.
The hard truth is, if you don’t follow this advice and decide that you’d rather have a password that’s easy to remember than a more complex one, you are also making it easier for attackers to predict your future behaviour. Attackers who already know one of your passwords, for instance from a public breach dump, can use its creation pattern to guess your new ones: “Summer2018!” is very likely to be followed by “Summer2019!” or “Autumn2018!”.
As a company that sells remote access software, we are very keen on educating the people we interact with about cybersecurity. Overall, when it comes to protecting your data, it’s always worth investing a little time to comply with best practices and avoid future regrets.
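The point about predictable rotation can be turned into a check you run when a user picks a new password. The script below is an added example, not code from the original post: it compares the candidate against the user’s previous passwords and flags the mutations attackers try first, namely a bumped trailing number, a season or month plus a year, and leetspeak substitutions on the same base word. The edit-distance threshold, the leetspeak table and the sample passwords are assumptions for illustration; in a real deployment the history would come from your own password-change records.

```python
"""Detect "new" passwords that are predictable mutations of old ones (added example).

Flags the rotation patterns attackers guess first: bumping a trailing number,
swapping a season or year, or leetspeak on the same base word. Thresholds and
the leetspeak table are assumptions to tune for your own policy.
"""
import re

# Assumption: common leetspeak substitutions, undone before comparing stems.
LEET = str.maketrans("4310$57@!", "aeiosstai")

# Season or month name, optional filler, a 19xx/20xx year, optional trailing symbols.
SEASON_YEAR = re.compile(
    r"^(spring|summer|autumn|fall|winter|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)"
    r"[a-z]*[^a-z]*(19|20)\d{2}[^a-z]*$",
    re.I,
)
MAX_EDIT_DISTANCE = 2  # assumption: how many edits still count as "the same password"
MIN_STEM_LEN = 4       # ignore very short stems to avoid spurious matches


def normalise(pw):
    """Lower-case, strip trailing digits/symbols, then undo leetspeak.

    'P@ssw0rd2' -> 'password', 'Summer2018!' -> 'summer'.
    """
    stem = re.sub(r"[^a-z]+$", "", pw.lower())
    return stem.translate(LEET)


def levenshtein(a, b):
    """Classic edit distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rotation_weakness(new_pw, history):
    """Return a reason if new_pw is a predictable mutation of a previous
    password or of a calendar pattern; None if no pattern was found."""
    if SEASON_YEAR.match(new_pw):
        return "season/month + year pattern"
    new_stem = normalise(new_pw)
    for old in history:
        if new_pw.lower() == old.lower():
            return "same as a previous password (case aside)"
        if levenshtein(new_pw.lower(), old.lower()) <= MAX_EDIT_DISTANCE:
            return f"within {MAX_EDIT_DISTANCE} edits of a previous password"
        old_stem = normalise(old)
        if len(new_stem) >= MIN_STEM_LEN and len(old_stem) >= MIN_STEM_LEN and (
            new_stem in old_stem or old_stem in new_stem
        ):
            return "same base word as a previous password"
    return None


if __name__ == "__main__":
    # Constructed sample history and candidates.
    history = ["Summer2018!", "Password1"]
    for candidate in ["Summer2019!", "P@ssw0rd2", "Welcome2!", "tr0ub4dor&3-correct-horse"]:
        print(f"{candidate!r}: {rotation_weakness(candidate, history) or 'no rotation pattern found'}")
```

The check is deliberately generous to the attacker: anything within two edits, or sharing a four-letter stem after leetspeak is undone, is treated as the same password, because that is roughly what a mangling-rule wordlist attack would try against a leaked older password.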
Have you ever tried to buy an item online, only to find that one or more additional items had been added to your basket by default? Or have you tried to unsubscribe from a newsletter, only to find yourself navigating through deceptive, strangely worded tick boxes trying to figure out which combination of clicks will finally get you removed from the contact list? If the answer is yes, you have fallen victim to dark patterns.
Unlike most of the previous examples, dark patterns are not necessarily a means of stealing your data, but rather a way to make you take (or not take) a certain action. They are a manipulation tactic that doesn’t involve direct interaction between the parties; instead, social engineering is applied to a user interface in order to funnel victims in a particular direction.
Airlines, especially those that label themselves “low cost”, seem to be particular offenders, nudging customers to agree to small upgrades such as priority boarding and travel insurance by making these options look like part of the standard offer.
Social media platforms are also guilty of adopting dark patterns to gain access to the user’s contact list (LinkedIn, we’re looking at you!), or to make you agree to unnecessary terms and conditions in order to use the app. These terms and conditions might include access to your location, contact list, and other personal information that the service provider should not need.
Dark patterns might be particularly tricky to avoid, especially because they change over time once users become more aware of them. A bit of education, however, goes a long way. Here is a really good Lifehacker article about how to spot and dodge dark patterns.
Social engineering attacks are constantly evolving and changing shape, so there is no one-size-fits-all strategy to avoid becoming a victim. Overall, the most useful preventative measure appears to be common sense, backed by a habit of verifying before acting.
Refusing to give away your username and password should be standard practice, regardless of the alleged job title of the person requesting it. Remember that real support agents should already have legitimate means to access your accounts without having to ask for your credentials.
Always use antivirus software, and if you have doubts about the legitimacy of a file, ask a member of your IT staff to check it for you: they should be able to tell you whether it’s malicious, so you can avoid taking any risk. After all, it’s better to be safe than sorry.