Social Engineering: How Hackers Take Advantage of Human Behavior
Social engineers take advantage of human behavior to pull off a scam. Social engineering is the art of manipulating people, so they give up confidential information. The information they are trying to get will differ, but when you or your employees are hit, the cyberhackers are trying to dupe you into giving up access to your systems, your bank information, or your passwords, so they can infiltrate your computer or covertly install malware or other malicious software.
Kevin Mitnick, a reformed hacker and noted cybersecurity expert, says: “social engineering is using manipulation, influence, and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits the attacker.”
The weakest link in cybersecurity is always the human aspect
The reason cybercriminals use these tactics is that it is easier to exploit people’s natural predisposition to trust. It is often easier to get private information by using psychological tactics against people than by using software to hack a network or system. Using people is always faster and more profitable!
Social engineering is all about trust!
Cybersecurity is all about who you can trust! It’s knowing when to believe a person and when not to. You need to know exactly who you are talking to. Is this person real and legitimate, or are you not sure? It’s easy for employees caught up in a busy day to trust a source they weren’t sure of…it happens every day!
It does not matter how many cybersecurity programs you purchase: if your people aren’t trained to recognize who and what to trust when it comes to cyber-hacking and cybersecurity, your company will continue to be totally exposed!
Social engineering is one of the greatest threats organizations face
It is a non-technical method of intrusion that relies on human interaction. Social engineering bypasses all security and gets the attacker right on the network. Often it is carried out over the phone: the hacker convinces the employee to grant remote access to their computer during the call. Some of the things a criminal hacker might say or try to accomplish include:
- They will try to build trust with the individual
  - “Hello, this is Terri from Microsoft” (of course they aren’t from Microsoft!)
  - “Hi, this is Robert from Comcast…”
- They will convey a sense of urgency or create fear!
  - “Your computer has a virus…”
  - “Your account has been compromised…”
  - “You owe the IRS back taxes and will go to jail!”
- They will be ready with details on your business or account
  - They will have a fake badge or agent number
  - They will have the name of your manager
- The way they speak may not be a giveaway
- Callers will even impersonate a police officer to get people to leave their houses!
How is your company at risk?
Social engineering has become a way for a criminal to successfully penetrate your company or organization. Once this hacker or “social engineer” has the trust of an employee, he gets the employee’s password and can simply log in and begin hacking. With the right password or credentials, a cybercriminal can reach sensitive data, steal important assets, and do some real harm!
People want to trust…that is one of the biggest vulnerabilities these attackers will exploit. Most people want to help, especially if they get an email from a coworker asking for help, or a phone call from an expert who asks for their assistance.
Most people want to be kind…that is how a social engineer gets employees to hand over sensitive information. They don’t want to be hard to deal with, crabby, or unresponsive; instead, they want to be courteous, and they are taught to be helpful, especially customer service staff.
Many people will react to an urgent request…especially if they think it is coming from a person with authority. A cybercriminal understands this, poses as that authority, and tells you your system has been compromised, that “so and so” (the manager or owner) is furious, and that you need to help them fix the problem right now!
How will cybercriminals use social engineering to hack your system?
Cybercriminals are becoming very sophisticated and very brazen when it comes to hacking your business and your network. Even though there are many ways these criminals will attack you, the 3 main ways they use social engineering are:
- Over the phone
- Over the internet
- In person at your office
On the phone, a social engineer may call you up and pretend to be a fellow employee, manager, or trusted IT professional…some have gone as far as posing as law enforcement officers! They will also study your company and use industry or common language to make you believe they are an insider. They may even play your hold music to make you feel they are part of the system, or “spoof” your phone number so it looks like they are calling from inside the company or another branch.
Online social engineering has been made simpler by the social networking sites employees use. Cybercriminals can use sites like LinkedIn to learn details about all the employees, including personal habits, likes and dislikes, making it easy to pose as an insider. Because of these sites, social engineers can mount an attack in minutes, versus the days or weeks it used to take before social sites were involved!
Physically penetrating your office is also something that has been used for years, especially before the internet and social platforms were available! Cybercriminals will buy clothing that mirrors your company’s clothing, or even create a logoed shirt, and then wait until someone lets them into a sensitive area. Once in, they have free rein to get onto a computer and create a lot of havoc! Criminals know that employees want to be courteous and don’t want to be perceived as difficult by asking someone to prove who they are.
How to defend against social engineering
No matter how much money or expertise your company puts into cybersecurity, including encryption, password protection, firewalls, or antivirus software, one of the easiest ways criminals will get in is through human vulnerability!
But there are many things a company can do to help its employees protect themselves and the company’s assets, including:
- Educate everyone on the problem
- Train employees and managers on security issues
- Review existing processes and procedures
- Be aware of the information you are releasing
- Create a policy and follow it up with awareness training
- Keep your software up to date
- Give employees a sense of ownership regarding cybersecurity
- Watch for questions that don’t fit the situation
- If you’re not sure, verify…especially identities!
No matter how much expertise and money you put into your network security to prevent data theft, including firewalls, security appliances, encryption, etc. — the human element always remains vulnerable to hackers who apply social engineering techniques.