Getting “Hacked” Series: Part 1 - Social Engineering

The word “Hacked” is thrown around a lot these days, but unfortunately it sits in a similar pool with the phrase “life hack”, where it is more of a generalization than anything specific.

When you look up the meaning of “Hack”, in this context, it is an act or instance of gaining or attempting to gain illegal access to a computer or computer system.

There are other additions to this meaning as well, such as gaining information, not just access, which oftentimes can be even more valuable to someone.

There are many different methods of hacking. With each post in this series, we’ll be doing a deep dive into one method as well as ways to spot it and avoid getting caught up in it. In this post, we’ll be focusing on Social Engineering.

What is Social Engineering?

Social Engineering is an attack using human interaction to obtain or compromise information about an organization or its computer systems. Typically, the attacker will seem unassuming or even respectable, possibly claiming to be a repair person, researcher, new employee, etc., and even going as far as offering credentials to support their identity. By asking pointed questions, they may be able to put together enough information to gain access to an organization’s network. If they are unable to attain enough information from one source, they may contact additional sources within the organization and rely on the information provided by the first source to add to their credibility.

Like most types of manipulation, this is built on false trust and then persuasion. Typically, there are 4 steps to successful social engineering attacks:

  1. Preparation - The social engineer gathers information about their victims, including where they can access them, such as on social media, email, text messaging, etc.

  2. Infiltration - They approach their victims, usually impersonating a trustworthy source and using the information gathered about their victim to validate themselves.

  3. Exploitation - They use persuasion to request information from their victim, such as account logins, payment methods, contact information, etc., that they can use to commit their cyberattack.

  4. Disengagement - They stop communication with their victim, commit their attack, and swiftly depart.

Depending on the type of attack, these steps could span anywhere from hours to months.

Social Engineering Tactics to watch out for:

  • Making an urgent request.

    • Social engineers don’t want you to think twice about their tactics. That’s why many social engineering attacks involve some type of urgency, such as a sweepstakes you have to enter now or cybersecurity software you need to download to wipe a virus off of your computer.

  • Your ‘friend’ sends you a strange message.

    • They can pose as trusted individuals in your life, including a friend, boss, coworker, even a banking institution, and send you suspicious messages containing malicious links or downloads. Just remember, you know your friends best, and if they send you something unusual, ask them about it through a different channel than the one “they” used to contact you.

  • Your emotions are heightened.

    • The more irritable we are, the more likely we are to let our guard down. Social engineers are great at stirring up our emotions like excitement, fear, curiosity, anger, guilt, or sadness. In your online interactions, consider the cause of these emotional triggers before acting on them.

  • The offer feels too good to be true.

    • Ever receive news that you didn’t ask for? Even good news, like a free cruise or winning the lottery? Chances are that if the offer seems too good to be true, it’s just that, and potentially a social engineering attack.

  • You’re receiving help you didn’t ask for.

    • They might reach out under the guise of a company providing help for a problem you have, similar to a tech support scam. Considering you might not be an expert in their line of work, you might believe they’re who they say they are and provide them access to your device or accounts.

  • The sender can’t prove their identity.

    • If you raise any suspicions with a potential social engineer and they’re unable to prove their identity (for example, they won’t do a video call), there is a high chance they are not to be trusted.
