You’re just sitting at your desk, minding your own business, trying to get some work done. You’re not a powerful executive or someone with access to the corporate jewels. Still, cybercriminals are targeting you. And you may not even know it until it’s too late.
A new report from Intel Security, “Hacking the Human Operating System: The Role of Social Engineering Within Cybersecurity”, details the latest persuasion techniques that cybercriminals are using to manipulate people like you into doing things you wouldn’t normally do, leading to the compromise of corporate data and the loss of corporate funds.
According to the researchers at Intel, social engineering activity largely falls into two categories: hunting and farming. Hunting is where the hacker tries to extract information using minimal interaction with the target – say, a phishing email. Farming is where the hacker attempts to establish a relationship with the target and gather information over a longer period of time.
You may think you’re not important enough to be in a hacker’s crosshairs, but report author Raj Samani, vice-president and CTO for EMEA at Intel Security, told ITBusiness.ca that you’d be wrong.
“If we look at the majority of major breaches they’ve not targeted administrators, but ordinary employees,” said Samani. “The bad guys will try to get a foothold into an organization when someone clicks a link, infecting them with malware. Then they’ll scan the environment, look for people with higher privileges and target their attack.”
The entry point could even be outside your company: partners in the supply chain can also be a way into an organization’s IT systems.
Samani said cybercriminals most commonly employ one of three tactics, or a combination of them: authority, scarcity and obligation. They’ll try to get you to perform an action that may seem innocuous by making you believe they’re in a position of authority, that a ticking clock requires quick action, or that you owe them a favour.
An e-mail from your bank saying your account has been suspended and prompting you to take action, for example, is both an authority-based attack (you trust your bank) and a scarcity-based attack (you’re about to lose access to your account).
“Across phone and e-mail, authority is the most prevalent hook, but it’s also the easiest to spot,” said Samani. “If I phone you up and say I’m the CTO for Bell I’m using authority, but I’m also confronting you with that information.”
You can easily call back Bell to see if the request is legitimate, or call your bank to verify the e-mail – if you even have an account at that bank.
Farming-style attacks are more difficult to spot, though. The attacker could be gathering publicly available information about you from social media, or befriending you on Twitter, LinkedIn or Facebook. “Follow me back” is a common example of cybercriminals using obligation as an attack vector: their account seems innocuous, they’ve followed you on Twitter or written you a recommendation on LinkedIn, and you feel a social obligation to reciprocate. At the least, this gives them the social capital to appear more legitimate and ensnare others; it also exposes your personal information and can open you up to direct-message-based malware attempts and other attacks.
Most of these threat vectors aren’t new; only the delivery methods are. Samani points to the Hare Krishna movement, whose members would give a stranger on the street a flower as a gift. The recipient would then feel a social obligation when the giver asked for a donation. It did wonders for their fundraising.
While your IT department will have technology and policy in place for data security, at the end of the day people – you – are the first and best line of defence. Samani’s advice is, when in doubt, always verify and validate.
“Phoning back is a good start. So is looking at the number being dialed. And organizations are always going out and saying they’ll never ask for your password or credentials,” said Samani. “Simply not clicking links is a good start. As a rule, I never click on links in emails. Employ common sense, and have a policy of not opening attachments or double-checking to make sure they’re legitimate.”