It’s your lucky day! You’ve just received an email from a Nigerian Prince, and only you can help him claim his lost inheritance! Despite the fact that Nigerian politics take place within a three-branch, federal republic framework modeled after that of the U.S. — complete with a democratically elected head-of-state (a.k.a. President) — you still jump on the chance to do a good deed and maybe make a little side-cash. After all, it’ll make the perfect humble-brag for this year’s Christmas letter, right? Well, that depends: how jazzed are you by the idea of your wife’s judgy, second cousins knowing you just fell victim to a textbook case of social engineering? Considering the last time Nigeria had traditional state royalty was 1963, the answer to that question should probably be “none; none jazzed at all.”
Social engineering comes in many forms and flavors, but the way most of us are familiar with it is in the computing sense. Instead of taking the time to hunt for vulnerabilities in your technology, scammers and thieves go straight to the squishy, flappable, all-too-trusting source: You. In the context of information technology, social engineers employ deceptive tactics to manipulate you into revealing personal information you otherwise would not (e.g. credit card numbers, or passwords). Often, this information is later used for fraudulent purposes.
The reason social engineering works is because the human brain is an imperfect computer — fast as it may be when properly fed, our source code is flawed. The qualities we hold in the highest esteem — like empathy, kindness, and trust — are easily used against us; our worst fears just as exploitable by those who’d see us harmed.
Here are a few examples of common social engineering attacks to be on the lookout for, and how to avoid getting caught up in them:
You receive an email that appears to come from a reputable source, like your bank or credit card company, suggesting there’s an issue with your account. Or maybe it’s a coworker having trouble with their company login: could they just use yours, just this once? In reality it’s a fraudster posing as someone you trust in an attempt to get you to divulge sensitive information. The malicious emails and websites used in phishing attacks can be incredibly convincing, and for good reason: they want you to take the bait.
How to prevent it: Don’t bite. Trust nothing. Not even that random email from your Great Uncle. Instead, verify whether a problem actually exists by going directly to the source. Manually enter your bank’s actual web address rather than following the link in the message (hover over a link first and you will often see that the address it really points to is not the one it displays). Call your coworker to double check. Text your uncle to see whether that strange link or attachment actually came from him. It’s not paranoia anymore. It’s self-preservation.
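The “go directly to the source” advice can be partly automated for incoming mail. The following is an added example (it is not code from the original post or from JNT TEK) that pulls every link out of an HTML email body and flags the two classic phishing giveaways: link text that looks like one address while the href points somewhere else, and a target domain that is not on the sender organisation’s list of real domains. The sample email and the `EXPECTED_DOMAINS` allow-list are constructed for the example; a real deployment would use the domains your own bank or company actually sends from.

```python
"""Flag phishing-style links in an HTML email body (added example).

Two checks a mail filter, or a cautious reader, can apply before clicking:
  1. The visible link text looks like a URL or domain, but the href
     resolves to a different registrable domain (display/target mismatch).
  2. The target domain is not in the organisation's known-domain list
     (EXPECTED_DOMAINS is an assumed allow-list for the constructed sample).
Links with non-web schemes (mailto:, javascript:) are skipped, not judged.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list: domains the sample "bank" legitimately sends links to.
EXPECTED_DOMAINS = {"examplebank.com"}

# Constructed sample message: one mismatched link, one legitimate link,
# one look-alike domain (digit 1 for letter l), and one mailto: link.
SAMPLE_EMAIL = """
<p>Dear customer, we detected a problem with your account.</p>
<p>Please sign in at <a href="http://examplebank.com.secure-login.example.net/">
examplebank.com</a> within 24 hours.</p>
<p>Or <a href="https://www.examplebank.com/help">visit our help centre</a>.</p>
<p>Prefer the app? <a href="https://examp1ebank.com/login">Secure login</a>.</p>
<p>Questions? <a href="mailto:support@examplebank.com">Email us</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of an http(s) URL or bare domain; '' for anything else."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https"):
        return (parts.hostname or "").lower()
    if not parts.scheme and "://" not in url:  # bare "examplebank.com"
        return (urlsplit("http://" + url).hostname or "").lower()
    return ""  # mailto:, javascript:, tel:, ...


def registered_domain(host):
    """Crude last-two-labels approximation of the registrable domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """True when the visible link text reads as a URL or a domain name."""
    t = text.lower()
    if t.startswith(("http://", "https://", "www.")):
        return True
    return "." in t and " " not in t and not t.endswith(".")


def analyse_links(html, expected_domains=EXPECTED_DOMAINS):
    """Return a list of (href, text, reason) for each suspicious anchor."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = registered_domain(host_of(href))
        if not target:
            continue  # non-web scheme: out of scope for these two checks
        if looks_like_url(text) and registered_domain(host_of(text)) != target:
            findings.append((href, text, "link text and target differ"))
        elif target not in expected_domains:
            findings.append((href, text, "target is not a known bank domain"))
    return findings


if __name__ == "__main__":
    for href, text, reason in analyse_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the constructed sample it reports two links: the one whose text says examplebank.com but whose target is really example.net, and the look-alike examp1ebank.com. The legitimate help-centre link passes because its domain is on the allow-list. The registrable-domain check is a deliberate approximation (it treats co.uk-style suffixes as a domain); a production filter would use the public suffix list.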
An email that appears to come from a trusted source contains an attachment or web link carrying a malicious payload. When the attachment is opened or the link is clicked, malware is installed on your computer. Malicious attachments and links are one of the most common ways ransomware reaches end users.
How to prevent it: Don’t click. Just don’t. Don’t take the bait. If you receive an unsolicited attachment, err on the side of caution until you can verify where it actually came from, by contacting the sender through a channel you already trust rather than by replying to the message.
A pop-up appears while browsing the web. Oh no, your computer has been compromised! You have all the viruses! All-too-conveniently, the company associated with the pop-up has just the solution. They offer tech support! Often arriving as an email or phone call as well, this common scam plays on our worst fears to get us to cough up our credit card information, always for software we do not need. In a wild exposé of scareware tactics, podcast Reply All released a critically acclaimed two-part episode following co-host Alex Goldman’s attempt to track down and confront his own would-be tech support scammer. In person. In India.
How to prevent it: Good news is, a web page cannot scan your computer from a browser window, so you’re safe to call the bluff and close the pop-up. If the page’s scripts make that difficult (for example, by reopening the pop-up or hijacking the close button), open Task Manager and end the browser process that way. If that doesn’t work, a hard reboot should do the trick. In the case of a phone call or email, simply ignore it, and never let a caller you did not contact yourself install remote-access software on your machine.
You find a flash drive on the sidewalk outside your work. “Sweet, free flash drive!” you think. You insert it into your work computer, helping a hacker bypass your company’s IT defenses as the unwitting mule for a ransomware delivery.
How to prevent it: Don’t pick it up. Don’t bring it home. Never plug an unknown device into a work machine; if you must do something with it, hand it to IT. If it seems too good to be true, it probably is.
Quid Pro Quo
In an especially nasty version of baiting called a Quid Pro Quo attack (Latin for “something for something”), a hacker calls your staffers posing as an employee of your Managed IT Services Provider. The company system is being updated this afternoon, they say, but before the patch can be rolled out the company-wide anti-virus software needs to be temporarily disabled. Not wanting to be difficult, because time is of the essence, the staffer helps them out… and the hacker uses the lapse in security to take control of your system. In another common variant, the employee might be promised a free gift in exchange for login credentials. As ridiculous as it sounds, it works.
How to prevent it: Educate your employees so that they won’t fall victim to these types of ploys. Advise them to immediately report any calls or emails with quid pro quo requests to a supervisor. Most (if not all) MSP→client relationships involve designated point-people. If the staffer receiving that call is not the person who typically interacts with your managed services provider, they should be very suspicious, and should hang up and call the provider back on the number already on file rather than acting on the caller’s instructions.
Spotting social engineering tactics is not always easy, and that’s by design. Scammers and hackers want you to believe them. Like the confidence men you’ve seen on TV, it’s all a big hustle.
If you asked anyone what the biggest external threat to a company’s well-being is, you’d be all but guaranteed an answer of “hacking.” In many respects, they’d be right. But it’s not necessarily computers we should be most concerned about: it’s how easy it is to hack a human.
Social engineering is a complicated beast to tackle, with roots in email SPAM and your classic computer hack. Understanding how to combat it and preserve your company’s cyber defenses requires an educated team of end users. In our next post, we’re going to dive deeper into the differences between social engineering, SPAM, and hacking; how they overlap; how to recognize them; and what proactive steps you can take to ensure your company never falls victim to any of them.
After all, the best defense is always a good offense (and knowledge is the best way to get there).
Contact JNT TEK today for ways to educate and train your staff on scam detection and prevention.