When people think of how cyber “bad guys” work, they often focus on phishing. But social engineering is much more than phishing – it is an attack on people or organizations through psychological manipulation. Basically, social engineers are con artists. They convince people to divulge information, or to grant small favors, that ultimately help them gain access to controlled data or areas.
Today’s Focus: Recognizing and Responding to Social Engineering Attempts
Social engineers rely more on human interaction and emotion than on technology. Many social engineers are not even the ones trying to hack into systems. Some are simply paid to collect information (names, roles, phone extensions, vendor relationships) that will be useful to the people who do. But no matter who is doing the engineering, the goal is the same: leverage information and trust to gain access.
To help recognize potential pitfalls, let’s break it down.
Pretexting
Most social engineering schemes begin with a pretext, a fabricated scenario designed to gain your trust or to extract basic information. It might be someone “from IT” claiming they need your login credentials, or it could be the friendly delivery man who just called out, “Please hold the door”. Whatever role the social engineer has taken on, it is one chosen to play on your helpfulness or emotions.
The Take-Away? Don’t extend trust by default. Sounds harsh, but blind trust is what generally lets the bad guys in. Before giving out even seemingly trivial information, ask yourself whether the request makes sense and verify the person making it through a channel you already know: call the IT help desk at the number on the intranet, not a number the caller gives you, to check that your assistance is really needed. Legitimate IT staff will never need your password. And politely tell the guy juggling boxes that he will need to sign in with security, because company rules prohibit you from holding the door.
Tailgating or Piggybacking
Social engineers use both tailgating and piggybacking to gain physical entrance to somewhere they shouldn’t be. In both cases, the engineer is on your six, either waiting for you to knowingly hold the door open for them (piggybacking) or to slip in unnoticed after you’ve entered a secure area (tailgating).
The Take-Away? Unless you are 100% positive about the person you’re admitting, let the door close in her face. If she belongs there, her badge or the front desk will let her in. You can always apologize later, but you can’t un-let in a bad guy.
Dumpster Diving
As any dog can tell you, trash is filled with treasures. But instead of hoping for leftover steak, social engineers are looking for leftover information. Although most people know to shred highly sensitive or confidential documents, many are not so careful with things like internal department lists, phone or email directories, org charts and vendor invoices. Even the employee policy manual that puts you to sleep can be gold. Think about it – you’re much more likely to reply to an email requesting information “required by company policy” if the policy is quoted correctly and others from your department are copied on it.
The Take-Away? Properly destroy everything that isn’t public knowledge: cross-cut shred paper, and have storage media (old drives, USB sticks, phones) wiped or physically destroyed according to company policy rather than tossed in the bin.
Baiting
Social engineers love to play on human curiosity. When we find things, such as a USB drive, our curiosity is piqued. Studies in which researchers dropped USB drives around a university campus found that roughly half were picked up and plugged in, some within minutes, even when found in unusual places such as a bathroom floor or a parking lot. That curiosity is even higher when the drive turns up in a trustworthy spot or is labeled “Confidential” or with some other intriguing phrase.
Consider this: Linda comes back from lunch to find a USB drive on her desk and naturally assumes it’s for her. Plus, it’s marked “Cute Cat Videos” and Fluffy just loves those. So Linda pops it into her computer. Whether it carries a malicious file she opens or is a keystroke-injecting device that merely looks like a storage drive, her computer (and, through it, the company’s network) has now been infiltrated. How did it get on her desk? The bad guy piggybacked his way in. John from accounting started chatting with him in the elevator, and, when he learned the guy was “Linda’s husband, Dale”, John pointed out Linda’s desk before hurrying back to his calculator. “Dale” dropped the USB on Linda’s desk and strolled casually out of the office. He knew Linda’s name, and her husband’s, from his dumpster-dive find: the holiday party RSVP list.
The Take-Away? If it’s not yours, you weren’t expecting it, or you don’t know exactly what it is and where it came from, don’t plug it in. Turn it over to security or IT so they can examine it on an isolated machine. If it’s meant for you, it’ll come back. And again, destroy anything containing company or personal information before it leaves your hands.
Use of Urgency or Rewards
Other red flags are when things seem either urgent or too good to be true. Both are meant to rush you past the moment where you would normally stop and verify. Someone offering an obscene amount of money for your help? There’s no money. That lady rushing up to enter the building with you because she’s “so late for a meeting” but left her ID card in the car? Chances are there’s no ID card and no meeting; she’s just playing on your sense of compassion.
An Ounce of Prevention …
Although we as humans generally want to be nice, in today’s world you need to be nice with caution.
- Be careful of oversharing. The more someone knows, the more that information can be leveraged to build trust.
- Be deliberate with what you put out on social media or other public sites. Social engineers love using information, such as kids’ names, your alma mater or hobbies to build bonds and gain your trust.
- Engage in small talk, sure, but be wary of anyone who asks a lot of questions or produces too many coincidences. Maybe it’s a “small world”, but chances are the random guy in the elevator doesn’t really know your manager’s cousin from Workout World; he has just done (or is doing) his research.
Always follow company policies and procedures, especially as they relate to requests for sensitive information, disposing of data and entry to secured areas. Report security incidents, including near misses such as a stranger who tried to follow you through a door, even if you’re not sure they really are incidents. Better to have it checked out than be the one responsible for a breach.