When you see hackers on TV, they’re always digital experts. They aggressively tap keyboards in darkened rooms, taking down firewalls and infiltrating networks by cracking computer code and breaking security protocols. As you might guess, this has little to do with what successful real-world hackers do. Many modern hackers don’t even primarily attack computers. Instead, they attack people, overcoming security hurdles through social engineering attacks. The most successful hackers pair knowledge of computer security weaknesses with knowledge of human weaknesses, combining the two to overcome security and gain unauthorized access.
What are social engineering attacks?
Social engineering attacks target people rather than software. By imitating sources you trust and exploiting predictable human behaviour (deference to authority, urgency, curiosity, the wish to be helpful), attackers manipulate you into handing over confidential information or access of your own accord. No technical vulnerability is needed, which is why anyone can be a target. Knowing the common forms of social engineering, and the habits that defeat them, is most of the defence.
Phishing Attacks
Phishing is by far the most common form of social engineering attack. Typically the attacker imitates an email from a party you trust, such as your bank. The message can copy your bank's branding exactly, and the visible sender address can appear to belong to your bank: the From header is attacker-controlled text, and only the receiving mail system's checks (SPF, DKIM and DMARC) limit how far it can be forged. Where those checks block outright forgery, attackers fall back on lookalike domains and on links whose visible text differs from where they actually point. If you take the action the email demands, for instance "verifying" your details to unlock your account, you hand your credentials straight to the attacker. A popular variant pretends to be a personal contact asking you to open a shared Google Drive link.
To counter phishing, verify any unexpected request through a separate channel that the email itself did not supply. If an email from your bank asks you to contact them, do not use the phone number or link in the message; find the number on the bank's official website, or on the back of your card, and call to confirm that the request is genuine. If you receive an unusual email from a friend or colleague, ask them about it in a fresh email, a message or a call rather than by replying.
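The sender and link tricks described above can be checked mechanically before anyone clicks. The following script is an added example, not code from the original post: it parses a raw email, flags a From domain that merely looks like a trusted one, a Return-Path or Reply-To that disagrees with the From domain, and HTML links whose visible text names a different host than the href. The trusted domain `examplebank.com`, the sample messages and the heuristics themselves are assumptions made for the example.

```python
"""Heuristic checks for the sender and link mismatches phishing relies on.
Added example; not from the original post. The trusted domain, the sample
messages and every heuristic below are assumptions for illustration."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"examplebank.com"}  # assumption: domains we expect mail from


def addr_domain(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain, trusted):
    """True for a trusted domain or any of its subdomains."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def is_lookalike(domain, trusted):
    """True when an untrusted domain embeds a trusted brand name, e.g.
    examplebank.com.account-verify.net or examplebank-verify.com."""
    if not domain or is_trusted(domain, trusted):
        return False
    return any(t.split(".")[0] in domain for t in trusted)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host part of a URL or bare hostname, lower-cased ('' if none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def analyze(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_domain = addr_domain(msg["From"])
    return_path = addr_domain(msg["Return-Path"])
    reply_to = addr_domain(msg["Reply-To"])
    if is_lookalike(from_domain, trusted):
        findings.append(f"From domain looks like a trusted one: {from_domain}")
    if return_path and return_path != from_domain:
        findings.append(f"Return-Path domain {return_path} differs from From {from_domain}")
    if reply_to and reply_to != from_domain:
        findings.append(f"Reply-To domain {reply_to} differs from From {from_domain}")
    # Compare each HTML link's real host with the host its visible text claims.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode(errors="replace"))
        for href, text in collector.links:
            real = host_of(href)
            shown = host_of(text) if "." in text and " " not in text else ""
            if shown and shown != real:
                findings.append(f"Link text {text!r} actually points at {real}")
            elif is_lookalike(real, trusted):
                findings.append(f"Link host looks like a trusted domain: {real}")
    return findings


# Constructed sample messages (not real mail) used to exercise the checks.
SAMPLE = """\
Return-Path: <bounce@mail-examplebank-alerts.net>
From: Example Bank Security <alerts@examplebank.com.account-verify.net>
To: customer@example.org
Subject: Unusual sign-in, confirm your account
Content-Type: text/html; charset="utf-8"

<p>Please confirm at
<a href="http://examplebank.com.account-verify.net/login">https://www.examplebank.com/secure</a>
within 24 hours.</p>
"""

CLEAN = """\
Return-Path: <alerts@examplebank.com>
From: Example Bank <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="https://www.examplebank.com/">www.examplebank.com</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, analyze(raw) or ["no findings"])
```

The constructed SAMPLE trips all three checks (lookalike From domain, mismatched Return-Path, link text pointing elsewhere), while CLEAN produces no findings because `www.examplebank.com` is treated as a subdomain of the trusted domain rather than a lookalike. None of these heuristics replaces the out-of-band check above; a message that passes them can still be phishing sent from a compromised but genuine account.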
Watering Hole Attacks
Watering hole attacks are more subtle than phishing. Instead of contacting the target, the attacker compromises a legitimate website the target already visits and plants malicious content there. The compromise itself is a technical exploit of the website, but the attack succeeds either through a drive-by exploit of the visitor's browser or, where the browser is patched, only when the visitor accepts a download or clicks a poisoned link. That second path is the social engineering part: people extend the trust they have in the site to whatever appears on it. It is one of the harder attacks to defend against as a user, so keep your browser and plugins patched, and treat unexpected downloads, "required updates" and unusual prompts with suspicion no matter which site shows them.
Pretexting Attacks
In a pretexting attack the attacker invents a plausible scenario (a help-desk call, an audit, a vendor following up on an invoice) designed to make handing over information feel routine. A common technique is to ask you for details "to confirm your identity", when it is the caller whose identity is unconfirmed. More advanced versions talk the victim into taking actions, such as resetting a password, installing remote-access software or opening a door, that give the attacker a foothold in a secured network.
As a rule, never give sensitive information to anyone who calls or emails you unexpectedly, and treat strangers with respectful caution. If your job involves sending sensitive information, follow company procedures to the letter: they are typically designed to protect against exactly these scenarios, and pretexting depends on getting you to bend the rules "just this once".
Tailgating Attacks
Tailgating attacks exploit how quickly most people extend trust in order to gain access to physical locations. Security is often weakest inside the office or data center itself: once an attacker is physically present, live network ports, unlocked workstations, printed documents and the machines themselves are within reach, and most of the perimeter controls no longer apply.
By striking up friendly conversations and acting as though they belong, attackers can talk their way into secured areas. Common stories involve a lost key card or, better yet, a support visit requested by upper management. The name comes from the most basic form of the technique: following closely behind someone and slipping through the door they have just opened with their key card.
Be politely cautious about the identity of all strangers, and never let an unknown person into a secured area, even if they look legitimate or have a good story; direct them to reception or the person who supposedly authorised the visit. This goes doubly for unexpected repair or utility workers.
Baiting Attacks
Baiting offers the target something they want. For example, attackers might offer free music, films or pornography; the downloads, of course, carry malware, and you will find them frequently among illegal torrents and other copyright-subverting downloads. Because targets want the bait, they are less suspicious of even obviously malicious programs. Attackers might also leave USB drives lying around, hoping a curious person will plug one in. Modern operating systems no longer run programs from removable media automatically, but the drive can instead carry a booby-trapped document or present itself as a keyboard and type commands into the machine the moment it is connected. "Only an idiot would do that", you might think, but studies in which researchers dropped drives around a campus or office found that a large share were picked up and plugged in out of sheer curiosity.
Always question deals that seem too good to be true, whether online or in the physical world. Avoid "free" music and films, and get adult material only from reputable sources. Never plug an unknown device into your computer; hand it to your IT or security team instead.
How to Protect Yourself
You can defeat most social engineering attacks by slowing down and thinking before you act. Be friendly but cautious with strangers who ask for even innocuous information, and raise your general level of suspicion. Don't believe a story just because it sounds good or the source looks credible. Verify any claimed authorisation or permission with the source directly, using contact details you already have or can look up yourself. And, of course, never give confidential information, or access to it, to anyone whose identity you have not confirmed.