How Social Engineering is Hacking Humans


It was a truly epic hack. Private files of the heads of several American intelligence agencies were downloaded and published. Stolen items included descriptions about “harsh intelligence techniques” used by the government, confidential voicemails of security officials, and private information about the identities of 3,500 US law enforcement/military personnel.

Considering the sensitivity of the hack, it seemed obvious that brilliant hackers had stolen secrets from people using advanced technology and sophisticated hacking techniques.

However:

  • The brilliant thief was a 15-year-old self-described “pothead” (New York Daily News).

  • The advanced technology was a telephone.

  • His sophisticated hacking technique was calling a help desk, pretending to be the client, and asking for a password reset.

  • The naïve victims included the CIA Director, Secretary of Homeland Security, and FBI Deputy Director.

This is the world of social engineering—i.e., tricking people out of private information. It’s cheap, easy, and terrifyingly effective.

Follow the money. It was here a moment ago.

In the above example, government secrets were the target. However, Verizon’s 2018 Data Breach Investigations Report (DBIR) states that 76% of hacks are about money.

No one is sure how much is stolen, but the estimates are staggering. Juniper Research predicts the costs of hacking will be $2 trillion by 2019. Because Verizon’s DBIR says that human errors were at the heart of 17% of hacks, the costs of social engineering could be $340 billion.

Below are some of hackers’ favorite ways of using social engineering.

“Your account has suspicious activity. Please click this link to log in.”

“Phishing” emails pretend to be from a friend, fellow employee, or someone who is distant and feared, such as a CEO. They may have links to fake websites, such as phony banks, which can steal passwords, account information, credit card numbers, and login names. Companies that run phishing tests have found that as many as 30 to 40 percent of employees will click on a scam email.
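The tell-tale sign of the fake-website lure described above is a link whose visible text, or whose domain name, imitates a real site while the actual destination is somewhere else. The following is an added example (not code from the original post): a small stdlib-only Python checker that pulls the links out of an HTML email body and flags three common indicators: the visible text shows a different site than the real href, the href host is a bare IP address, or the host borrows a trusted brand name (including digit-for-letter lookalikes such as `examp1ebank`) without being the trusted domain. The `TRUSTED_DOMAINS` list, the sample email and the heuristics are assumptions constructed for the example.

```python
"""Flag phishing-style links in an HTML email body.

Added example using only the standard library. TRUSTED_DOMAINS, the sample
email and the heuristics below are constructed assumptions, not real data.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains the organisation genuinely uses. A real deployment
# would load these from configuration rather than hard-code them.
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}

# Brand labels (first label of each trusted domain), longest first so that
# "examplebank" is matched before the shorter "example".
BRAND_LABELS = sorted({d.split(".")[0] for d in TRUSTED_DOMAINS}, key=len, reverse=True)

# Constructed sample phishing email in the style of the lure quoted above.
SAMPLE_EMAIL = """<p>Your account has suspicious activity. Please click this link to log in.</p>
<a href="http://examplebank.com.account-verify.net/login">https://www.examplebank.com/login</a>
<a href="http://examp1ebank.com/reset">Reset password</a>
<a href="http://203.0.113.7/secure">Secure portal</a>
<a href="https://www.examplebank.com/help">Help centre</a>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if none can be parsed."""
    return (urlparse(url.strip()).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain.
    Assumption: no public-suffix list, so hosts under e.g. co.uk are handled
    imperfectly; good enough to show the technique."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def normalise(host: str) -> str:
    """Undo the simplest lookalike tricks: digits standing in for letters
    (0->o, 1->l, 3->e, 5->s) and inserted hyphens."""
    return host.translate(str.maketrans("0135", "olse")).replace("-", "")


def find_link_issues(html: str):
    """Return a list of (href, reason) findings for suspicious links."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue
        if is_ip_literal(host):
            findings.append((href, "ip-literal host"))
            continue
        domain = registrable_domain(host)
        if domain in TRUSTED_DOMAINS:
            continue
        # Indicator 1: the visible text names a site other than the real target.
        if "." in text and " " not in text:
            text_host = host_of(text if "://" in text else "http://" + text)
            if text_host and registrable_domain(text_host) != domain:
                findings.append((href, f"visible text points to {text_host}"))
        # Indicator 2: the host imitates a trusted brand without being it.
        norm = normalise(host)
        for brand in BRAND_LABELS:
            if brand in norm:
                findings.append((href, f"lookalike of {brand}"))
                break
    return findings


if __name__ == "__main__":
    for href, reason in find_link_issues(SAMPLE_EMAIL):
        print(f"{reason:45s} {href}")
```

Running the block on the constructed sample flags the first three links and leaves the genuine `www.examplebank.com` link alone. The same checks can be applied to the `From` display name versus the sender address, which is the other half of the "pretend to be from a friend or the CEO" trick.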

“Hi. I’m from support. What’s your problem?”

A successful hack may start off with a phone call. A hacker calls random workers at a company, claiming to be from technical support. Eventually, the thief contacts someone with a real problem. The worker, grateful to be getting help, lets the hacker access their computer. The attacker then installs malware, which steals secrets.

“We’re here to upgrade your computer.”

Social engineering can happen at your place of work. Criminals say they’re there to do repairs or upgrades. They present a phony work order and then simply walk out with the computer. Another tactic is to post a notice on a workplace’s bulletin board with a fake service desk number. Hackers have been known to leave USB drives lying around in public places at businesses. Employees who find the USB drive think they have gotten a free storage device. When they plug it in, they infect their company’s computer with malware.

You are not an idiot.

When people get tricked by social engineering tactics, it’s not because they are stupid or uninformed. The leaders of the CIA and the FBI weren’t naïve; they lacked security awareness.

Security awareness is more than just learning. All the information in the world will do no good if people do not act on it. For people to do the right thing at the right time, they need to be trained.

Security awareness training programs should be carefully prepared. A sloppy, rushed approach is a waste of everybody’s time. A good program will:

  • Find the company’s weakest areas.

  • Create an atmosphere of trust. Don’t blame the victims; train them.

  • Establish clear rules for handling sensitive information.

  • Train employees about the dangers that are relevant to them.

  • Strengthen training with surprise testing and other events.

  • Be interesting. People remember more when they pay attention.

The good news is that security awareness training can be very effective. Companies with well-thought-out training programs have reported large drops in successful social engineering attacks, as well as increases in safe security behavior by employees.

To learn how to protect your workplace from social engineering, check out our Trial here.

Jason Hoenich