Scams aimed at manipulating individuals for fraudulent purposes have been occurring for centuries, but this deception has now well and truly moved into the digital world. Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information in support of a broad spectrum of malicious activity. Social engineering theft, or ‘hacking the human’, is a growing exposure in Australia and globally today. Most breaches are caused by employees opening phishing emails that have already made it through existing technology defences.
Often, it can take months to find out that the organisation’s systems have been compromised. Clicking on one phishing email can enable a criminal to infiltrate the company’s systems, escalate their access and privileges, and steal company assets, clean out the bank accounts, or issue fake invoices.
The cyber crime of social engineering has developed because of human fallibility. While technology has changed, people have not and can be psychologically manipulated because of their desire to be helpful and their attitude to authority.
Phishing attacks are the most common type of attack leveraging social engineering techniques. Attackers use email, social media, instant messaging, and SMS to trick victims into providing sensitive information or into visiting a malicious URL in an attempt to compromise their systems.
Phishing attacks present the following common characteristics:
- Messages are composed to attract the user’s attention, in many cases to stimulate their curiosity by providing some information on a specific topic and suggesting the victim visit a specific website to obtain further details.
- Messages often present a sense of urgency in an attempt to trick the victim into disclosing sensitive data to resolve a situation that could get worse without the victim’s interaction.
- Attackers leverage shortened URLs or embedded links to redirect victims to a malicious domain that could host exploit code, or that could be a clone of a legitimate website with a URL that appears legitimate.
- Phishing email messages have a deceptive subject line to entice the recipient to believe the email has come from a trusted source. Attackers usually copy content such as text, logos, images, and styles used on legitimate websites to make the message look genuine.
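The four characteristics above can each be turned into a simple triage check. The following is an added example, not code from the original article: it scans a constructed sample message (the bank name, addresses and link are invented placeholders) for urgency cues, link-shortener hosts, a visible URL whose host differs from the real link target, and a sender domain that contains a trusted brand name without being the trusted domain.

```python
import re
from urllib.parse import urlparse

# Constructed sample lure (not from the article): a bank-themed message.
SAMPLE_EMAIL = {
    "subject": "URGENT: your account will be suspended in 24 hours",
    "from": "Example Bank Security <alerts@examplebank-secure.example>",
    "body": ('Dear customer, verify your details immediately at '
             '<a href="http://bit.ly/3abcxyz">https://www.examplebank.example/login</a> '
             'or your account will be suspended.'),
}

URGENCY_CUES = ("urgent", "immediately", "suspended", "24 hours", "act now")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>([^<]*)</a>', re.I)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if the text is not a URL."""
    return (urlparse(url.strip()).hostname or "").lower()


def phishing_indicators(msg: dict, trusted_domains: set) -> dict:
    """Map each characteristic from the article to the evidence found in msg."""
    found = {"urgency": [], "shortened": [], "mismatch": [], "lookalike": []}
    text = (msg["subject"] + " " + msg["body"]).lower()
    found["urgency"] = [c for c in URGENCY_CUES if c in text]
    for href, label in ANCHOR_RE.findall(msg["body"]):
        target = host_of(href)
        if target in SHORTENERS:
            found["shortened"].append(target)
        shown = host_of(label)  # '' unless the visible link text is itself a URL
        if shown and shown != target:
            found["mismatch"].append((shown, target))
    m = re.search(r"@([\w.-]+)>?\s*$", msg["from"])
    sender_domain = m.group(1).lower() if m else ""
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        same = sender_domain == trusted or sender_domain.endswith("." + trusted)
        if brand in sender_domain and not same:
            found["lookalike"].append(sender_domain)
    return {k: v for k, v in found.items() if v}  # only the hits


if __name__ == "__main__":
    for name, evidence in phishing_indicators(SAMPLE_EMAIL, {"examplebank.example"}).items():
        print(f"{name}: {evidence}")
```

A message that trips several of these at once is a good candidate for user reporting or mail-gateway quarantine; none of the checks on its own proves malice.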
Social Engineering Recommendations
Hackers who engage in social engineering attacks prey on human psychology and curiosity in order to compromise their targets’ information. With this human-centric focus in mind, it is up to users and employees to counter these types of attacks.
Here are a few tips on how users can avoid social engineering schemes:
- Do not open any emails from untrusted sources. Be sure to contact a friend or family member in person or via phone if you ever receive an email message that seems unlike them in any way.
- Do not give offers from strangers the benefit of the doubt. If they seem too good to be true, they probably are.
- Lock your laptop whenever you are away from your workstation.
- Purchase anti-virus software. No AV solution can defend against every threat that seeks to jeopardise users’ information, but it can help protect against some.
- Read your company’s privacy policy to understand under what circumstances you can or should let a stranger into the building.