When you envision a hacker stealing passwords and social security numbers, you likely picture someone in a dark room typing frantically into a computer, breaking through firewalls, and decrypting database records. But thieves tend to be lazy, and hacking through layers of security is much more complex than getting someone to hand over their password. That’s why every organization needs to be aware of “social engineering”, a blanket term that involves various techniques to exploit human psychology to gain access to an organization’s digital and physical assets. Below is an overview of the most common social engineering techniques and how to avoid them.
Phishing is when a target is contacted by an individual impersonating someone with the intention of stealing personal information. Various types of phishing exist, including:
- Deceptive Phishing – Mass emails are sent pretending to be a legitimate organization. The email includes imitations of brand logos and shortened links redirecting to a malicious website.
- Spear Phishing –Targets a specific person and could contain personal information, including the person’s name and job title. It may come in the form of a phone call or email, often requesting the person click through a link, download an attachment, or provide personal information.
- Whaling – Similar to spear phishing, but targets executives of an organization. The goals of whaling are often to authorize financial transactions or request W-2 information to file fake tax returns.
Phishing attacks are difficult to fend off. We’re raised to trust someone calling or emailing us will be the person they claim to be. When receiving an email from an unknown source, don’t download attachments or click links with a destination you don’t recognize. Reach out to the organization the person claims to represent and confirm the email or phone call is genuine. And finally, never give personal information, including your username and password, over the phone or through email.
Baiting / Quid Pro Quo
Baiting attacks occur when a person inadvertently compromises their security for a free gift. For example, someone could hand out free USB drives containing malware or promise a free gift card if you fill out a form containing personal information. Similarly, quid pro quo involves a hacker doing a favor for one person, then requesting a favor that compromises the organization’s security in return.
Prevent baiting and quid pro quo by staying vigilant against free gifts – never giving away personal information or compromising security just because you feel you “owe” someone.
In pharming, a hacker redirects traffic from one IP address to another. The hacker sets up a fake website that looks legitimate and waits for users to access it and enter personal information – passwords, credit card numbers, and more.
Users can avoid pharming by only accessing secure websites with HTTPS in front of it. Most browsers display a lock to the left of the URL when a site is secure. Organizations should also keep antivirus software up to date since many antivirus providers can detect pharming attacks.
Tailgating occurs when a person physically gains access to a building simply by walking in with someone who has access. This often involves asking someone to hold the door or pretending to have lost a keycard. Once inside, the person can physically access resources, including files left in the open and unlocked computers.
To prevent tailgating, implement policies to only grant access to one person at a time. Even though it feels polite, resist the impulse to hold the door for others. Inside the building, store files in a secure place and always lock your computer when leaving it unattended.
Don’t wait until personal information is in the hands of hackers to react. Be proactive and mindful of risks, secure your devices, and delete any requests for personal information or passwords. Contact DragonSpears to help turn security into a mindset embedded throughout your organization.