Attackers use many different forms of hacking every day to extract the data they want from unsuspecting victims, employing techniques that range from high-tech gadgets to powerful software.
However, there is one type of hacking that uses the lowest-tech means possible and is still very effective: social engineering. Social engineering relies largely on human psychology. Instead of clacking away at their keyboards for hours, the attackers spend their time interacting with other people in order to get them to give up their valuable information.
In fact, social engineering is much closer to a “con game” than to what most people think of as hacking. The con men and women may appeal to their target’s vanity, respect for authority, or greed to persuade them to give up that information. These con artists also rely on people’s willingness to help others.
There are many methods that social engineering hackers employ to get what they want. Let’s look at three of the most popular forms.
The first form, baiting, is the social engineering technique with the least human interaction (practically none); instead it relies on natural curiosity.
In this scheme, the attacker leaves a USB drive or similar device, infected with malware, in a place where there is a high chance someone will find it. That person picks it up and, out of curiosity, plugs it into his or her computer to see what is on it. And, voilà, the malware is installed.
If it’s in an office setting, then the malware has a chance to get into important systems and files.
One well-known baiting attack was actually a test by security expert Steve Stasiukonis on a financial company that was his client. His team infected USB drives with a Trojan and left them in the parking lot. Many curious employees picked up the drives and plugged them into their computers, which activated a keylogger and gave Steve the employees’ login information.
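The defender-side counterpart to a USB drop is simply knowing which removable drives appear on which machines. The following added example (not from the original article or from the test described above) parses Linux kernel log lines of the kind dmesg prints when a device is plugged in, correlates the "New USB device found" line with the later "USB Mass Storage device detected" line via the port path, and reports any mass-storage device whose vendor/product id pair is not on an organisation allowlist. The log lines, the allowlist and the ids in it are constructed for the example.

```python
"""Spot removable-storage insertions in Linux kernel log lines and flag
any device that is not on an approved (idVendor, idProduct) allowlist.
Added example; the sample log and the allowlist below are constructed."""
import re

# Constructed sample of kernel (dmesg/journal) lines covering three devices:
# a SanDisk flash drive on port 1-1, a wireless mouse receiver on port 1-2
# (not storage) and an unknown storage device on port 2-3.
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 4 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb 1-1: Product: Ultra Fit
usb-storage 1-1:1.0: USB Mass Storage device detected
sd 2:0:0:0: [sdb] Attached SCSI removable disk
usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
usb 1-2: Product: USB Receiver
usb 2-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 0.01
usb-storage 2-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist: (idVendor, idProduct) pairs the organisation issues.
APPROVED = {("0781", "5583")}

FOUND_RE = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, "
                      r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT_RE = re.compile(r"^usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: "
                        r"USB Mass Storage device detected")


def find_storage_devices(log_text):
    """Return one dict per device that registered as USB mass storage.

    Devices are keyed by the kernel's port path (e.g. "1-1"), which is the
    only field shared between the enumeration line and the usb-storage line.
    The 'sd ... Attached SCSI removable disk' line carries no port and is ignored.
    """
    devices = {}
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            devices[m["port"]] = {"port": m["port"], "vid": m["vid"],
                                  "pid": m["pid"], "name": None, "storage": False}
            continue
        m = PRODUCT_RE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]]["name"] = m["name"]
            continue
        m = STORAGE_RE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]]["storage"] = True
    return [d for d in devices.values() if d["storage"]]


def unapproved_storage(log_text, approved=APPROVED):
    """Mass-storage devices whose vendor/product pair is not on the allowlist."""
    return [d for d in find_storage_devices(log_text)
            if (d["vid"], d["pid"]) not in approved]


if __name__ == "__main__":
    for dev in unapproved_storage(SAMPLE_LOG):
        print(f"ALERT: unapproved removable storage on port {dev['port']}: "
              f"{dev['vid']}:{dev['pid']} {dev['name'] or '(no product string)'}")
```

Run against a live machine by feeding it `dmesg` or `journalctl -k` output; the useful part is the allowlist, since a dropped drive is by definition one the organisation never issued.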
The second form, phishing, is possibly the biggest in scale. Phishing is when hackers or nefarious organizations send fake emails disguised as legitimate ones (usually imitating some authoritative site) to get you either to share personal, valuable information or to click on a link.
There are limitless examples, such as what almost happened to our colleague when she received an email claiming to be from PayPal. Luckily, she noticed the intermediate site she was sent through before she reached the final, PayPal-imitating site. If she had not seen that middle site, she might have given up her PayPal credentials.
There’s also the case of the Snapchat employee who gave up important information via email to a person claiming to be the CEO of the company.
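The PayPal case above turned on two things a reader can only sometimes spot by eye: a link whose visible text and real destination differ, and a middle site that merely forwards to the imitation. The following added example (not code from the original article) performs those checks on an e-mail's HTML body before anyone clicks: it extracts every anchor, compares each destination host with the domain the message claims to come from, flags visible text that names one host while the href goes to another, flags IP-address hosts, and flags hrefs that carry a second URL in their query string, which is how a redirector site is typically reached. The sample message, the hosts in it and the brand domain passed in are constructed for the example.

```python
"""Flag suspicious links in an HTML e-mail that claims to come from a brand.
Added example; SAMPLE_EMAIL and every host in it are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
import ipaddress
import re

# Constructed phishing-style message: the first link shows a PayPal URL as text
# but points elsewhere, the second uses a bare IP, the third goes through a
# redirector, the fourth is genuine, the fifth is a mailto: and is skipped.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account is limited.</p>
<p><a href="https://paypal.com-verify.example.net/login">https://www.paypal.com/signin</a></p>
<p><a href="http://203.0.113.5/pp/">Confirm now</a></p>
<p><a href="https://links.newsletter.example/r?u=https://paypa1.com/x">Review activity</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
<p><a href="mailto:support@paypal.com">Contact us</a></p>
</body></html>"""

# Matches something that looks like a domain or URL inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def same_site(a, b):
    """True when one host equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_links(html, brand_domain):
    """Return [(href, [reasons...])] for every link that deserves a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if not host:
            continue  # mailto:, tel:, relative links: nothing to resolve
        reasons = []
        if is_ip(host):
            reasons.append("ip-address host")
        elif not same_site(host, brand_domain) or len(host) < len(brand_domain):
            reasons.append(f"host {host} is not under {brand_domain}")
        m = DOMAIN_IN_TEXT.search(text.lower())
        if m and not same_site(host, m.group(1)):
            reasons.append(f"text shows {m.group(1)} but link goes to {host}")
        for values in parse_qs(urlparse(href).query).values():
            if any(v.lower().startswith(("http://", "https://")) for v in values):
                reasons.append("href carries an embedded URL (redirector)")
                break
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_EMAIL, "paypal.com"):
        print(href, "->", "; ".join(reasons))
```

The brand domain is an input rather than something inferred from the message, because the From header is exactly what a phisher controls; in a mail gateway it would come from a lookup of the sender's authenticated domain.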
The third form is pretexting. One popular pretext is for a hacker to call one department and claim to be from another. They will be in some emergency or bind and need some (seemingly trivial) information or access very quickly. The other person (whom the hacker has already researched) eventually gives up the information.
One thing to remember is that this hacker is not going after just the main target: if that target is too difficult to reach directly, they will work up the ladder of authority until they get what they want.
One of the most famous cases of pretexting is the News of the World scandal, in which members of the press fooled phone operators into handing over PIN codes, which allowed those journalists to eavesdrop on the royal family’s voicemails.
There are certain parts of social engineering that you can protect yourself against. We’ve already covered how to protect yourself against phishing and spear-phishing attempts; you can read that here.
To protect yourself or your company against other forms of social engineering, you will need to carry out what are known as penetration tests. These can target the network, computer systems or related infrastructure, but they can also be run against the employees themselves, to see which ones are more vulnerable to these attacks.
Beyond that, it is always recommended to be vigilant and aware of your surroundings. If something seems suspicious, it more than likely is. In these situations, it is best to exercise extra caution, especially when working with very sensitive information.