Social Engineering

Hackers use highly advanced techniques to hack into people’s computers or accounts. FALSE!
The most common way cyber attackers steal your information is to trick you. I hope to educate you on the ways hackers try to gain access to your system without you suspecting anything is going on.
What is social engineering and why is it so effective?
Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme. (Wikipedia)

Please do not think that social engineering is something new. It has been going on for years! Let’s think back 10 or even 20 years ago, when the phone rang and you did not have caller ID. Yes, back in the day we did not know who was calling us, if you can imagine that! A voice on the other end would greet you with a warm hello and tell you that you had been selected as a finalist to win a prize. All you needed to do was verify some information for tax purposes in case you were the winner of the prize money. You are filled with amazement because you have never won anything in your life. After a few questions, the caller states that they have all the information they need and will be contacting you at a later date. If you have gotten that far into the call, your identity has just been stolen!

Today it is even easier for cyber criminals to get access to your personal information. If you do not believe me, think of the security questions that your online bank asked you to fill out in case you forgot your password. Now log into your Facebook account and tell me whether all that information is available to everyone. I would say for the vast majority it is. And this is the society in which we live: you are reluctant to give your phone number to a cashier at a store, but you will put all your personal information online for everyone to see.

Another form of social engineering is phishing. This has nothing to do with real fish but rather, for the most part, with email. You receive an email from UPS stating that your Amazon package is currently being held at one of their warehouses. All they need from you is to follow the steps in the email attachment. Most people would not hesitate to download and open the attachment, even if they have not recently purchased something from Amazon. By using big names like Amazon and UPS, the email looks and feels professional. You even see that the email address is from UPS Shipping <shipping@ups.urgentpackages.com>. This is not a real UPS email address! If you look closely, it is ups.urgentpackages.com, which means the email is coming from urgentpackages.com, not ups.com; the “ups” is only a subdomain that the attacker controls. Some email addresses are so close to the real one that you will hardly notice they are not coming from the correct address. What about support@millenniunn.com? This is supposed to be coming from support@millennium.com, but the attacker is using two n’s instead of an ‘m’ for the last character.
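To show what “look closely at the sender domain” means in practice, here is an added example (not from the original post) that checks a From: header the way a mail filter or a careful reader would: it extracts the registrable domain, flags brand names that only appear as a subdomain (ups.urgentpackages.com), and folds look-alike letter pairs such as nn/rn for m to catch millenniunn.com. The trusted-domain list and the confusable-pair table are constructed for the example, and the registrable-domain logic is simplified to the last two labels.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Brand domains this checker trusts (constructed list for the example).
TRUSTED_DOMAINS = {"ups.com", "amazon.com", "millennium.com"}

# Letter sequences that look alike in many fonts (constructed table).
# Applied in order, so "rn" is folded before "nn".
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def sender_address(from_header: str) -> str:
    """'UPS Shipping <shipping@ups.urgentpackages.com>' -> bare address."""
    _display_name, addr = parseaddr(from_header)
    return addr.strip().lower()


def registrable_domain(address: str) -> str:
    """Keep the last two labels: ups.urgentpackages.com -> urgentpackages.com.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    host = address.rsplit("@", 1)[-1]
    return ".".join(host.split(".")[-2:])


def fold_confusables(name: str) -> str:
    """Normalise look-alike sequences so millenniunn == millennium."""
    for look, real in CONFUSABLES:
        name = name.replace(look, real)
    return name


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    addr = sender_address(from_header)
    host = addr.rsplit("@", 1)[-1]
    domain = registrable_domain(addr)
    if domain in trusted:
        return "trusted"
    # Brand name used as a subdomain of an unrelated registrable domain.
    subdomain_labels = host.split(".")[:-2]
    for t in trusted:
        brand = t.split(".")[0]
        if brand in subdomain_labels:
            return f"suspicious: '{brand}' is only a subdomain of {domain}"
    # Registrable domain that merely resembles a trusted one.
    folded = fold_confusables(domain)
    for t in trusted:
        similar = SequenceMatcher(None, domain, t).ratio() >= 0.85
        if folded == fold_confusables(t) or similar:
            return f"suspicious: {domain} looks like {t}"
    return "unknown"
```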

For those of you who work in the financial sector, you may have gotten an email from your CEO, all in CAPS, stating that they are going to lose their biggest client because the following wire transfer was not completed. Before you think, you send the wire to the account number indicated, only to find out that the sender is not your real CEO and you have wired a couple hundred thousand dollars to some offshore account in the Bahamas. Whoops! 🙁

I want to circle back to phone scams. I love to vacation out of the country on a nice beach! Who doesn’t? 🙂 It was to my surprise that I kept getting phone calls from a local number that I did not know. So after the 5th or 6th call I decided to pick it up. The caller, after 3 seconds, stated ‘sorry, I was adjusting my headset, can you hear me now?’ I said yes. They then told me that I was eligible for an all-inclusive stay at a 5-star resort. They stated that they got my information from a recent resort that I stayed at. At that point I was thinking of the place in Mexico. So they went on about how excited they were to be calling me and that they just wanted to ask me a few questions before they could transfer me to another agent to begin booking my stay. I was thinking that it was another time share that wanted me to sit in on a ’90 minute’ presentation. I told them to hold on for one minute and they responded, ‘I’m sorry, I did not get that. Can I ask you a few questions before I transfer you to an agent?’ And then it clicked. The whole time I was thinking I was talking to a live person, I was actually speaking to a recording. At which point I began thinking about what I had said and what information I may have accidentally provided. In letting the scam play out, it asked me for my date of birth so that it could verify that I was of age to sign a contract. I told the computer February 29, 1981. (FYI, that date does not actually exist.) It then wanted me to verify my mailing address so that all the documentation could be sent next day. I told them 1 East 161st Street, Bronx, NY. (You may know this address as the old Yankee Stadium address.) I was also asked for a credit card number to hold my entry, to which I replied that I did not have it on me. They asked again and I replied the same. The call was then disconnected. Had I not caught on, I may have provided a bit more sensitive information than I would have wanted.

Social engineering happens to all of us. Here are some ways to protect yourself against it!

  • If someone is creating a great sense of urgency, they are looking for you to make a mistake. Keep calm and try not to overreact.
  • If someone is asking for information that they should already know, such as an account number, ask for a number that you can call them back on.
  • If someone asks for your password: no one should ever ask you for your password. And if they do, do not tell them, even if they are threatening you with losing your job. If they legitimately need access to your information, IT can reset your password for them.
  • If you receive an email from a colleague or friend stating that they are in trouble and need you to send money by clicking on a link, spelling mistakes are a dead giveaway that the email is bogus. And if they were in such need, why did they write an email to you and not just call?

I hope that these tips help you avoid being the victim of social engineering.