By: Michael Harris
What are Social Engineering attacks? In layman's terms, a social engineering attack is a process designed to trick victims into handing over confidential or sensitive information. Attacks typically involve events that tap into the psychological components of human behavior. Simply put, as humans we have feelings, and it is these feelings that attackers target. Attacks can occur over a variety of communication mediums and are aimed at invoking fear, urgency, or similar emotions that compel the victim to share sensitive data. Let us look at three different methods by which Social Engineering attacks can occur.
PHISHING – Scammers are taking a more comprehensive approach to stealing your data. Over the past few years, phishing emails have been the most prominent method. Phishing is the practice of attempting to obtain users' credit card numbers, SSNs, online banking credentials, or any other personally identifiable information. Phishing emails often incorporate "Email Spoofing": the sender name and address are forged so the message appears to come from a trusted organization. For example, a "phisher" may send an email that looks as if it is coming from the bank's or credit card company's administrative department, asking the user to log on to a Web page, which is really a site set up by the "phisher". The goal is to get the user to enter passwords, account numbers, and other personal information. More recently, attackers have used known passwords from previously compromised websites to gain the attention of the victim, claiming they have access to the victim's browsing history and web camera. This type of blackmail is geared toward coercing the victim into paying a ransom to avoid being exposed.
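The spoofing described above leaves traces that can be checked mechanically: a display name that borrows a trusted brand while the sending domain is unrelated, a Return-Path that does not match the From domain, link text that shows one site while the href points to another, and urgency cues in the subject. The following Python script is an added example, not code from the original article; it scores a raw email against those indicators. The two sample messages and the trusted-domain list are constructed for illustration, and the "registered domain" helper is a deliberate simplification (last two DNS labels) rather than a public-suffix-list lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a spoofed "bank" message with a lookalike sender and a deceptive link.
SAMPLE_PHISH = """From: "Example Bank Security" <alerts@example-bank-login.test>
Return-Path: <bounce@mailer.test>
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Your account will be locked in 24 hours.</p>
<a href="http://example-bank-login.test/verify">https://www.examplebank.com/login</a>
</body></html>
"""

# Constructed sample: a legitimate notice whose sender, bounce address and link all agree.
SAMPLE_LEGIT = """From: "Example Bank" <no-reply@examplebank.com>
Return-Path: <no-reply@examplebank.com>
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>
</body></html>
"""

# Assumed list of domains the organization legitimately sends from.
TRUSTED_DOMAINS = {"examplebank.com"}
# Words that commonly signal the fear/urgency lever the article describes.
URGENCY_WORDS = ("urgent", "immediately", "locked", "suspended", "verify", "24 hours")


class _LinkParser(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def registered_domain(host: str) -> str:
    """Naive registrable domain: last two labels (assumption; use a PSL library in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.example.com/x' is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def phishing_indicators(raw_message: str, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable indicators found in a single-part HTML email."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Brand name in the display name but the sender domain is not one we trust.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(from_addr.rpartition("@")[2])
    squashed = display_name.lower().replace(" ", "")
    brand_hits = [d for d in trusted_domains if d.split(".")[0] in squashed]
    if brand_hits and from_domain not in trusted_domains:
        findings.append(f"display name impersonates {brand_hits[0]} but sender domain is {from_domain}")

    # 2. Bounce address (Return-Path) from a different domain than the visible From.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path:
        rp_domain = registered_domain(return_path.rpartition("@")[2])
        if rp_domain != from_domain:
            findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    # 3. Link text that looks like a URL for one site while the href goes elsewhere.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for text, href in extract_links(body):
        if re.match(r"^(https?://|www\.)", text, re.IGNORECASE):
            shown, actual = host_of(text), host_of(href)
            if registered_domain(shown) != registered_domain(actual):
                findings.append(f"link text shows {shown} but points to {actual}")

    # 4. Urgency cues in the subject line.
    subject = msg.get("Subject", "").lower()
    cues = [w for w in URGENCY_WORDS if w in subject]
    if cues:
        findings.append("urgency cues in subject: " + ", ".join(cues))

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

Running the script reports four indicators for the constructed phishing message and none for the legitimate one. None of these checks is proof on its own; in practice they would feed a mail gateway's scoring alongside SPF/DKIM/DMARC results, and a message that trips several at once is a strong candidate for quarantine or user warning.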
VISHING (Voice Phishing) – Vishing is essentially the telephone equivalent of email phishing. It is aimed at tricking you into releasing sensitive information and/or paying for fraudulent services. Some of the most prominent "vishing" calls that I have seen have been automated calls with computerized recordings from the IRS. Others will pretend to be from your banking institution advising you of fraudulent activity, while some actually involve live humans attempting to gain access to your PC.
SMISHING (SMS Text Phishing) – Smishing is the text-message equivalent of email phishing. Many times this type of phishing will include a brief message with a link to a malicious site or a phone number to call. The messages can impersonate all types of services. According to the Pew Research Center, 77% of Americans own a smartphone. Smishing can be extremely effective because the attack occurs over the victim's "mobile" device, taking advantage of people's false sense of security with that device. Most people are aware of the security risks involved with suspicious emails; however, this is not the case when it comes to text messages.
Because social engineering attacks involve the human element, there will always be an exposure. So what can a company do? Well, for starters, ensure that all electronic systems are up to date and have the latest security "patches" installed. People can become complacent, and in a fast-paced world where multitasking is a prerequisite, best practices and common sense are the first things to go out the window. The best defense is user education: constantly communicating new threats to your employees keeps them "on their toes" and situationally aware.