Any computer specialist will agree that security is top priority at all levels of the OSI model. But often the biggest threat doesn’t come from within the network, but instead from the fictitious layer 8: 40 cm in front of the screen, where human users interact with technology. Cyber criminals have worked out how to manipulate typical human character traits and behavioural patterns like helpfulness, trust, respect, pride, gratitude, aversion to conflict, or fear, in order to gain illegal access to IT systems – a method known as social engineering that threatens billions of people every year. For companies, it’s essential to train employees accordingly, and to provide clear guidelines for dealing with confidential information.
What is social engineering?
You can have the most secure password in the world, but it counts for nothing if it’s given out freely to strangers. Social engineering consists of a range of psychological tricks, used as a form of industrial espionage, to obtain important security information from employees. Attackers then use this information to infiltrate a company’s IT system and gain access to protected data. The complete process of applying social engineering successfully is known as social hacking. Social engineering is also used to coax employees into taking careless action, for example by tricking them into installing unknown programs or carrying out questionable financial transactions. Direct contact between the perpetrator and the victim isn’t a prerequisite either: e-mail phishing is an indirect form of social engineering. Another traditional technique is a call from an alleged system administrator requesting a user password for troubleshooting purposes.
How does social engineering work?
While the idea of social engineering might sound banal at first, it has proven to be one of the most effective methods of infiltration. The reason is that certain positive and negative character traits exist in almost everyone. In the majority of cultures, it’s considered socially desirable to come across as nice, considerate, and helpful. Many people find it difficult to refuse a request in what they believe to be an emergency situation. Others will always try to cooperate out of fear of reacting incorrectly in unknown situations.
The following YouTube video demonstrates that even a seemingly overwhelmed mother and a crying baby can be enough to persuade the customer service assistant of an internet company to disclose sensitive customer data:
But it’s not always the good qualities of human behaviour that are the focus of manipulation experiments. Pride in your own work or the success of the company can also lead everyone from employees to CEOs to brag and reveal sensitive information – for example in a staged interview, to customers, or when meeting new job applicants. It’s also often the case that a tendency to avoid conflict can lead people to go against critical safety regulations. But the strongest motive for all irrational actions is fear. An example of how fear could be used in this case could be through a fake supplier threatening to cut off the internet for the afternoon unless he’s provided with information about the router and its configuration. If a caller uses lots of relevant, specific terminology and a sense of urgency and threat, it can put a lot of pressure on employees, particularly ones with a low technical understanding. Social hackers also take advantage of employees’ fears of their superiors: a popular technique is to send fictitious payment instructions by e-mail, pretending to be a boss.
When trying to make their victims feel comfortable, hackers usually pose as colleagues, bosses, or applicants. But if they’re trying to take an external approach, fraudsters will sometimes pose as associate service providers, carrying out customer satisfaction surveys or research for an institute, interested potential partners, or even disgruntled or confused customers.
Social engineers don’t always restrict themselves to one-time interactions either. And some take the approach of chatting away with small talk to make the employee feel at ease, or ask certain routine queries first to make the approach more believable. These techniques usually work by creating a level of trust and understanding between employee and hacker, with the hacker offering up plausible questions and fitting information about himself/herself to the point where the victim is subconsciously convinced the hacker can be trusted. Remember: These attacks are usually meticulously planned and researched. Some popular sources of information for this background research include the company website and social networks like Facebook or LinkedIn. And in extreme cases, hackers have been known to go one step further and carry out ‘dumpster diving’, meaning they rummage through a company’s trash looking for any business documents that have been thrown out.
Despite techniques like dumpster diving for research purposes, most social engineering attacks are carried out by e-mail or over the phone, because these methods require less technical effort and more anonymity. But this doesn’t mean that these are the only dangers for your company. Revealing business secrets, passwords, or other access tips in public places like bars, cafes, or restaurants can put your company at risk, even if it’s during a relaxed atmosphere with other colleagues about seemingly innocuous things like figures, work processes, or customer contacts. Employees regularly receive business calls on their private mobiles and often feel open and comfortable discussing business-related matters in public with no regard for who might be listening.
Scareware: automated social engineering
Scareware is a software-based variant of social engineering: special malware programs scare users into performing certain actions. Programs like this usually work as follows: the software displays a sudden and alarming threat on the user’s screen, while offering a simple solution, just as your operating system would. The threat is fake, and the ‘solution’ actually ends up giving important security information to the attacker. Scareware usually dominates the centre of the screen when it appears, to take advantage of our tendency to simply click ‘continue’ or ‘ok’ when messages pop up. It usually imitates common brand names and logos that we recognise, to trick you into installing damaging software that can access your personal information.
As an example, scareware could disguise itself as a free antivirus program, designed to inform the user upon installation about a range of fictitious computer viruses and to protect the computer via a full version that can be downloaded for a nominal fee. If the user enters payment details, the warnings are simply turned off.
Scareware doesn’t even have to infiltrate your computer operating system. In some cases, you can be tricked by a pop up or another form of animation on a website that warns you you’ve fallen victim to hacking and suggests a solution. The ‘defense’ being offered here usually is the actual attack – often facilitated by making you download damaging software in a Trojan horse technique. A variation of this attack pattern is to display the fake error message as a browser warning rather than a web page notification. This can be more successful because users tend to trust their browsers more than web pages.
Protective measures for companies
When it comes to protecting your own company from social engineering, the most important thing is to make your employees fully aware that they have access to confidential information. Training is an effective way to build awareness of the topic of economic espionage, as this gives you a chance to explain common attack patterns like the ones mentioned above and their consequences for staff and the business. It’s also sensible to create a set of strict rules regarding the handling of sensitive company data to add to your existing code of conduct in the workplace. Every employee should be completely clear on which information is considered secret, where sensitive data can be used, and how it should be properly stored.
Standard procedures for administrative activities can also be used to offer employees protection and guidance on how to behave in critical situations. For example, if every office worker knows that it’s strictly forbidden to give out any personal passwords from the company’s IT network over e-mail or telephone, even if being asked by a manager or colleague, then it will become harder for hackers to obtain this information.
Since social engineering relies on human error, it’s difficult to entirely eradicate the dangers of it through preventative measures. There’s always a possibility that hackers will manage to work their magic, but you can make it more difficult for hackers to access your sensitive information if you make sure to consider the following points:
- Keep a healthy suspicion of strangers in business: the bigger a company is, the easier it is for criminals to pass themselves off as colleagues, service providers, or other business associates. Protecting yourself from this danger can to an extent be done by simply keeping a healthy suspicion of people you don’t recognise. Sensitive data should only be offered to colleagues whose identity can be confirmed. By making a point of getting to know every new employee and having regular team events, you can help build your knowledge of coworkers and employees, to make sure you’re never caught out.
- Don’t offer private details over the phone: as a rule, sensitive information should never be given out over the telephone. This is especially true for incoming calls and with unknown communication partners. Even seemingly unimportant or incidental information can be used by hackers who are collecting information about your company’s operation so as to trick an employee further down the line.
- Be wary of e-mails with unknown sender addresses: if the sender of an e-mail can’t be easily identified beyond all doubt, approach with caution. All employees should report the e-mail to a manager or a member of the IT department before sending any response. If the message contains an unusual or unexpected call to action, for example a request for an outstanding payment, it’s very important to check the authenticity of this claim before proceeding with the request.
- Be on the lookout for strange links or e-mail attachments: time and again, internet users find e-mails in their inbox containing links to forms or web pages asking for data. Hackers use techniques like this to get hold of banking information, passwords, or customer numbers. But in the business world, practices like these are completely unnecessary. Serious banks, online shops, or insurance companies would never ask you to open a separate web page and enter sensitive information. Be aware of file attachments in e-mails too. These could contain spyware or malware which starts installing in the background and gives hackers external access to your system. You can minimise this risk by making sure that employees only ever open attachments from trusted senders.
- Ensure data protection on social networks: a lot of preparation and work goes into most social engineering attacks long before the actual hack takes place. Along with information on the company website, fraudsters often use the data made readily available on social networks in order to create a believable backstory for a manipulation attempt. In general, the rule is as follows: the more information about themselves that employees or coworkers offer on social media, the more vulnerable they are to the dangers of social engineering. By making your employees aware of this fact, you can increase the chances of them using privacy settings on sites like Facebook, Instagram, or Twitter. There’s also the option of setting mandatory restrictions in your office’s code of conduct, though taking away employee freedoms isn’t always recommended.
The complexity of the topic and the diversity of approaches taken by hackers make it impossible to prepare staff for all types of social engineering attacks. But through regular training exercises and educational seminars on the importance of data protection, you can raise awareness of the potential danger posed by cyber hackers. However, preventative measures should never go too far. If they start to harm team spirit, create an atmosphere of general mistrust in colleagues, or create fear of mistakes, then they’re more trouble than they’re worth.
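As an added illustration of the e-mail warning signs in the list above (this is example code written for this page, not part of the original article), the following Python script applies a few defensive heuristics to constructed sample messages: a known colleague’s display name paired with an unexpected address, a Reply-To domain that differs from the From domain, a link whose visible text names a different host than its actual target, and an attachment with an extension that can execute code or macros. The company domain example.com, the staff entry for “Jane Doe”, the look-alike domain examp1e-mail.net, the address 203.0.113.5 and the extension list are all assumptions made up for the example; a real deployment would read staff names and the domain from a directory.

```python
# Added example, not code from the original article: defensive checks for the
# e-mail warning signs described in the list above. All names, domains and
# messages are constructed for the example.
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: the company's own mail domain and a small directory
# of staff whose display names an impersonator might borrow.
INTERNAL_DOMAIN = "example.com"
KNOWN_STAFF = {"jane doe": "jane.doe@example.com"}
# Assumed list of extensions that run code or carry macros when opened.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".docm", ".xlsm", ".html"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    return address.rpartition("@")[2].lower()


def analyse(raw):
    """Return human-readable warnings for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:        # colleague's name, foreign address
        findings.append(f"display name '{name}' used with unexpected address {addr}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(addr):
        findings.append(f"Reply-To {reply_addr} does not match From domain {domain_of(addr)}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"attachment {filename} has a risky extension")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                if "://" not in text:                # only compare when the text shows a URL
                    continue
                shown, actual = urlparse(text).hostname, urlparse(href).hostname
                if shown and actual and shown != actual:
                    findings.append(f"link shows {shown} but points to {actual}")
    return findings


def spoofed_sample():
    """Constructed message imitating a 'boss' sending an urgent payment instruction."""
    msg = EmailMessage()
    msg["From"] = '"Jane Doe" <jane.doe@examp1e-mail.net>'   # look-alike domain (constructed)
    msg["Reply-To"] = "jane.doe@mail.example.net"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Urgent: outstanding payment"
    msg.set_content("Please settle the attached invoice today.")
    msg.add_alternative(
        '<p>Please log in at <a href="http://203.0.113.5/login">'
        "https://bank.example.com/login</a> and settle the attached invoice.</p>",
        subtype="html")
    msg.add_attachment(b"not a real document", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    return msg.as_string()


def clean_sample():
    """Constructed legitimate internal message for comparison."""
    msg = EmailMessage()
    msg["From"] = '"Jane Doe" <jane.doe@example.com>'
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Team meeting"
    msg.set_content("Reminder: team meeting at 10.")
    return msg.as_string()


if __name__ == "__main__":
    for label, sample in (("spoofed", spoofed_sample()), ("clean", clean_sample())):
        print(label, analyse(sample) or ["no warnings"])
```

The checks are deliberately conservative: the link comparison only fires when the visible text itself looks like a URL, because “Click here” pointing anywhere is normal, whereas a displayed bank address that leads to a different host is exactly the trick the list above warns about. Such a script is an aid for the reporting step described in the list, flagging messages for a manager or the IT department; it does not replace verifying an unexpected payment request by another channel.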