In recent years we have seen more and more conflict on the cyber battlefield. As more attacks and breaches occur, more and more resources go into defensive actions. Firewalls, strong passwords, and updating software are essential to securing the home front. However, when considering cyber defense, you must not forget that the most commonly exploited component is the human. Exploiting people this way is commonly called social engineering. Why bother learning the skills to hack into a computer when it is easier to trick, manipulate, or intimidate a person into handing over their credentials? Thinking like this has led to a surge in hacking that relies on psychology rather than technical skill. Hopefully shedding some light on what is out there will help you identify these scams before you fall victim to them.
Think of social engineers as related to the classic conman, because both use similar tactics. The only difference now is the medium. Social engineers primarily use email because of how simple it is to reach large groups of people. The general term for email scamming is phishing. Just like with the conman, you will see scare tactics, fake urgency, deals too good to be true, and impersonations. Phishing emails always have a subject line that catches the eye, for example: "Cancellation of Health Care Coverage," "IRS Tax Inquiry," "Bank Account Overdrawn," or "Get 90% Off New iPad Order Now." You can also expect all caps and excessive amounts of exclamation points. If you suspect an email to be a phishing attempt, don't click any links or attachments. To distinguish between the imposter and the original, hover your mouse over the sender address and compare it to an email you are certain came from the real sender. Another indicator of phishing is misspelled words or poor grammar, as these emails are often pushed out quickly. If possible, call the company or individual at the number you know is theirs, not one included in the email. When in doubt, just delete the message. Standard phishing uses automation and a general message template so it can be sent to large groups of people. This kind of phishing works on the principle of "more lines, more bites," but a newer, more advanced method of phishing uses a more targeted approach.
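The red flags listed above (an eye-catching or urgent subject line, all caps, piles of exclamation points, too-good-to-be-true offers, and a sender address that does not match who the message claims to be from) can be turned into a simple triage check. The following is an added example, not code from the original post: a small scorer that runs those heuristics over a few constructed sample messages. The brand names, the list of known-good sender domains, and the sample emails are all made up for the example.

```python
"""Heuristic phishing indicator scorer (added example, not part of the original post).

Scores an email on the red flags described above: an urgent or
too-good-to-be-true subject, all caps, excessive exclamation points,
and a sender domain that does not belong to the organisation the
message claims to come from. All sample data below is constructed.
"""
import re
from email.utils import parseaddr

# Constructed: the only sender domains we treat as legitimate for the
# brands named in the sample messages. A real deployment would maintain
# this list from the organisation's own records.
KNOWN_GOOD_DOMAINS = {
    "Example Bank": {"examplebank.com"},
    "IRS": {"irs.gov"},
}

# Scare-tactic and fake-urgency wording taken from the post's examples.
URGENCY_WORDS = {
    "urgent", "immediately", "cancellation", "overdrawn", "suspended",
    "inquiry", "verify", "act now", "order now",
}

# "Deals too good to be true": big percentage discounts, free, you've won.
TOO_GOOD_RE = re.compile(r"\b\d{2,3}% off\b|\bfree\b|\byou(?:'ve| have) won\b", re.I)

# Constructed sample messages: two phishing attempts and one legitimate notice.
SAMPLE_MESSAGES = [
    {"from": "Example Bank Alerts <alerts@examp1ebank-secure.net>",
     "subject": "BANK ACCOUNT OVERDRAWN!!!",
     "body": "Your Example Bank account is suspended. Verify your details immediately!"},
    {"from": "Example Bank <statements@examplebank.com>",
     "subject": "Your March statement is available",
     "body": "Sign in at your usual address to view your statement."},
    {"from": "Deals <promo@ipad-deals.example>",
     "subject": "Get 90% Off New iPad Order Now",
     "body": "Limited time!!! Click here."},
]


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header, or ''."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_email(msg):
    """Return (score, reasons) for a dict with 'from', 'subject' and 'body' keys.

    Each triggered heuristic adds one point; the reasons list explains them.
    """
    reasons = []
    subject = msg.get("subject", "")
    body = msg.get("body", "")
    text = f"{msg.get('from', '')} {subject} {body}".lower()

    # All caps: more than 70% of the letters in the subject are upper case.
    letters = [c for c in subject if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.7:
        reasons.append("subject mostly upper case")

    # Excessive exclamation points across subject and body.
    if subject.count("!") + body.count("!") >= 3:
        reasons.append("excessive exclamation points")

    # Scare tactics and fake urgency.
    hits = sorted(w for w in URGENCY_WORDS if w in text)
    if hits:
        reasons.append("urgency/scare wording: " + ", ".join(hits))

    # Deals too good to be true.
    if TOO_GOOD_RE.search(text):
        reasons.append("too-good-to-be-true offer")

    # Impersonation: the message names a brand but was not sent from that
    # brand's known domain (the "hover over the sender address" check).
    domain = sender_domain(msg.get("from", ""))
    for brand, domains in KNOWN_GOOD_DOMAINS.items():
        if re.search(r"\b" + re.escape(brand.lower()) + r"\b", text) and domain not in domains:
            reasons.append(f"claims to be {brand} but sent from '{domain or 'unknown'}'")

    return len(reasons), reasons


def triage(messages):
    """Score every message and return the results in the input order."""
    return [score_email(m) for m in messages]


if __name__ == "__main__":
    for msg, (score, reasons) in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{score} | {msg['subject']}")
        for r in reasons:
            print("    -", r)
```

A score of zero is not proof that a message is safe, and a high score is not proof of phishing; the point of the check is the reasons list, which tells a reader which of the red flags from the paragraph above to look at before deciding whether to verify the sender out of band.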
Spear phishing is phishing with a personal touch. Typically, these emails appear to be from, or to involve, someone you know: a coworker, friend, or family member. Social engineers usually gather this information about you from social media, so proceed with caution even when familiar names are used. The best way to deal with spear phishing is to contact the person mentioned and ask if they know anything about it. Just like with standard phishing, if your gut tells you something's off, delete the email.
Social engineers rely on people's mistakes, so the best way to thwart them is to read your emails carefully. Take your time, don't be intimidated by unsolicited emails, and understand when something is too good to be true. Think before you click!
Trace M. Beethe – IS Intern