network coverage logo
SALES OFFICE 888.800.0433
SUPPORT: Boston 978.739.8060
SUPPORT: Wash. D.C. 703.997.9747
SUPPORT: Salt Lake City 435.200.9995
SUPPORT: Chicago 312.626.6160
SUPPORT: Nashville 615.647.6417
SUPPORT: Raleigh 919.833.9717

Social Engineering: A Hacker’s Best Friend

In the movie Focus, Will Smith stars as Nicky, a clever conman who uses the power of social engineering to strategically remove valuables from his completely unsuspecting victims while also training Margot Robbie (Jess) how to be a better con artist. While dancing in the street, Jess flirts with a man while keeping him distracted long enough to slip his wedding band off his hand and onto hers.

Social engineering isn’t just quick cash grabs or grand larceny in the physical sense. It’s also an incredibly powerful tool used by cyber criminals to infiltrate otherwise secure businesses successfully. No amount of firewalls can keep an intruder out if that intruder is already within the protected environment. Is there anything that can be done to prevent social engineering attacks? It all depends.

How Social Engineering Works

Social engineering is a practice where people, usually in physical form but sometimes digitally, trick their peers into performing some self-infliction that allows them to be taken advantage of. A typical example is a criminal who pretends to do a magic trick but ends up stealing from the trick’s participant instead.

In the cyber security world, social engineering is a lot less glamorous in most cases but potentially even more dangerous. We’re sure you’ve seen the spam emails in your inbox that claim you’ve won some sort of prize or that your online shopping account needs a password change. This type of social engineering attack involves phishing, a practice where unsuspecting recipients are tricked into entering information or clicking a malicious link through seemingly official means. It’s common for phishing attacks to target user emails, but it has also graduated to text messaging, social networking sites, and fake websites.

Famously, Target was the victim of a phishing attack that saw 40 million credit cards get stolen. An HVAC technician contracted to Target fell victim to social engineering and opened a malicious email. Attackers used the Target credentials from the HVAC tech to gain access and deploy the malware across Target’s system. What’s worse, the malware that was released is pretty standard and easily detectable by most business antivirus systems. However, the final nail in the coffin was the security center in Minneapolis ignoring the security breach even after being notified. This led to more the 70 million customers having their information stolen.

Other forms of social engineering can include completely offline and in-person attacks, such as stealing or copying hardcopies of passwords on sticky notes or employee notebooks. While these may sound like rudimentary attacks, they are the most dangerous since attempts to infiltrate the security system happen from within. When someone can pose as an employee at the location that will be authenticated, this eliminates the most challenging part: Tricking your victim.

How to Prevent Social Engineering Attacks

  1. Check the Sender’s Email or Phone Number

Social engineers frequently use authentic-looking communications to pull off phishing attacks. With the exception of spoofing, most low-level social engineering attacks use incorrect email addresses when posing as fellow employees or vendors. The same goes with phones; if the number looks suspicious, it probably is, especially if they’re asking for some sort of login information when you have not requested a password reset, for example.

  1. Secure Login Credentials

Security measures like two-factor authentication can severely hinder a cyber criminal’s ability to gain access to user accounts. However, many times the attack happens in person. In this case, the would-be criminal only needs to find an unsuspecting victim that has left their login credentials visible to the public. Enforce strict policies stating that there’s no writing down physical passwords, and be sure to have a good password change policy, such as a new password every 60 days.

  1. Admittance Policy

While network security is obviously essential, unauthorized access to your business’s property can be one of the fastest ways for a social engineer to wreak havoc on your company’s data. That said, attendance policies, vetting outside contractors for third-party vendors, and developing a keen eye for malfeasance will go a long way.

When Being Social Isn’t Fun

Social engineering is a powerfully deceptive tactic that criminals can use to extract both physical and digital assets from you or your company. Industry-best cyber security practices and procedures can help to sort these attacks in their infancy. Still, it’s important to remain diligent, especially when it only takes seconds for an internal attack to happen.

Leave a Reply

Your email address will not be published.

Blog Categories