Social Engineering – The Next Big Security Attack Vector

Advanced anti-malware programs have made it more difficult for hackers to break into systems or take over your personal computer. This includes programs that not only look for the fingerprints of known malicious threats but also identify new or custom malware before vendors can create and push out new virus definitions. Another big advancement is multi-factor authentication (MFA). With MFA, a hacker needs not only a potential victim’s username and password but also access to their mobile device, to enter the security code delivered by text message or generated by an authentication app. MFA utilization has resulted in a 95% drop in account takeovers!

But that doesn’t mean everything is rosy on the security front. There is too much money at stake for the hackers to just fold their tent and seek legitimate work. It is a cat-and-mouse game, with software developers and security engineers trying to stay at least one step ahead of their schemes.

Hackers are turning their attention to the weak link – system users – i.e. your staff. Here are some of the types of social engineering attacks they will try to employ:

  • Phishing – Tricking people via phone, email, and/or social media into giving out sensitive information such as usernames and passwords for things like bank accounts, VPNs, and internal systems not protected by MFA.
  • Baiting – A type of attack where the hacker poses as a senior executive to trick an employee via a phone call, text message, or email. They ask the victim to make bank transfers or to use a corporate credit card to buy a large number of gift cards and then hand over the redemption codes from the cards.
  • Tailgating or Piggybacking – Gaining access to your office by walking in behind another staff member, or talking their way past a guard or receptionist by pretending to be somebody official such as an HVAC technician or inspector.
  • Pretexting – Calling, texting, or emailing while pretending to be somebody in authority, such as an IRS auditor, and intimidating the potential victim into giving out financial or personal information such as a social security number or bank account details.
  • Honey Trap – Attackers can even stoop to feigning romantic interest in the victim, luring them into an online relationship, and then persuading them to reveal private details or to send money to help the scammer out of a supposed hard situation.

How can you avoid becoming the victim of one of these schemes?

  • Be aware that hackers are using these techniques to lure victims into their traps. Train your teams to be vigilant and to look out for situations that don’t seem right.
  • Independently verify information in a text or email before acting on it. For instance, call the CFO directly, using a number you already have rather than one supplied in the message, and ask if they sent you the text.
  • Train staff not to let anyone follow them in when entering the building, and to direct such visitors to your reception area instead. If someone pushes their way in, do not attempt to stop them! Call the police and alert management to the situation.
  • Use multi-factor authentication on all systems that support it.

You and your team are the most important links in the security chain. To use a superhero reference, you need a “spidey sense”: an intuitive feeling that something is dangerous or risky, so that you can stop these attacks before they succeed.