Cybersecurity is not all about technology; many times the human factor is the weak link. Social engineering is about deception on one level or another. Interestingly, it has quite a bit in common with tactics spies have used for centuries: somehow gaining trust, or at minimum not drawing into question something or someone who can then perform a potentially nefarious act. In many cases the bad guy never uses technology.
In the physical world, an example is entering a work building through a side door where you scan a cardkey for access; a bad actor will simply follow someone in. This is called “tailgating,” and many people don’t even think to check whether the person walking in behind them is actually supposed to be there. Basically, the bad actor is trying to look like they belong: dressed like an employee, carrying a backpack, maybe looking distracted by faking a phone call as they walk through the door. Now they are in the building and can steal things or snoop around, maybe take some pictures of strategy printouts on the wall, and so on.

In cybersecurity it specifically means using human skills to manipulate a target individual into letting the bad guy do something bad. Combined with technology, this is rampant: scammers use pop-up advertisements that look like legitimate Windows, Android, or Apple operating system error messages, stating there is some kind of urgent issue with the machine, but just call this toll-free number and someone can help. You are then connected to a scammer who pretends to be from Microsoft or Apple and walks you through a process that steals your information.
Another approach is one you have likely experienced: a phone call claiming something is wrong and that an agent will help you, but only for a “limited time,” or something similar to shift you away from noticing that it is fishy. It is much like a shell game; distraction is the key.
With technology, of course, you can be attacked via text messages, direct messages on social media, e-mail, or phone calls. There are many tips out there, but some to keep in mind:
- Caller ID should not be trusted; bad guys can make their phone numbers appear to be from anywhere (this is called “spoofing”).
- Training is huge. If you are in business, ensure your teams are trained in security; if you are an individual, read up on the attacks and be a bit wary.
- “Too good to be true”: don’t trust offers of bizarrely discounted software or services where you just need to “install this small app.”
- Know that tech support is not going to call you out of the blue. If you need tech support, verify the number to call for a given company and use that number.
- If you are the subject of an attempted messaging or e-mail attack, take a moment and really look at the link they are sending you to. In just about all cases it will be a website you have never heard of.
- No one should ever ask you for your password.
- No one should ever ask you to download software onto your machine.
- In the workplace, be sure people swipe their keycards to get access; it is fine to ask someone who is trying to tailgate to swipe in.
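To make the “really look at the link” tip concrete, here is an added example (not part of the original post) that reports which site a link actually goes to and whether that matches the text shown for it. The `KNOWN_DOMAINS` list and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed for the example: sites the reader actually does business with.
KNOWN_DOMAINS = {"microsoft.com", "apple.com", "mybank.example"}


def actual_host(url: str) -> str:
    """Return the host a browser would really connect to for this link.

    urlsplit() separates the parts a casual glance runs together: anything
    before an '@' in the authority is user info, not the site, and the port
    is dropped by .hostname.
    """
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Keep the last two labels ('login.apple.com' -> 'apple.com').

    A simplification of public-suffix handling; IP literals are returned as-is.
    """
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text: str) -> bool:
    """True when the link text itself is a web address rather than words."""
    text = text.strip()
    return "." in text and " " not in text


def check_link(display_text: str, href: str) -> dict:
    """Compare what a message shows for a link with where it really goes."""
    target = registrable_domain(actual_host(href))
    matches = True  # plain words like "Click here" cannot contradict the target
    if looks_like_url(display_text):
        shown = display_text if "://" in display_text else "http://" + display_text
        matches = registrable_domain(actual_host(shown)) == target
    return {
        "goes_to": target,
        "known": target in KNOWN_DOMAINS,
        "text_matches_target": matches,
    }


if __name__ == "__main__":
    # Constructed sample: the visible text names a familiar brand, the real host does not.
    print(check_link("https://support.apple.com",
                     "https://support.apple.com@help-desk.example/verify"))
```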
Many times social engineering is a way to get you to unwittingly install malware on your device; see my article on malware here: https://ericcrichardson.com/2021/01/20/cyber-smart-the-malware-family-and-attacks/amp/
Technology can be risky, yes, but the human factor is very often the tool of choice these bad actors use when attacking. Social engineering is often considered one of the very highest areas of risk to securing our technology.