Google ‘social engineering’, and in 0.53 seconds you end up with roughly 670 million results – give or take a few. Six hundred and seventy million.
In fact, two days ago, I was targeted myself. I received a phone call from +000000000. An automated attendant posing as my financial institution advised me that my debit card had been breached and that I needed to press “1” to be transferred to the security department to reactivate it. My experience with these types of scams led me to just hang up and move on with my day. But many people get trapped by these schemes. So why do so few people know what social engineering is? And why do so many people still get caught up in its web? According to SocialEngineer.org – social engineering is “any act that influences a person to take an action that may or may not be in their best interest.” The organization takes pains not to cast the term solely in a negative light, because “…we feel that social engineering is not always negative, but encompasses how we communicate with our parents, therapists, children, spouses and others.”
A Common Social Engineering Tactic: Chasing the Password Reset
There have been widely reported cases of hackers manipulating high-profile companies like PayPal and GoDaddy support teams to hand out password resets. In one case, wired.com senior writer, and victim, Matt Honan wrote, “In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.” In both of these cases (there are many, many others), the victims were private citizens. But imagine if this were your Fortune 500 company? Your entire organization’s digital life, all of your marketing efforts, wiped out. Worse, your company name used to send out inflammatory and defamatory messages and emails. Here are some statistics:
- In 2012-2013, phishers launched attacks affecting an average of 102,100 people worldwide each day – twice as many as in 2011-2012
- The services of Yahoo!, Google, Facebook and Amazon were most often attacked by phishers – 30% of all registered incidents involved fake versions of their sites.
- Over 20% of all phishing attacks mimicked banks and other financial organizations.
- American Express, PayPal, Xbox Live, Twitter, etc. are among the top 30 most targeted sites.
Your Password Can Be Hacked in Seconds
Honan wrote another very detailed article about our reliance on passwords. You should read it. It’s breathtakingly simple for hackers to steal your passwords. And the costs to an organization dealing with a security/data breach are high. “After Sony’s PlayStation account database was hacked in 2011, the company had to shell out $171 million to rebuild its network and protect users from identity theft. Add up the total cost, including lost business, and a single hack can become a billion-dollar catastrophe.” If you think you personally won’t be affected, I assure you, you will be. Dell’s SecureWorks reported a phishing attack that managed to ‘catch’ 1400 executives. Seemingly sent by the Better Business Bureau, this attack required these professionals to download a document. What they actually downloaded was a virus that cleaned out all the data on their computers.
We Are Human and We Are Fallible
And that’s why you need to have security measures and policies in place, and distributed to your staff, from the CEO on down. Use password creation software, and enforce a policy whereby all staff change passwords on a regular basis. Don’t click any links that haven’t come from a known or trusted source. And one of the biggest security measures to remember is actually quite simple: if it seems too good to be true, it usually is. Stanford University has a detailed list of things to avoid on its website. Here are a few you need to take note of:
- Avoid clicking links people send you; use a search engine to find the proper link instead.
- Any unsolicited email, even one that appears to come from a trusted friend, should be discarded immediately. No reputable company works this way.
- Email with misspelled, mispunctuated or bizarrely formatted text or graphic elements is almost surely a scam.
- “Please call this number to verify [xxx].” You’ll get a recording asking you to leave all sorts of useful information. Don’t ever call telephone numbers you can’t first verify.
- Vishing: These same pitches and scams work in airports, for panhandlers, and all sorts of non-computer scammers, too, by the way. Imagine this scenario: “Hey, Jill, this is Ralph over in accounting. I’ve forgotten [xxx], can you help me out?” Look up their number and call them back.
- SMSiShing: The same idea applies to text messages on your phone. Don’t believe a bank will text you; call them on an independently verified number.
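The items in that list can be turned into simple, mechanical checks. The following is an added example written for this article, not code from the post or from Stanford's list: a small Python scorer that looks at a sender address and an HTML message body and reports the indicators the list warns about (a link whose visible text names one site while its href points elsewhere, a link to a raw IP address or an untrusted domain, a sender domain that is a near-miss of a trusted one such as paypa1.com, a request to call a phone number embedded in the message, and pressure language like "verify immediately"). The two sample messages, the trusted-domain set and the phone number are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host):
    """Last two labels of a hostname ('login.example.com' -> 'example.com')."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (paypa1 vs paypal)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Heuristic phrases and patterns; the phrase list is an assumption for the example.
URGENCY_PHRASES = ("verify", "suspended", "immediately", "reactivate",
                   "press 1", "call this number", "breached")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def phishing_indicators(sender, html_body, trusted_domains):
    """Return a list of human-readable indicators found in one message."""
    flags = []
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    if sender_domain not in trusted_domains:
        lookalikes = [d for d in trusted_domains if 0 < edit_distance(sender_domain, d) <= 2]
        if lookalikes:
            flags.append(f"sender domain {sender_domain} looks like {lookalikes[0]}")
        else:
            flags.append(f"sender domain {sender_domain} is not trusted")

    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if IPV4_RE.match(host):
            flags.append(f"link uses a raw IP address ({host})")
        elif registrable_domain(host) not in trusted_domains:
            flags.append(f"link to untrusted host {host}")
        # Visible text names a site, but the href goes somewhere else.
        m = DOMAIN_IN_TEXT_RE.search(text.lower())
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            flags.append(f"link text '{text}' hides destination {host}")

    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    if PHONE_RE.search(plain) and "call" in plain:
        flags.append("asks you to call a phone number embedded in the message")
    hits = [p for p in URGENCY_PHRASES if p in plain]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


# Constructed sample messages (not real mail); 192.0.2.10 and 800-555-0199 are reserved test values.
TRUSTED = {"paypal.com"}
PHISH_BODY = """<p>Your account has been suspended. Verify immediately at
<a href="http://192.0.2.10/login">www.paypal.com</a> or call 800-555-0199.</p>"""
LEGIT_BODY = """<p>Your monthly statement is ready.
<a href="https://www.paypal.com/statements">View statements</a></p>"""

if __name__ == "__main__":
    for sender, body in (("security@paypa1.com", PHISH_BODY),
                         ("notifications@paypal.com", LEGIT_BODY)):
        print(sender, "->", phishing_indicators(sender, body, TRUSTED) or ["no indicators"])
```

The checks are deliberately conservative: a message with no indicators is not proven safe, and a single indicator is a reason to pause and verify through an independently looked-up channel, which is exactly the advice the list gives for both email and phone.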
Be Aware – Always
After that call came in Sunday morning, I did take one action. Since I have children in high school and elementary school with their own bank accounts and smart devices, I used this as a teaching moment for them. And while I’m not positive they understand the impact that a simple phishing call or email can have on their lives, I hope that, at minimum, they know to ask or tell their mother or me when these events occur. In similar fashion, organizations need to educate their personnel on how to identify a potential attack and establish policies and procedures in the event an attacker is successful.