Social Engineering
How to Stop Social Engineering, Phishing Attacks, and Identity Theft
What is social engineering?
In a social engineering scenario, the attacker (bad actor) uses human interaction through social media, email, or some other form of communication to obtain targeted information. These bad actors typically claim to be a new employee, repair person, or researcher and may offer false credentials to support their story. By asking questions, the bad actor may be able to piece together enough information to accomplish their mission. If an attacker is not able to gather enough information from one source, they may contact another source within the same organization and use the information from the first source to add to their credibility.
What is phishing?
Phishing is a form of social engineering in which the bad actor uses email or malicious websites to solicit information by posing as a trustworthy organization. For example, the bad actor may send an email that appears to come from a reputable company (Netflix, Amazon, Bank of America), often suggesting that there is a problem with the recipient's account. When users respond with the requested information, the bad actor uses it to piece together a profile of the victim or to gain direct access to the target's accounts.
Phishing attacks may also appear to come from other types of organizations, such as charities or political groups, or from a friend's email address. Attackers also often take advantage of current events and certain times of the year, such as:
- Natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
- Epidemics and health scares (e.g., H1N1, COVID-19)
- Economic concerns (e.g., IRS scams)
- Major political elections
- Holidays
What do they want?
In simple terms, someone wants access to confidential information from your personal life or career. In most cases, that means:
- Your Username
- Your Password
- Date of Birth
- Social Security Number
- Bank Account
- Identifiable Sensitive Information
The Attacker's / Bad Actor's Goal
- Character Defamation
- Financial Gain (ransomware)
- Corporate Sabotage
- Fame
How does an attacker, hacker, or bad actor make money?
The estimated cost of ransomware attacks has increased from $8 Billion in 2018 to $20 Billion in 2020.
What exactly is ransomware?
Ransomware is a type of malware that encrypts company data and holds it for ransom. Typically, attackers either encrypt data and make victims pay for a decryption key, or threaten to leak the sensitive information they have stolen.
How to improve your network defense?
- Keep your operating system patched and up to date, so that there are fewer vulnerabilities for an attacker to exploit.
- Do not install software, or grant it administrative privileges, unless you know exactly what it is and what it does.
- Install antivirus software, which detects malicious programs like ransomware as they arrive, and application whitelisting (allowlisting) software, which prevents unauthorized applications from executing in the first place.
- And, of course, back up your files, frequently and automatically! That will not stop a malware attack, but it can make the damage caused by one much less significant.