Contributed by Robin B. Saunders, Director of Graduate Programs in Communications and Information Management & Miroslaw Nowak, Masters Candidate Cybersecurity Management
Ever unknowingly bite into a hot pepper, thinking it was of the mild variety, and then had to endure the pain of your mistake? If so, you're familiar with the concept of social engineering. It's popping up everywhere these days, and its burn is a lot harder to quell.
What is Social Engineering?
Social engineering is a serious threat - it is a carefully planned attack feeding on the vulnerability of human nature to trick otherwise unsuspecting users or employees into handing over confidential or sensitive data. As Kevin Mitnick, author of The Art of Deception states, “the human element is the weakest link in otherwise technologically strong security defense. It is evident that regardless of how technologically secure a network can be, the human element will always be its proverbial Achilles heel.” In other words, people are trusting and willing to help others, and these attackers use that to their advantage.
Have you ever received a phone call or email from people giving free credit card offers?
Have you ever mistakenly clicked on a link that took you to a fake website?
Have you ever received an unexpected call from someone claiming to be from the IRS?
Have you ever clicked on a Facebook message claiming that a famous celebrity had just died?
Well…. you might have been the victim of a social engineering attack.
How a Social Engineer Stole $28 Million Worth of Diamonds
In 2007, a man stole $28 million worth of diamonds from an Antwerp bank. He carefully planned the robbery, becoming one of several trusted diamond traders with access to the vault. The suspect had been a regular customer at the bank for the past year, using a stolen Argentine passport and giving the name Carlos Hector Flomenbaum. He used his charm as a weapon to gain the confidence of the bank employees.
The social engineer employs the same persuasive techniques the rest of us use every day. We take on roles. We build credibility. We call in reciprocal obligations. But unlike most of us, the social engineer applies these techniques in a manipulative, deceptive, highly unethical manner, often to devastating effect. Carlos bought chocolates for the personnel of the bank, he charmed them, got the original set of keys to make copies, and received information on where the diamonds were. The bank had a rather sophisticated security system, but it was rather useless against this particular case of social engineering. People can be very easily distracted. Often, they are stressed out, overworked, tired, and security may be the last thing on their mind. How often do employees leave their workspace with a computer that is logged-in with their credentials to get a coffee or cup of water? Sometimes, those little things could be the most dangerous ones.
How You Can Protect Yourself
Be suspicious of unsolicited contact from individuals seeking internal organizational data or personal information.
Do not provide personal information or passwords over email or on the phone.
Do not provide information about your organization.
Pay attention to website URLs that use a variation in spelling or a different domain (e.g., .com vs. .net).
Verify a request’s authenticity by contacting the company directly.
Install and maintain anti-virus software, firewalls, and email filters.
If You Think You Might be a Victim
Report the incident immediately.
Contact your financial institution and monitor your account activity.
Immediately change all of your passwords.
Everyone is a target. Stop. Think. Connect. Protect yourself and help keep the web a safer place for everyone.