Just recently, I had a great podcast with one of my business partners. The topic of discussion was the SolarWinds fiasco, and our main points of conversation were how it happened, what we have learned from it so far, and the best way in which Corporate America can move forward. I learned a lot more about this Cyberattack from this conversation than I knew before.
For example, I did not fully realize the magnitude or breadth of the attack. It was not just businesses that were impacted, but also many government agencies (at both the federal and state levels), educational systems, nonprofit organizations, and in fact even all of the military branches of the United States as well. But keep in mind that there is still a lot more coming out on this, and the podcast has only scratched the surface of it.
Based on this, the common theme among Cyberattackers has primarily been to use newer, and of course much more sophisticated and covert, threat variants that are built on the profiles of existing ones. Probably the best example of this is Phishing. Ransomware, BEC attacks, etc. are not new threat variants in themselves; rather, they are crafted from the same techniques as the very first Phishing campaigns.
Those go back to the late 1990s, when AOL became the first publicly known company to have been hit by a massive Phishing attack. Since then, of course, the Cyberattacker has had over two decades to fine-tune their craft in this regard. But believe it or not, there is yet another threat variant out there that is now being used much more heavily, and which dates back to, or even predates, the era of Phishing.
This is what is known as “Social Engineering”. Put in simpler terms, these are the techniques a Cyberattacker uses to strike a certain human emotion so that you give in to what they are seeking. Typically, those emotions are fear and a sense of urgency. Today, Robocalls, Smishing attacks (Phishing done via text messages to your Smartphone) and even phony snail mail letters are the main vectors used.
After all, why spend time creating a digital form of attack when all one has to do is pick a phone number and build up some level of rapport with the person who answers? Once that rapport has been established, all the Cyberattacker has to do is strike the right emotional chord with the unsuspecting victim in order to garner the information they are seeking.
So, you might be asking at this point, what are some of the variants of Social Engineering, just as there are for Phishing? The following are just a sample to get started with:
*Trust:
In our everyday lives, trust is something that all human beings cherish. For example, it is a great feeling when you know your boss or your colleagues can trust you to get the job done. Heck, this is particularly true when it comes to dating. It can take some time for that level of trust to develop between two people, but when it does, boy does it feel great!!
This is exactly how the Cyberattacker works in this instance. At least in the business setting, they will often call, or even send letters to, a lower ranking member of the company, such as the administrative assistant. They know that people with this job title are very often overworked and very often feel undervalued. So, in an effort to bridge that gap, the Cyberattacker will literally “smooth talk” this individual to build up a level of trust. As just mentioned, that feeling of trust is also what makes us that much more vulnerable, and when the moment is right, the Cyberattacker will use it to extract as much confidential information as possible. The check here is simple: a caller's charm is not a credential, so any request for information should go through the same verification you would apply to a complete stranger.
*Being Helpful:
Apart from trust, we humans also love it when we know we are being of help to another individual in need. As a result, the number of Robocalls has increased greatly, in which the caller pretends to be someone in need, or to need some particular piece of information that you have which will make whatever is (hypothetically) affecting them go away. But this tactic has been so overused that the Cyberattacker will most likely not rely on it unless a very rare event occurs that affects literally the entire human race. The best example of this is the recent COVID-19 pandemic, during which millions of Emails and fake websites were set up asking for money and donations. In fact, even on Social Media, be extra careful of people asking for money, especially on those “Go Fund Me” pages. As in everything else in life, only give money to individuals and entities that you know and are familiar with. It is very important to note that sympathy-based attacks are one of the prime threat variants in this regard.
*Fear:
This is the complete opposite of the above two. When it comes to striking fear into us, one of the biggest pain points is getting those Emails saying that our financial accounts have been compromised and that we must take action now to correct what has happened. I get these all of the time, most especially ones claiming to be from PayPal. An interesting trend to note is that these kinds of Emails usually don’t come out until the wee hours of the night. This is when our guard is typically down, and we are often too bleary-eyed to take stock of what is really going on, and so we become a victim when we log into that phony website.
Another huge fear tactic is the phony call or snail mail letter from the IRS. These letters look so real and genuine that it is almost impossible to tell what is fake and what is not. But keep this cardinal rule in mind: the IRS, or for that matter any legitimate financial organization, will never ask for your confidential information this way. If you receive any calls or snail mail letters like this, always contact the organization in question to see if they even sent it in the first place, and do so using a phone number or address you look up yourself, never the one printed in the letter or given to you on the call. Also, if something like this ever happens to you, take a few minutes to calm down so that the initial feeling of anxiety and fear goes away and your logical mind resumes control. In other words, don’t shoot first and ask questions later.
*Optimism:
Heck, given the times that we are in now, who does not want to be hopeful for the future, right? This is yet another ploy that the Cyberattacker uses ever so cleverly. By default, humans are built and wired to be trusting of others from the moment we are born. We never feel that we could be taken advantage of, because of the way we have been raised. But this is also one of our greatest vulnerabilities. In fact, making somebody feel optimistic, not only about themselves but also about their future, is one of the best ways for the Cyberattacker to get at their personal information and data. This is a ploy that is heavily used in the recruiting and network marketing industries: there is often the promise of a great job, or of making millions, simply by signing up for a program and paying a considerable sum of money for it. In the end, all you are left with is a drained bank account. The cardinal rule to remember here: if it sounds too good to be true, then it probably is.
*Honesty:
As the old saying goes, trust is built upon honesty. So, in an effort to be accepted by others and by society as a whole, we always want to be honest. In fact, whenever we lie, there is always that horrible feeling of guilt afterwards (well, at least for the most part). While being honest is a very noble thing, it too is one of our greatest vulnerabilities, and this is something the Cyberattacker will take full advantage of. Now of course, if a total stranger approaches, our guard will be up, and the urge to be honest may naturally dissipate in order to protect ourselves. But the Cyberattacker knows how to steer the conversation so that, quite innocently, you give out the right pieces of information. They very often start by making some very casual, false statements about you, in the hope that you will unknowingly correct them (a caller who casually gets your department or your manager’s name wrong is counting on you to supply the right one). If this kind of conversation comes up, you can always ask the person why they need to know in the first place.
My Thoughts On This
Well, there you have it: some of the top ways in which a Cyberattacker can get into your mind and emotions in order to get what they want. While there is no software package out there that can protect you in this regard, your best line of defense is always to trust your gut. But by the same token, don’t live your life like a hermit. Go out there and enjoy it, but always be careful in what you say and do. Easier said than done, I know this for a fact!!!