Wednesday, September 8, 2021

5 Social Engineering Attacks The SMB Owner Must Be Aware Of

Just recently, I had a great podcast with one of my business partners. The topic of discussion was the SolarWinds fiasco, and our main points of conversation were about how it happened, what we have learned from it so far, and the best way in which Corporate America can move forward. I learned a lot more about this Cyberattack from this conversation than I knew before.

For example, I did not fully realize the magnitude or breadth of the attack. It was not just businesses that were impacted, but also many government agencies (at both the federal and state levels), educational systems, nonprofit organizations, and in fact even all of the military branches of the United States as well. But keep in mind that there is still a lot more coming out on this, and the podcast has only touched upon the surface of it.

Based on this, the common theme with Cyberattackers has primarily been to use newer, and of course much more sophisticated and covert, threat variants built on the profiles of the existing ones. Probably the best example of this is Phishing. Ransomware, BEC attacks, etc. are not new threat variants in themselves; rather, they are crafted from the first strand of Phishing that ever occurred.

This happened way back in the late 1990s, when AOL became the first publicly known company to have been impacted by a massive Phishing attack. Since then, of course, the Cyberattacker has had over two decades to finely tune their craft in this regard. But believe it or not, there is still yet another threat variant out there that is now being used much more heavily, one which dates back to, or even predates, the era of Phishing.

This is what is known as “Social Engineering”. Put in simpler terms, these are the techniques that a Cyberattacker uses in order to strike a certain human emotion so that you will give in to what they are seeking. Typically, those emotions are fear and a sense of urgency. Today, Robocalls, Smishing attacks (Phishing attacks done via text messages to your Smartphone) and even phony snail mail letters are the main vectors that are used.

After all, why spend time trying to create a digital form of attack when all one has to do is pick a phone number and build up some level of rapport with the person on the other end of the conversation? Once this has been established, all the Cyberattacker has to do is strike upon the right emotion with the unsuspecting victim in order to garner the information that they are seeking.

So, you might be asking at this point, what are some of the variants of Social Engineering, just as there are for Phishing? The following are just a sample to get started with:

*Trust:

In our everyday lives, trust is something that all human beings in the end cherish having. For example, it’s a great feeling when you know your boss or your colleagues can trust you to get the job done. Heck, this is even particularly true when it comes to dating. It can take some time for that level of trust to develop between a man and a woman, but when it does, boy does it feel great!! LOL. This is how the Cyberattacker in this instance works. At least when it comes to the business setting, they will often call, or even send letters to, a lower ranking member of the company, such as the administrative assistant. They know that people with this job title are very often overworked, and very often feel undervalued. Thus, in an effort to bridge this gap, the Cyberattacker will literally “smooth talk” this individual in order to build up a level of trust with them. As just mentioned, having this feeling of trust also makes us that much more vulnerable, and so when the moment is right, the Cyberattacker will use this ploy in order to extract as much confidential information as possible.

*Being Helpful:

Apart from trust, we humans also love it when we know we are being of help to another individual in need. As a result of this, the number of Robocalls has increased greatly, in which the caller pretends to be someone in need, or someone who needs some particular information that you have in order to make whatever is affecting them (hypothetically speaking) go away. But this has been such an overused tactic that the Cyberattacker will most likely not use it unless a very rare event occurs that affects literally the entire human race. The best example of this is the recent COVID-19 pandemic, during which millions of Emails and fake websites were set up asking for money and donations. In fact, even when you are on Social Media, be extra careful of people asking for money, especially on those “Go Fund Me” pages. As in everything else in life, only give money to those individuals and entities that you know of and are familiar with. It is very important to note that sympathy-based attacks are one of the prime threat variants in this regard.

*Fear:

This is the complete opposite of the above two. When it comes to striking fear into us, one of the biggest pain points is getting those Emails saying that our financial accounts have been compromised and that we must take action now in order to correct what has happened. I get these all of the time, most especially from PayPal. An interesting trend to note is that these kinds of Emails usually don’t come out until the wee hours of the night. This is when our guard is typically down, and we are often too bleary eyed to take stock of what is really going on, and thus we become a victim when we log into that phony website. Another huge fear tactic is that of getting calls and letters from the IRS, the latter being snail mail based. These letters look so real and genuine that it is almost impossible to tell what is fake and what is not. But keep this cardinal rule in mind: the IRS, or for that matter any legitimate financial organization, will never ask for your confidential information. If you receive any calls or snail mail letters like this, always contact the organization in question to see if they even sent it in the first place. Also, if something like this ever happens to you, just take a few minutes to calm down, in order to let the initial feeling of anxiety and fear go away, so that your logical mind will resume control. In other words, don’t shoot your gun first and then ask why you did later on.

*Optimism:

Heck, given the times that we are in now, who does not want to be hopeful for the future, right? This is yet another ploy that the Cyberattacker uses ever so cleverly. By default, humans are built and wired to be trusting of others, from the moment we are born. We humans never feel that we could be taken advantage of, because of the way we have been raised. But this is also one of our greatest vulnerabilities as well. In fact, making somebody feel optimistic not only about themselves but also about their future is one of the best ways for the Cyberattacker to get at their personal information and data. This is a ploy that is heavily used in the recruiting and network marketing industries. There is often the promise of a great job, or of making millions, by simply signing up for a program and paying a considerable sum of money for it. In the end, all that you are left with is a drained bank account. The cardinal rule to be remembered here: if it sounds too good to be true, then it probably is.

*Honesty:

As the old saying goes, trust is built upon honesty. So in an effort to be accepted by others and by society as a whole, we always want to be honest. In fact, whenever we lie, there is always that horrible feeling of guilt in the end (well, at least for the most part). While being honest is a very noble thing, it too is one of our greatest vulnerabilities, and this is something that the Cyberattacker will take full advantage of as well. Now of course, if a total stranger approaches us, our guard will be up, and naturally the feeling of being honest may dissipate in order to protect ourselves. But the Cyberattacker knows how to manipulate the conversation so that, innocently, you will give out the right pieces of information. They very often start this by making some very casual, false statements about you, in the hope that you will unknowingly correct them. If this kind of conversation comes up, you can always ask the person asking you these questions why they need to know it in the first place.

My Thoughts On This

Well, there you have it, some of the top ways in which a Cyberattacker can get into your mind and emotions in order to get what they want. While there is no software package available out there that can protect you in this regard, your best line of defense is always to trust your gut. But by the same token, don’t live your life like a hermit. Go out there and enjoy it, but always be careful in what you say and do. Easier said than done, I know this for a fact!!!
