We live in a world where a lot of our personal interactions take place on social media. Facebook, Instagram, TikTok, and LinkedIn are just a few commonly used platforms. But have you ever stopped to consider just how much personal information you’re sharing with the world? We generally think of hacking as someone digging for your information by finding a backdoor into your accounts or stealing your passwords. Yet many times we put ourselves at risk by letting our guard down and being far too trusting of our social contacts. After all, it’s your easiest connection to your friends and family, right? That trust is precisely what many cybercriminals are counting on, and it’s what makes it so easy for them to reach your data or your company’s.
Let’s start by digging into the three most common types of cyberattacks and methods you can use to ensure you don’t fall victim.
Phishing and the Dreaded Spear Phishing Attack
Most people by now are familiar with the term “phishing.” Phishing boils down to using email (or, increasingly, a direct message on a social platform) to impersonate a real person or company you’re familiar or connected with in order to gain your trust. The attacker then uses that trust to trick you into turning over sensitive data like passwords or banking information. Criminals are getting smarter and doing more research about how to gain your trust. They may research your connections on LinkedIn or dive into the companies you follow or interact with on Facebook to work out where you bank or which companies you regularly do business with. That familiar face that looks like Great Aunt Susie on your social network may not be your kind-hearted and unassuming aunt. It’s possible that instead it’s a cybercriminal lurking to see what information they can gather to trick you into clicking a fraudulent link in a phishing email.
Moreover, a cybercriminal could gain enough information from your online profiles to launch what’s known as a spear-phishing attack: a phishing message aimed at one specific person and built from details about them. The criminal impersonates a person of trust within your network and targets an unsuspecting victim. For example, the criminal could pose as the CEO of an organization requesting sensitive information or even a direct transfer of funds from someone in finance (this variant is often called business email compromise). Without the proper protocols in place, such as a rule that every payment or bank-detail change is confirmed by phone with the requester on a number already on file, the unsuspecting finance person could comply with the request and share bank account information or turn over large sums of money without knowing they’ve been duped.
Tale as Old as Time: Baiting
Baiting has been around as long as con artists have preyed upon victims. Most people think of baiting as promising an item a buyer really wants and then switching it out for either a low-quality copy or something completely unexpected. The old bait and switch got an upgrade in the digital age with the advent of e-commerce and online dating. Many have ordered a supposed name-brand item at a fantastic price only to receive a cheaply made knockoff that looks nothing like the photo. In the online dating world, bait and switch has become known as catfishing, equally dubious as the bait but preying on the human need for love and affection.
But beware of links shared on your social network by people you think you can trust. Many times, criminals create links disguised as free downloads (songs, images, movies, and so on) and target you based on your likes and interactions, knowing you won’t turn away from the most recent Beyoncé surprise drop. But once you click and run what you downloaded, you’ve infected your computer and possibly your company’s network with malware.
Quid Pro Quo: Trust but Verify
Much like baiting, quid pro quo involves offering the victim something in exchange for access to data or credentials. Many times, we treat it as a necessity that our contacts can reach us easily and that our contact details are on display. After all, what sales rep doesn’t want a prospect to be able to reach out quickly to close a sale?
Consider this quid pro quo scenario: a social engineer finds your direct line on LinkedIn and calls to let you know he or she is from your company’s IT helpdesk. They need remote access to your computer to fix an issue. In other words, you give access to your device and, in return, your computer issue is resolved. Not wanting to stop the IT person from doing their job, you hand over access without question. What the criminal actually gets is access to sensitive data and, through your machine, a foothold on your company’s network. Rather than just handing over access, ask to return the call at a more convenient time, then ring the helpdesk on the extension your company publishes internally, not a number the caller gives you. A healthy dose of skepticism never hurt anyone in this instance, and you could potentially thwart a targeted attack on your organization.
What are some things you can do to prevent a social engineering attack?
- Be careful what you share.
Even something as innocuous as a photograph can give a criminal what they need to get into an account: a badge, a screen, a street sign, or a pet’s name are exactly the details that answer a password-reset security question. Don’t share personal details, and make sure you’re not giving out information that someone could use to dupe you or someone you’re close to. Those quizzes you think are harmless (first car, mother’s maiden name, the street you grew up on) may just divulge information that could be used against you in the future.
- Use any and all privacy settings
Most social media websites have settings that limit the information you share with your connections. Treat your account as you would your child’s profile. Lock down your location sharing, don’t over-share, and make sure you know exactly who you’re interacting with online.
- Have a healthy dose of skepticism
Being vigilant is your best defense. If it sounds too good to be true, it probably is. Like Barnum once said, there’s a sucker born every minute. Don’t be a sucker!
- Trust but verify
Double check sender addresses for subtle typos and lookalike domains (a zero for an “o,” an “rn” for an “m,” an extra hyphen). Make sure URLs are legitimate by hovering over hyperlinks (or long-pressing on a phone) to see where they actually go; the text you can read and the address behind it are two different things, and it’s the address behind it that counts. Hang up and call back on a number you already have, never one supplied in the message, to make sure you’re talking to someone within your organization prior to handing over any information.
- NEVER share passwords or financial data
Again, knowing who you’re communicating with is the most effective strategy. But even the most innocent of calls or emails can sometimes cross boundaries that put you or your company at risk. Sharing passwords or financial information via email, text, or chat leaves copies in places you don’t control, and any one of them can give a cybercriminal access you don’t want them to have.
Remember, your best defense is a good offense when it comes to preventing an attack. Educate yourself and your teammates on current methods cybercriminals are using to engineer an attack. Be vigilant in making sure you’re aware of what and with whom you’re sharing info. And as always, if you need help educating your employees or monitoring your network, Secure Data Technologies is here to help. Click the link below for a free download of our 5 Tips to Prevent a Social Engineering Attack you can share with your colleagues.