Social engineering is the use of human interaction to convince people to break their normal security processes. It can make use of the newest technology, but it does not need to. It has existed for as long as people have deceived one another, first in person and later over the phone; it is simply the con game adapted by cyber thieves. Today, while in-person social engineering is still very much alive and well, remote social engineering is gaining ground because of how much information about people and organizations can be found on the Internet.
Roughly 50% of a social engineer’s time is spent researching potential victims, and a significant portion of that information comes from online sources. LinkedIn, for example, is a wealth of information, since people post their professional history and current role there. A social engineer collects data from various personal and professional sites, identifies weaknesses, and uses them against the target.
One tactic on the rise is business email compromise, or BEC. According to the FBI’s Internet Crime Complaint Center (IC3), this scam has cost businesses of all sizes more than $3.1 billion in reported losses, and since January 2015 it has increased by 1,300%. Yes, that is the correct figure. It has been reported from all 50 states and from about 100 countries.
BEC uses remote social engineering, typically a phishing email, to convince someone in an organization to wire large sums of money to the criminals’ bank accounts or, increasingly, to send human resources data such as employee W-2 forms. W-2 fraud recently caught out Seagate and Snapchat. Stolen W-2 data feeds identity-theft tax refund fraud, which was estimated at $21 billion for 2016.
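As an added example (not from the original article), the script below triages an incoming message against the BEC patterns described here: a sender domain that resembles the company’s own, an executive’s display name over an outside address, a Reply-To that points somewhere else, and a wire-transfer or W-2 request framed as urgent. The organization domain (example.com), the executive list, the keyword lists, and both sample messages are constructed for illustration and are not taken from any real incident.

```python
"""Heuristic triage of a suspected BEC (business email compromise) message.

Added example, not part of the original article. The organization domain,
executive list, keyword lists and sample messages are all constructed.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                              # assumed organization domain
EXECUTIVES = {"pat rivera": "pat.rivera@example.com"}   # constructed: display name -> real mailbox

# Phrases typical of the two requests the article names: wire transfers and W-2 data.
PAYMENT_TERMS = ("wire transfer", "w-2", "w2", "payroll", "bank account", "invoice")
URGENCY_TERMS = ("urgent", "immediately", "asap", "today", "confidential", "do not discuss")


def domain_of(addr: str) -> str:
    """Return the lowercased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, org_domain: str) -> bool:
    """True when a domain is a near-miss of the real one, or borrows its first
    label (example.com.attacker.net, example-corp.com). The real domain and its
    own subdomains are never lookalikes."""
    if domain == org_domain or domain.endswith("." + org_domain):
        return False
    org_label = org_domain.split(".")[0]
    return edit_distance(domain, org_domain) <= 2 or org_label in domain


def bec_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    indicators = []

    if is_lookalike(from_domain, ORG_DOMAIN):
        indicators.append(f"sender domain {from_domain} resembles {ORG_DOMAIN}")

    real_mailbox = EXECUTIVES.get(from_name.strip().lower())
    if real_mailbox and from_addr.lower() != real_mailbox:
        indicators.append(f"display name '{from_name}' is an executive but address is {from_addr}")

    if reply_addr and domain_of(reply_addr) != from_domain:
        indicators.append(f"Reply-To {reply_addr} does not match From domain {from_domain}")

    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""
    haystack = msg.get("Subject", "").lower() + "\n" + body
    money = [t for t in PAYMENT_TERMS if t in haystack]
    urgent = [t for t in URGENCY_TERMS if t in haystack]
    if money and urgent:
        indicators.append(f"payment/HR request ({', '.join(money)}) framed as urgent ({', '.join(urgent)})")
    return indicators


# Constructed sample: executive impersonation from a lookalike domain with an outside Reply-To.
SAMPLE_BEC = """\
From: Pat Rivera <pat.rivera@examp1e.com>
Reply-To: pat.rivera.ceo@mail-relay.net
To: finance@example.com
Subject: Urgent wire transfer - confidential
Content-Type: text/plain; charset="utf-8"

I need a wire transfer of $48,500 sent today to the account below. Do not discuss
this with anyone; I will explain when I am back in the office.
"""

# Constructed sample: a routine internal message from the real mailbox.
SAMPLE_LEGIT = """\
From: Pat Rivera <pat.rivera@example.com>
To: finance@example.com
Subject: Q3 budget review
Content-Type: text/plain; charset="utf-8"

Please send me the updated Q3 budget spreadsheet when you have a chance this week.
"""

if __name__ == "__main__":
    for label, raw in (("BEC sample", SAMPLE_BEC), ("legitimate sample", SAMPLE_LEGIT)):
        hits = bec_indicators(raw)
        print(f"{label}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  -", hit)
```

None of these checks is proof on its own; a real executive may use a personal Reply-To, and a vendor may legitimately send an invoice marked urgent. The value is in the combination, and in the fact that every indicator here can be checked from the message headers and text before anyone acts on the request.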
Limit the information you post about your company and its business on the Internet. Even if you use the privacy settings your social media sites offer, treat everything you put online as available to the general public.
Do not get caught up in how you think a cyber thief should look or sound. People who perform remote social engineering are not limited to the stereotypical hacker sitting in a dark room at a computer. Nation-state actors, competitors after trade secrets, and people simply looking for a big payday all use social engineering tactics and strategies. Motives vary with whoever is performing the activity; the most obvious is financial gain.
Most of the time, the signs of a con are so subtle that the target never realizes what is happening. The game is played by building trust on a personal level and exploiting the human desire to be helpful. Pay attention to who is asking for information, especially when the information is sensitive or the request carries a cost, and verify the request through a channel you already trust before acting on it. If there is any suspicion at all, just say “No.”
© Copyright 2017 Stickley on Security