Do any of these questions sound familiar to you:
– What was your first car?
– Where did you go to high school?
– What is your favorite food?
– What was the name of your first pet?
They are common security questions used by organizations to make sure you are who you say you are when logging into a secure website such as a financial institution or insurance provider.
Now, how many people talk about the above on social media platforms like Facebook? It is OK to nod yes since everyone does. The answers to those questions are part of who you are as a person. It also helps cybercriminals gain access to your information through what is known as social engineering.
What is social engineering?
The official definition is the use of deception to manipulate individuals into divulging confidential or personal information to gain access to computer systems for fraudulent purposes. It is a very devious form of hacking. And it is the most common way to gain access to information according to KnowB4 data stating that 98 percent of cyber attack relies on social engineering. In other words, the bad guys are piecing together your information then preying on weak common passwords to gain access or playing on your trust by spoofing phone numbers or emails by people you know.
The cybercriminals go for the weakest link in the cybersecurity chain, and that is the human element. There are three main types of social engineering attacks according to Patrick Lavery, security consultant, and co-organizer with Lea Snyder of Layer 8 Conference on Social Engineering. They are Phishing, Vishing, and Smishing. While the names sound whimsical, there aren’t. The goal of these fraudulent practices is to pretend to be a reputable company to get people to reveal their data such as passwords and credit card numbers:
– Phishing is using emails with the hope a link is clinked taking you to a false website to collect your information.
– Vishing is making phone calls or leaving voice messages with the goal you will give those details over the phone.
– Smishing is sending text messages to get a response or for you to clink a link.
Most social engineering attacks are random. For example, the bad guys send out an email blast to a billion addresses with the expectation that .01 click on the malicious link. However, there are more targeted attacks such as Whaling and Spear Phishing. Whaling is a phishing attack that is aimed explicitly at wealthy, powerful, or prominent individuals such as CEOs using email or electronic communications to scam them. A recent whaling attack in Germany targeted celebrities and politicians’ social media accounts causing some embarrassment. On the other hand, spear phishing is a targeted attack on an individual or organization.
The attacks are getting bolder. With easily accessible websites that list your personal information such as names known by, where you have lived and known relatives for a fee as well as free social media platforms, it is effortless for cybercriminals to build a good profile on you. Add in technology available to spoof mobile numbers easily accessible in the app stores enables the bad guys to go a bit deeper in their search to fleece you out of your data and money.
Recently, violent Vishing attacks are taking place where a family member’s name appears on your caller ID. When you pick it up, it is a kidnapper saying they have a loved one and demanding money. The scam is done by spoofing mobile numbers from a stolen contact list or information gleamed online. The scammers are counting on panic and fear just like the ones who call from the IRS saying you owe money or someone saying they are a grandchild needing bail money.
Don’t give that to them says Lavery. He says the best way to avoid social engineering attacks is stepping back and taking a moment questioning the request. The defense is validation. For example, in the office, if a CEO sends an invoice requesting it be paid ASAP than make a call to confirm that indeed is correct. Same goes for phone calls, request to call them back or ask for another channel to communicate. As for the kidnapping Vishing attacks, deep breath either texting that family member or have someone else call verifying they are OK.
Validation and verification are essential in the prevention of successful social engineering attacks. Take that extra moment, it will make the difference.
This column was originally published in the Lexington Herald-Leader on March 20, 2019 and nationally distributed to over 300 media outlets through the Tribune Content Agency.