A hacker's lifeblood is social engineering, not better tech.
The tremendous success of COVID-19 cyber scams is the direct result of the predictability of human behavior; specifically, the reptilian brain functions that trigger survival and protection responses. As a former big-law litigator, I witnessed (and as defense counsel, guarded against) questions designed to elicit sound bites that terrify a juror and scare him/her into irrational reactions. It was and remains an extremely successful tactic. Need a modern-day example? Stockpiling toilet paper in response to a respiratory virus.
Cyber criminals do that same thing with social engineering. Through social engineering, bad guys can predict how an individual will react, what will get his/her attention, and what tone of a message (in any medium) will trigger fear, a temporary abandonment of sensibility, and immediate action:
An eager-beaver law firm associate receives an urgent email from a supervising partner demanding that e-gift cards be purchased and sent to “clients.” The associate complies, only to realize later that he/she was the victim of a phishing email and has sent $1,000.00 in American Express gift cards to a hacker. The hacker knew the associate would likely comply with the phishing email without much thought, as law firm associates are often desperate to please supervising partners out of fear of reprisal, have access to money, and may be unable to resist an opportunity to win good favor by swiftly completing a simple task.
A hacker posing as remote IT staff emails a teleworker advising him/her that his/her device was compromised by malware, possibly downloaded during a visit to a prohibited website. The hacker says he wants to see if he can fix it before reporting to business administration and asks for the access credentials to the teleworker’s Office 365 account. The teleworker, knowing that he/she downloaded music or movies on the company computer, or let his/her teenager use it for school (and who knows what else), complies in hopes that the faux IT staff can resolve it before administration becomes aware.
New homeowners close on their first house and are flooded with refinancing offers in the mail from various mortgage companies. A bad actor, having access to the same public records as the mortgage companies, leaves voicemails for the new homeowners advising that an issue arose with the loan or the IRS, which may result in a lien being placed on the new house. The bad actor leaves a call-back number, and when the unsuspecting new homeowners call, the bad actor convinces them to confirm dates of birth, Social Security numbers, and routing numbers for direct payments to the mortgage company.
Other forms of social engineering are as follows:
Spear Phishing: email is used to carry out targeted attacks against individuals or businesses.
Baiting: an online or physical social engineering attack that promises the victim a reward for participation in an event (e.g., answer this survey to win a $100 Amazon gift card, or provide your login information for a free movie download).
Malware/ransomware: victims are tricked into believing that malware is installed on their computer and that if they pay, the malware will be removed.
Pretexting: uses a false identity to trick victims into giving up information (sometimes found on Facebook in the form of quizzes that data mine for information such as first pet’s name, favorite car, etc. – all of which are common authentication questions).
Quid Pro Quo: relies on an exchange of information or service to convince the victim to act.
Tailgating: relies on human trust to give the criminal physical access to a secure building or area.
Vishing: urgent voicemails convince victims they need to act quickly to protect themselves from arrest or other risk.
Water-Holing: an advanced social engineering attack that infects both a website and its visitors with malware.
Training all employees, from interns to C-suite executives, on ways to spot social engineering tactics is one of the best defenses against data breaches. However, do not simply rely on online tools. Hire a professional to evaluate current security omissions (technical and social), analyze the liabilities, and coach you on remedial efforts. Contact Sarah@alexandersides.com for more information.