Some time ago we wrote a blog about the importance of passwords, gave some examples of how to keep your passwords safe and tips on how to make them hard to guess (but easy to remember). We also posted a link to https://haveibeenpwned.com : a great little utility to find out if your email address has been caught up in the data breaches that seemingly happen every other week. But these data breaches, hacks and brute force attacks are not the only tools in a cybercriminal's arsenal. As an extension of that, your passwords are not the only thing these people are interested in either.
Another tried and true technique of obtaining sensitive information is Social Engineering.
Social engineering is a term used to describe the psychological manipulation of people into performing actions or divulging confidential information. For example, this could be extracting a password from someone purely by pretending to be an authority and asking the right questions.
This example of Social Engineering is called Phishing and it is exactly as it sounds! Dropping a line with some bait on it to see who bites! People are lured by communications from seemingly trusted or authoritative parties such as Banks, Electricity or Phone companies and yes, sometimes even IT providers!
Popular types of phishing techniques include:
Spear phishing – Direct attempts at specific individuals utilising some personal information previously gathered on the target such as full name or phone number.
Clone phishing – where a previously delivered email containing an attachment or link has its content and recipients taken and used to create an almost identical email.
Whaling – a term coined for spear phishing directly aimed at senior executives or other high profile targets.
I think we have all seen examples of Clone Phishing. How many emails from Australia Post or some Electricity company have we gotten encouraging us to click a link? These links, once clicked, can do anything from scanning your computer for information to taking control of your computer for future use.
The problem with phishing and social engineering is that it takes advantage of people's natural tendency to trust.
Here is the real kicker: a network's security is only as strong as its weakest link. You can have all the controls and security features in place, but the fact remains: humans use these systems, and as a result our human weaknesses are the best target for hackers and often the one most overlooked by those responsible for IT security.
Over the next couple of weeks, we will look at ways to spot various Social Engineering techniques and discuss how to protect ourselves and help those around us. In the meantime, check out this little quiz and see how you go. Let us know your results!