Social Engineering Attack Methods

Greg Wilson, Head of Information Security
May 31, 2018

While computer system breaches are often carried out through technology, there are less technical methods hackers can use to take advantage of unsuspecting individuals — especially social engineering.

Social engineering uses direct human interaction, whereby hackers fool others in order to gain access to valuable information that can help them break into various systems. Social engineering attacks can occur in a number of ways, including the following:

Phone calls — Always be leery of someone calling you to inform you about a security breach. In fact, it’s highly unlikely that anyone will call you to inform you that you’ve been breached. This should be a red flag: do not give any information to that individual, and do not execute any commands he or she asks you to perform, especially if the command ends in “.exe.” If someone calls you about a breach, hang up the phone, and do not speak with that individual. If he or she claims to be calling from a business with which you have a relationship, hang up the phone, and call the business back using the number on your statement so that you know exactly with whom you are speaking. Please be aware that there are other phone scams as well, such as IRS, sweepstakes and charity donation scams, in which callers request personal and financial information such as credit card numbers, SSNs or bank information. In addition, always be careful when having conversations with vendors over the phone, because sometimes hackers will call pretending to be vendors and request information from you.

Desk hovering — Many people often have conversations around other people’s desks, especially in more open office spaces. Be careful about the information you share with others when people are standing near your desk. Take special caution if you notice anyone hovering in the area surrounding your desk or cubicle, or near you in line at the grocery store or on public transportation. This is often a tactic used by social engineering experts to gather information when they are within earshot of conversations they aren’t necessarily part of. This is also an opportunity for shoulder surfing, which allows someone to take note of codes, passwords or other secure information simply by looking over another person’s shoulder. Be sure to shield your keyboard or any paperwork on your desk from view if you notice anyone lingering near your workspace.

Visitors — When people visit your office, there should be a specific protocol on security to ensure the validity of their purposes for being there. All employees should be required to have ID badges with their pictures on them, and it is recommended that there are distinctive visitors’ badges for individuals who are not on staff. All visitors should also be escorted to the people or departments they are visiting in order to ensure they are not wandering or gathering information from places they should not be.

Following — Along with visitors, be cautious about allowing others whom you don’t know to follow closely behind you, particularly when entering into secured areas. While we often hold doors for people or allow them to come in right behind us without the use of their badges when going into secure buildings, it’s not always a safe practice because it allows unauthorized individuals to have access to places and information they should not.

Baiting — Sometimes hackers will leave malware-infected devices (e.g., USB flash drives) where they know these devices will be found. When someone finds the device and plugs it into his or her computer without much of a second thought, the malware is installed on that workstation, giving the attacker a foothold that can be used to gather the valuable information they are after.

Using available information — It’s important to be careful about what information you divulge and where you do so. Social media allows people to be open books and often give away too much information without thinking about it much. For instance, though many women like to put their maiden names on their Facebook pages so that they can catch up with friends from their pasts, this is not always a safe idea, especially if your maiden name is the answer to one of your security challenge questions. This can provide hackers with too much information, allowing them to breach your system and steal what they’re looking for. Additionally, some online job descriptions on company sites or job postings sites get too specific and provide hackers with information regarding what systems these businesses use, which once again gives those attackers open doors to breaching opportunities. If it’s online, anyone can see it, so always be cautious of what you post before you post it.

While we may never be completely free of others trying to access our information, there are certainly measures we can take to protect ourselves and that you can use in your firm and as advice to your clients.

  • Don’t send anything sensitive or confidential in an unsecured manner.
  • Don’t use a generic mailbox to send sensitive documents — send these to a location where the documents must be picked up by the recipient.
  • Don’t use the same password for your work or sensitive transactions and for common transactions, such as on social media.
  • Avoid conducting business transactions on the same computer your family members use for Web surfing or general purposes.
  • Have procedures in place to let your clients know that when certain transactions (e.g., moving money, trades, etc.) are taking place, they will need to verbally verify that they made the request.
  • Keep your company’s shred bin locked, and use the cross-cut shredding method rather than the strip-cut method.

Social engineering is currently a great threat to organizations everywhere, so the more security measures you and your firm take to combat this issue, the more likely you are to avoid your system being breached.
