Social Engineering

Updated: Feb 19, 2019

“There is no need to penetrate a network when you can breach the people who run it. Networks are hard. People are soft.” -Taylor Swift

Social Engineering…

Taylor Swift makes a good point. Social engineering is the method hackers use to get around firewalls, and it has topped the list of the ten most popular hacking methods. It takes specific advantage of a human’s tendency to trust. It uses trust cues like hundreds of likes and retweets, or hundreds of followers or comments, to make people feel like the website or page is legitimate. Strictly speaking, social engineering is “a process that cyber-criminals use to manipulate an unsuspecting person into divulging sensitive details through use of techniques like phishing, identity theft, and spam.”


Of all the methods of social engineering, none is so well-known as phishing. Unfortunately, while we may have heard the word “phishing,” most people are unaware of what it is or what to look out for. In fact, around 97% of people globally cannot identify a sophisticated phishing email. Phishing is a type of social engineering that uses email as a medium. The goal of phishing is to play to the human tendency to trust by duping the email recipient into believing the message is something they want or need. The recipient is then guided to click on a link or download an attachment that gives the scammer access to the computer. It may also ask for sensitive personal data. This is a red flag! Never put your data into an email someone sends you!


Pharming is an alternative method of phishing in that it also uses email as the medium. Its purpose is to get the target to click on a link that installs malicious code onto the computer. The code then redirects any clicks the victim makes on a website to a fraudulent website without warning or consent. One way to be vigilant about this is to look for the ‘s’ in ‘https’ before you enter any sensitive personal information or financial information into the website. (The ‘s’ stands for ‘safe’). Keep in mind that ‘https’ only tells you the connection to the site is encrypted; it does not by itself prove the site is the one you meant to visit, so check that the domain name is the one you expect as well.


Vishing is a form of phishing that uses phone calls instead of emails to socially engineer the target into giving up sensitive information. Sometimes, it will be via an email that asks the target to call and give information. Instead of calling the number provided in the email, look up the organization’s customer service number and call that instead. Never ever give out sensitive data over the phone if the person called you. A sense of urgency in the phone call or email should also be a red flag.


Smishing is a newer form of phishing that uses text messages, or SMS, as a medium. Typically, these texts will contain a URL to click or a phone number to call. There is also a sense of urgency, whether by declaring that the sale you want is about to end, that the warranty on your car (even though you never put a warranty on your car) is about to expire, or that some utility service is about to be cancelled. It uses this sense of urgency to bait you into giving information away without stopping to consider who you are giving it to. Another marker of a smishing text is a sender number such as ‘5000’, which indicates the message was sent as an email to your phone number rather than as a regular text.
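The red flags listed above for phishing, vishing and smishing (a link to click, a number to call back, urgency language, a plain ‘http’ link, and a ‘5000’-style sender) can be turned into a simple triage check. The script below is an added example written for this post, not code from the original article; the urgency phrases, the regular expressions and the sample messages are all constructed here for illustration, and a real mail or SMS filter would use a much larger phrase list and reputation data.

```python
import re

# Constructed list of urgency phrases drawn from the examples in the post
# (expiring warranties, ending sales, services about to be cancelled).
URGENCY_PHRASES = (
    "about to expire",
    "about to end",
    "will be cancelled",
    "final notice",
    "suspended",
    "immediately",
)

# Links and callback numbers are the two actions a smishing text asks for.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"]+", re.IGNORECASE)
PHONE_RE = re.compile(
    r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"
)


def score_message(sender: str, body: str) -> list:
    """Return the list of red flags found in one message.

    Flags are reported in a fixed order so results are easy to compare:
    urgency, links (one entry per link), callback number, sender marker.
    """
    flags = []
    text = body.lower()

    # Urgency language: flagged once however many phrases match.
    if any(phrase in text for phrase in URGENCY_PHRASES):
        flags.append("urgency")

    # Links: a plain http link is called out separately, since the post
    # tells readers to look for the 's' in 'https' before entering data.
    for url in URL_RE.findall(body):
        if url.lower().startswith("http://"):
            flags.append("plain-http link")
        else:
            flags.append("link")

    # A number to call back is the vishing-by-text pattern.
    if PHONE_RE.search(body):
        flags.append("callback number")

    # A '5000'-style sender means the text arrived via an email-to-SMS
    # gateway rather than from a phone (constructed check based on the post).
    if sender.startswith("5000"):
        flags.append("5000 number")

    return flags


# Constructed sample messages; phone numbers and domains are placeholders.
SAMPLE_MESSAGES = [
    ("5000", "Your car warranty is about to expire! Call 800-555-0199 now to renew."),
    ("+15555550100", "Your package is waiting: http://example.com/track"),
    ("Bank Alerts", "Final notice: your account will be suspended. Verify at https://example.com/login"),
    ("Mom", "See you at dinner at 6?"),
]


def triage(messages) -> list:
    """Score each (sender, body) pair; returns [(sender, flags), ...]."""
    return [(sender, score_message(sender, body)) for sender, body in messages]


if __name__ == "__main__":
    for sender, flags in triage(SAMPLE_MESSAGES):
        verdict = "SUSPICIOUS" if flags else "ok"
        print(f"{sender!r:16} {verdict:10} {', '.join(flags)}")
```

Every message that asks the reader to act (click, call, log in) collects at least one flag, while an ordinary text from a known contact collects none; in practice the flags would feed a user warning or a mail-gateway rule rather than a print statement.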

Why Should You Care?

Now, all this is very informative, but why should you care? Well, despite the fact that phishing as a word is so well known, phishing attempts have grown by 65% in the last year, so they must be working. Seventy-six percent of businesses are victims at some point; 30% of phishing emails get opened by targets; and 12% actually open the attachment. One and a half million phishing sites are created every month, and 30% of customers leave a company after a data breach. Do right by your company and train your staff. The only thing worse than training your staff and having them leave is not training them and having them stay.
