How They Attack Us: Social Engineering

Hackers and cybercriminals are like any other bad guys: they want to make money at your expense. In the digital world that can be done in many ways, but one of the most common is a process called social engineering.

For a criminal to get access to your digital assets, whether that’s an email account, a bank account or a device, there are basically two ways to go about it. They can try to force their way in, which is becoming more and more difficult and time-consuming, or they can gather information about you and use it to ‘guess’ your account names, passwords and PIN codes.

Most people choose passwords and PINs that are easy for them to remember, and in most cases they build them from things in their personal lives: kids’ names, pets, birthdates, addresses, phone numbers and other things close to them. That makes for easy-to-remember codes, but it also means that a hacker who gathers those details through social engineering can generate their own list of likely passwords and try them against your accounts.

There are freely available programs into which you can enter about 100 words about someone (that’s not very many) and which will generate over 100,000 candidate passwords to try. If your password is your pet’s name followed by the month of your son’s birth and the year of your wedding, it may seem complex, but if I know those semi-private details I can generate it in seconds and eventually succeed in accessing your account.
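The following script is an added example, not code from the original article or from any real wordlist tool. It uses an invented profile of a fictional target to show the effect described above: a few dozen personal details, combined with case variants, separators and common suffixes, expand into hundreds of thousands of guesses, and a ‘pet + month + year’ password sits somewhere in that list, while a randomly generated password does not.

```python
"""Added example (not from the original article or any real tool): a toy
social-engineering wordlist generator. A handful of invented personal details
is combined, with case variants, separators and suffixes, into a candidate
list large enough to show why a "pet + month + year" password is weak, while
a randomly generated password never appears in the list.
"""
import itertools
import secrets
import string

# Constructed profile of a fictional target: the sort of detail found on
# social media or in a breached customer database.
PROFILE = {
    "pets": ["rex", "Whiskers"],
    "kids": ["Emma", "Liam"],
    "spouse": ["Sarah"],
    "months": ["03", "Mar", "March"],      # month of the son's birth
    "years": ["1985", "85", "2009", "09"],  # birth year and wedding year
    "other": ["Denver", "Broncos"],        # home town, favourite team
}

SEPARATORS = ("", "_", "-", ".")
SUFFIXES = ("", "!", "1", "123")


def case_variants(token):
    """Return the lower, Capitalised and UPPER spellings of one token."""
    return {token.lower(), token.capitalize(), token.upper()}


def tokens_from_profile(profile):
    """Flatten every profile value into a sorted, deduplicated list of tokens."""
    tokens = set()
    for values in profile.values():
        for value in values:
            tokens |= case_variants(value)
    return sorted(tokens)


def generate_candidates(profile, max_parts=3):
    """Yield distinct candidate passwords built from 1..max_parts profile tokens.

    Mirrors what real generators do: join tokens with common separators and
    append common suffixes. With ~30 tokens and max_parts=3 this already
    produces several hundred thousand guesses.
    """
    tokens = tokens_from_profile(profile)
    seen = set()
    for n in range(1, max_parts + 1):
        for parts in itertools.permutations(tokens, n):
            for sep in SEPARATORS:
                base = sep.join(parts)
                for suffix in SUFFIXES:
                    candidate = base + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def count_candidates(profile, max_parts=3):
    """Size of the guess list for this profile (the '100 words -> 100,000+' effect)."""
    return sum(1 for _ in generate_candidates(profile, max_parts))


def guesses_until_found(profile, password, max_parts=3):
    """Number of guesses an attacker holding this profile needs to hit `password`,
    or None if the password cannot be derived from the profile at all.
    (Against a leaked hash, all of these would be tried offline in seconds.)
    """
    for attempt, candidate in enumerate(generate_candidates(profile, max_parts), start=1):
        if candidate == password:
            return attempt
    return None


def random_password(length=20):
    """What a password manager's generator does: uniformly random characters,
    unrelated to anything in the owner's life."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("candidate guesses from this profile:", count_candidates(PROFILE))
    for pw in ("RexMarch2009", "rex_mar_09!", "Emma1985", random_password()):
        print(f"{pw!r}: found after {guesses_until_found(PROFILE, pw)} guesses")
```

Running it shows the point of the paragraph: the invented profile has only 32 distinct tokens, yet it yields well over 100,000 guesses, and every ‘memorable’ password built from those details is found; the 20-character random password comes back as None, because nothing in the attacker’s profile can produce it.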

How To Detect Social Engineering

Detecting these attempts is very difficult. The most direct way is to recognise phishing attempts: deceptive emails designed to get the target to enter information, or even the real username and password, into a form that delivers it straight to the hacker.

The other way hackers get your information is to buy it. Facebook, Twitter, Google and other web sites collect everything you put on them and sell it, or use it to sell ads. That information is also lost in breaches and resold on the Dark Web. You may think your name, address and phone number are basic ‘phone book’ information, but if you use any of your personal data to create passwords, so can the hackers.

How To Prevent It

It’s near impossible to completely prevent someone from socially engineering you. The first step of Hacking 101 is reconnaissance: gathering data on your target. The engineering part is taking that data and generating passwords and email addresses to try against real accounts, hoping you used the same details. Social engineering can also help hackers pretend to be you in order to trick someone else, as in the CEO scam or spear-phishing attacks. Hackers don’t need access to your accounts to become you.

The first step in good prevention is not to use any personal data when you create passwords. Use a password generator, such as the one built into a password manager (vault), to create long, complex, randomly generated passwords.

The best prevention is to enable multi-factor authentication everywhere you can. Even if hackers obtain your username and password, multi-factor authentication stops them from getting complete access to the account, because the login also requires a second factor, such as your phone receiving a code to complete the process. An authenticator app or a hardware security key is a stronger second factor than a code sent by SMS, since SMS codes can themselves be phished or intercepted.

Lastly, run education and awareness programs. Help your employees, friends and family recognise these hacking attempts. Social engineering is stealthy, and you won’t know it’s happening unless you have those simple yet effective additional security controls in place.

Be aware, be safe.
