Traversing the Security Terrain, "One Phone Call Can Make the Difference."

Kirk Molloy, for all his IT expertise and years of experience dealing with sophisticated phishing attacks, sums it up in seven very non-technical words: "One phone call can make the difference."

If one were to plot the digital landscape for cyber activity over the last 30 years, they’d see drastic changes across the terrain in recent times. Years of stressing password management, anti-virus and anti-malware solutions, and responsible online browsing gave businesses a sense of security, one that would be deemed false in 2020. Social engineering attackers today know how to bypass your security technology completely by using the timeless art of manipulation to get your information.

As IDG put it in its CSO publication, “hackers smell blood now, not silicon.”

Social engineering is a modern-day attack vector that uses the social conditioning and naivety of humans to infiltrate networks, gain access to systems and steal confidential information from organizations. Attackers use tactics that gain your trust, give you a sense of urgency, and even pretend to be your “boss.”

How Does Social Engineering Work?

It could come from a phone call (criminals posing as employees to gather bits of information, or maybe a call from “Microsoft Support”).

It could come from email (users reveal confidential data because the request appears to come from their “boss.” Example: an email from your “boss” to your HR person, requesting that he or she send the W-2s of all employees, in PDF form, for review).

Kirk has witnessed it first-hand: an employee opening a file from what he or she thought was a trusted vendor, or clicking an ill-advised link because the message carried such an extreme sense of urgency. The result? A phishing attack and, at times, even ransomware.

“They didn’t verify it,” Kirk said. “The best case scenario, if something looks iffy, is to pick up the phone and say ‘hey, did you send this to me? It’s suspicious and I just want to confirm.’”

When in doubt, pick up the phone.

Additional Tips for Traveling the Treacherous Terrain of Social Engineering:

  • Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical; never let their urgency influence your careful review.
  • Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.
  • Don’t let a link be in control of where you land. Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.
  • Email hijacking is rampant. Hackers, spammers, and social engineers taking control of people’s email accounts (and other communication accounts) has become rampant. Once they control an email account, they prey on the trust of the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, check with your friend before opening links or downloading.
  • Beware of any download. Unless you know the sender personally AND are expecting a file from them, downloading anything is a mistake.
  • Foreign offers are fake. If you receive an email from a foreign lottery or sweepstakes, money from an unknown relative, or a request to transfer funds from a foreign country for a share of the money, it is guaranteed to be a scam.
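A small check for the link tip above (hovering shows the real URL, but a good fake can still mislead), added here as an example that is not part of the original article: it pulls every anchor out of a constructed HTML email body and flags links whose visible text names a different domain than the href actually points to, or that use plain http. The helper name `check_links` and the sample email are assumptions.

```python
"""Flag email links whose visible text points somewhere other than the real href.
Added example, not from the original article; the HTML is a constructed sample."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one link shows a familiar domain as its
# text while the href leads to a lookalike host on a different domain.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready.</p>
<a href="https://billing.example-vendor.com/inv/123">https://billing.example-vendor.com/inv/123</a>
<a href="http://login.examp1e-vendor.net/reset">https://www.example-vendor.com/account</a>
<a href="https://www.example-vendor.com/help">Help center</a>
"""

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registrable(host):
    """Crude registrable-domain guess: last two labels (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_links(html):
    """Return (href, text, reason) for every link a reader should verify by phone."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = re.match(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and _registrable(shown.group(1)) != _registrable(host):
            findings.append((href, text, "visible text names a different domain"))
        elif urlparse(href).scheme == "http":
            findings.append((href, text, "plain http link"))
    return findings
```

Running `check_links(SAMPLE_EMAIL_HTML)` flags only the second link, whose text reads example-vendor.com while the href goes to examp1e-vendor.net.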

If in doubt, pick up the phone. It could make all the difference.