It’s been two years, but when hackers use social engineering attacks on your business, chances are, they’re still leveraging the pandemic in some way, according to ethical hacker Rachel Tobac.
“To find a lazy attacker, follow the fear,” said Tobac, the CEO of SocialProof Security and the featured guest in the CSO Risk Council’s latest webinar, which focused on the threat of social engineering attacks.
What is social engineering?
Social engineering is the practice of manipulating people into giving up information, finances, or other assets. It’s a practice that covers a wide range of attacks, from phishing (sending fake messages to entice a person to click on a malicious link) to full-blown scams targeting one individual or organization.
Fear, Tobac said, is a popular way of getting a wide array of people to click on a malicious link; false messages about COVID-19 benefits, sick family and friends, and other COVID-related concerns are still being used because they still work.
Other trends in social engineering reflect evergreen fears — government impersonation scams, scammers pretending to be a bank, and tech support scams. Anything that makes people nervous is something lazy social hackers will use in an attack.
Social engineering and the Principles of Persuasion
Not all attackers are lazy, however, says Tobac. If an attacker is specifically targeting your business, they’ll be happy to put in the work of researching you and persuading you — or an unwary employee — to click on a link.
“Some attackers are really going to dig deep,” she said.
According to Tobac, a good attacker is going to research you and your business first, usually using information that’s readily available online, to find information that may compromise you.
Then they'll use one or more of the 7 principles of persuasion listed in Robert Cialdini’s book, Influence: The Psychology of Persuasion to get you to give up information, often on the phone, while pretending to be someone you trust:
Reciprocity: A sense of indebtedness, for example, an attacker pretending to be a trusted source might mention what OS they’re using so you feel obliged to share the same kind of information with them.
Commitment and Consistency: If someone asks you one question that seems a little invasive or off, and you answer it, you’re more likely to answer the next invasive question. You’ve already committed to trusting them.
Social Proof: If an attacker convinces you that someone you know or trust has already complied with a request — say to give access to your system — you’re more likely to comply with the same request.
Liking: People tend to trust people we like, and we tend to like people who share our interests. Therefore an attacker will pretend to share interests with you to gain your trust.
Authority: We trust people who know what they’re doing or who have the authority to tell us what to do. Conversely, people also like being in positions of authority and may give away too much information if asked for help.
Scarcity: Attackers will often use a sense of urgency to get people to comply with a request. This is particularly powerful when the attacker says something emotionally charged (“I have to go take care of my child”) and then asks a person to do something right now to help them.
Unity: People trust other people who are part of the same community, so attackers will often pretend to be from the same group as their targets.
How can you prevent social engineering attacks?
Just because you’re aware of the above principles doesn’t mean you’re safe from social engineering attacks, says Tobac.
“We can’t just shut principles of persuasion off. It’s part of who we are,” she said.
There are, however, ways to stop an attack in its tracks.
Tobac’s main recommendation is for both individuals and organizations to be “politely paranoid,” especially when it comes to sensitive requests; require two forms of identification when complying with a sensitive request. If someone calls and asks for access, email or text to make sure it’s them.
She also recommends restricting admin access to important systems, providing a password manager to employees, and having serious conversations about weak spots in security with leadership.
“A lot of these recommendations are really just getting back to basics,” she said.
To learn more about the CSO Risk Council’s future events and webinars, read more here.