If you grew up with siblings, you may have had the fortune of bearing the brunt of a practical joke: everything from "smell my finger" to "open this box" to "taste this." While the examples are rather crude, they are no different from the manipulation we all experience through social engineering. Our relatives' main motive was to leverage our trust into getting us to do something ill-advised for their amusement (normally laughter). As harmless as it sounds, we hopefully learned for the next time.
Social engineering is no different. We blindly trust that the email we receive, the phone call we answer, or even the letter in the mailbox comes from the person it claims to. If the message is crafted well enough, and possibly spoofs someone we already trust, then the attacker has already completed the first step in deceiving us and potentially carrying out a ruse. If we then act on the fake correspondence from a work colleague, a friend, or even a sweepstakes, we may just become a victim of social engineering.
Considering the modern threats in the cyber world from ransomware to recording our voices on a phone call, the outcome can become much more severe than eating a dead worm. At the risk of becoming paranoid about every email we receive and phone call we answer, we need to understand how social engineering works and how to identify it in the first place without losing our sanity. This learned behavior is no different than figuring out whether your sibling has lied about a message from your parents or not. Sometimes you just need to verify the message before taking action.
From a social engineering perspective, hackers attempt to capitalize on a few key human traits to meet their goals:
- Trusting – the belief that the correspondence, of any type, is from a trustworthy source
- Gullible – the belief that the contents, as crazy or simple as they may be, are in fact real
- Sincere – the belief that the intent of the contents is in your best interest, so you respond or open them
- Suspicious – whether the contents of the correspondence raise any concern, such as misspellings and poor grammar, or a robotic-sounding voice on the phone
- Curious – the attack technique has not been identified (as part of previous training), or the person remembers the attack vector but does not react accordingly
If we consider each of these characteristics, we can appropriately train team members not to fall for social engineering. The difficulty is overcoming human traits and not straying from the training. To that end, please consider the following training parameters and self-awareness techniques to stop social engineering:
- Team members should only trust requests for sensitive information from known and trusted team members. An email address alone in the From: line is not sufficient to verify the request, nor is an email reply, because the sender's account could be compromised. The best option is to borrow from two-factor authentication and pick up the phone: call the party requesting the sensitive information and verify the request over a second channel. If the request seems absurd, like a request for W-2 information or a wire transfer, verify that it is acceptable according to internal policies or with other stakeholders such as finance or human resources (it could be an insider attack). Simple verification of a request from an allegedly trusted individual, like a superior, can go a long way toward stopping social engineering. In addition, all of this should occur before opening any attachments or clicking on any links. If the email is malicious, the payload and exploit may have executed before you have any verification.
- If the request is coming from an unknown source but is moderately trusted—such as a bank or business you interact with—simple techniques can stop you from being gullible. First, check all the links in the email and make sure they actually point back to the proper domain. Hovering over a link in most mail programs reveals where it really goes, which can differ from the text displayed. If the request is over the phone, never give out personal information. Remember, they called you. For example, the IRS will never contact you by phone; they only use USPS for official correspondence. Don't let yourself fall for the "sky is falling" pressure.
- Teaching people to tell genuine correspondence from fake is rather difficult. Social engineering can take on many forms, from accounts payable requests, love letters, and resumes to human resources interventions. Simply stating "if it seems too good to be true" or "nothing is ever free" only handles a very small subset of social engineering attempts. In addition, if peers receive the same correspondence, that only rules out spear phishing as the probable attack vector; it does not make the message safe. The best option is to consider whether you should be receiving the request in the first place. Is this something you normally handle, or is it out of the ordinary to receive it? If it is out of the ordinary, fall back on the trust rule above and verify the intent before proceeding.
- Suspicious correspondence is the easiest way to detect and deflect social engineering attempts. This requires a little detective-style investigation of the correspondence: look for spelling mistakes, poor grammar, bad formatting, or robotic voices on the phone, and ask whether the request comes from a source you have no interaction with. This could be an offer of a free cruise, or a message from a bank at which you have no accounts. If there is any reason to be suspicious, it is best to err on the side of caution: do not open any contents or reply verbally, and delete the correspondence. If it is real, the responsible party will call back in due course.
- Curiosity is the worst offender from a social engineering perspective. "What could happen? What will happen? Nothing should happen to me, since I am fully protected by my computer and the company's information technology security resources." That is a false assumption. Modern attacks can circumvent the best systems and application control solutions—even leveraging native OS commands to conduct their attacks. The best defense against a person's curiosity is purely self-restraint. Do not reply to "Can you hear me?" from a strange phone call; do not open attachments if any of the above criteria has been met; and do not believe that nothing can happen to you (even if you use Mac OS). The fact is it can, and your curiosity should not be the cause. Being naïve will make you a victim.
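As an added illustration of the link check in the list above (this is example code, not code from the original post), here is a small Python script that pulls every link out of an HTML email body and flags any whose target host is outside the expected domain, or whose visible text shows a different host than the href actually points to. The sample message body and the domain names in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not a real email): an honest link, a text/href mismatch, a lookalike.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention.</p>
<a href="https://secure.examplebank.com/login">https://secure.examplebank.com/login</a>
<a href="http://examplebank.com.evil-login.test/verify">https://www.examplebank.com/verify</a>
<a href="https://examp1ebank.com/help">Help center</a>
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercased hostname of a URL-like string; '' if it has none."""
    if "." not in value:
        return ""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def is_under(host, trusted):
    """True when host is the trusted domain itself or one of its subdomains."""
    return host == trusted or host.endswith("." + trusted)

def check_links(html, trusted_domain):
    """Return (href, reason) for every link that fails the hover check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real, shown = host_of(href), host_of(text)
        if not is_under(real, trusted_domain):
            findings.append((href, f"points at '{real}', not {trusted_domain}"))
        elif shown and shown != real:
            findings.append((href, f"displays '{shown}' but goes to '{real}'"))
    return findings
```

Running `check_links(SAMPLE_EMAIL_HTML, "examplebank.com")` flags the second and third links and leaves the honest first one alone; the same function can be pointed at any saved HTML message body.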
Social engineering is a real problem, and there is no technology that is 100% effective. Spam filters can strip out malicious emails, and anti-virus solutions can find known or behavior-based malware, but nothing can stop the human problem of social engineering and potential insider threats. The best defense against social engineering is education and an understanding of how these attacks leverage our own traits to succeed. If we can understand our own flaws and react accordingly, we can minimize our risk from next-gen threats.