Evidence Russia hacked the Canadian Government.

Today’s topic is social engineering. This blog’s title is click bait - congratulations you clicked it! You were just socially engineered and should be angry about it. Now let’s find out why it works.

Security professionals attempt to raise awareness of all the different kinds of social engineering and invent new words every week to cover the variants. Here’ s quick summary of terms but ultimately the terms don’t matter:

  • Phishing is well understood as an email.

  • Vishing is voice phishing.

  • Smishing uses SMS.

The fundamental goal of social engineering is to gain something through psychological manipulation. Inevitably one wonders about the phisher’s real motive, who benefits, and who is abused. These questions are easily answered with respect to telemarketing (hint: the target is you) but are much more complicated in other situations.

Let’s look at how social engineering works:

Your job is to help: If I setup an infected website and ask the IT help desk why the internet/website is down, they will go to this website during their basic troubleshooting and get infected. It could take less than 5 minutes to hack your organization as a result of the help desk’s helpfulness. The fix isn’t to stop being helpful but to be overly helpful. Connecting to the original issue reporter’s computer and working on the problem from their point of view will keep your help desk clean and give your legitimate users a better overall customer service experience. Your job is to help… and the more helpful you become, the more secure you become.

Your familiarity is touched: This can be Politics, Sports, Cars, Economy, or anything that strikes a chord with your target(s). Consider how the click bait title of this blog peaked your interest and landed you on this article. I touched on something familiar. This is how “Fake Car Recall notices” which you end up taking seriously. From a cyber security perspective, consider a hacker looking at your organization’s job postings to discover the systems you use so they can craft attacks relevant to you.

Awareness isn’t enough

The problem is that you will likely not recognize a new scam the first time. The likelihood of falling for scams that a new or you’re not aware of are quite high based on actual individual examples. We need to train users how to identify the manipulation instead of just showing them examples of it. Google has an excellent quiz that explains phishing, test your phishing identification prowess here: https://phishingquiz.withgoogle.com/

Take it a step further, if the root cause is psychological manipulation and you can identify when someone is being manipulative, you will catch all of these scams before they happen. Ask yourself, is this person:

  • Very charming and unexpectedly flattering?

  • Intimidating?

  • Asking you to do something?

  • Passive-aggressive?

  • Making your spidey sense go off?

  • Gossiping to influence you?

These are signs that generally enable you to identify manipulators. Identifying manipulators is a highly valuable skill in many personal and corporate realms far beyond cyber security. It will help in your daily life.