Social engineering in a nutshell
What is social engineering?
Simply put, social engineering is the collective term for techniques in which attackers try to obtain (sensitive) information by exploiting humans as the weakest link.
Humans? That's right. Social engineering is the clever manipulation of the natural human tendency to trust. This implies that the technological skills of hackers don't have to be outstanding at all. Some creativity and a lot of drama can also do the trick.
Machines aren't infallible since humans created them. Sooner or later, the human brain fails, for example in a stressful situation.
Companies, as well as individuals, are implementing the best-performing technological solutions to make sure they aren't affected by attacks, bots or hackers. But without some common sense, it just won't matter.
Script kiddies are a new generation of hackers
Over the last decade, technology has become more accessible, and a new kind of hacker has emerged: script kiddies. A new generation of tech-savvy millennials who use (open source) technologies in a far more obvious and effective way than the people who originally built them.
Scale has become the standard, and automation is key. Script kiddies don't like to do the same hack 100 times in a row - boring! Instead, they build robots: they script lines of code (commands) that repeat themselves endlessly, crawling the internet for vulnerabilities. These script kiddies write, modify and distribute malware, ransomware, and cryptolockers.
Phishing: the most commonly used technique of social engineering
The most famous example of phone phishing: the hackers who pretend to be working at Microsoft's helpdesk. They call you to tell you that your computer is infected. Most people immediately panic.
Those Microsoft employees "solve your problem", but in the meantime, they install their tools that give them access to all your private data, login credentials, and bank card details.
"Yes, hello, this is Microsoft Tech Support"? Hang up the phone!
One click. That's all a hacker needs from you. Every computer or machine needs a command, usually a click, to trigger an action. Next thing you know, your device, system or network is infected with malware or ransomware.
Spear phishing is a targeted form of email phishing. Ordinary email phishing is sent to a large number of users, while spear phishing goes after specific people.
The messages seem to be from a trusted sender, like a friend, family member or a company that you're in contact with. Hackers look for personal information to add to the email. Obviously, this increases their chance of success.
Another form of email phishing impersonates the CEO. In large companies, not everybody knows the CEO in person. That's an advantage for hackers.
The CEO asks a favor or creates a situation where trust is required. Recipients feel flattered because the big chief is asking for their help. Without thinking, they pass on confidential information.
How do you recognize phishing emails?
Generally, the following characteristics are signs that you've received a phishing email:
- Spelling mistakes
- Asking for personal information
- No contact details in the email signature
- Unknown sender
- Impersonal salutation like "Dear client"
- Odd writing
- Link location does not match the text
- Domain name is incorrect, like .com/uk instead of .co.uk
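The last two indicators in this list (link text that doesn't match its target, and lookalike domains such as .com/uk instead of .co.uk) can be checked mechanically. The following is an added example, not part of the original article: it scans a constructed HTML message body for anchors and flags both patterns, assuming the legitimate domain is the made-up examplebank.co.uk.

```python
import re
from urllib.parse import urlparse

# Simplified anchor extractor for the constructed sample below; a real mail
# filter would use an HTML parser rather than a regular expression.
_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that itself looks like a URL or a bare domain name.
_URLISH = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

def host_of(url):
    """Lowercase hostname of a URL or bare domain, '' if it has none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def is_trusted(host, trusted):
    """True when host is the trusted domain itself or one of its subdomains."""
    return host == trusted or host.endswith("." + trusted)

def suspicious_links(html, trusted):
    """Return [(href, [reasons])] for links matching the indicators above."""
    findings = []
    for href, text in _ANCHOR.findall(html):
        host, text, reasons = host_of(href), text.strip(), []
        # Indicator: the text shows one address, the target is another.
        if _URLISH.match(text) and host_of(text) != host:
            reasons.append("link text does not match target")
        # Indicator: the brand appears in the host but it is not the real domain,
        # e.g. examplebank.com/uk or examplebank.co.uk.evil.net for examplebank.co.uk.
        if not is_trusted(host, trusted) and trusted.split(".")[0] in host:
            reasons.append("lookalike domain, expected " + trusted)
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample message body (not a real e-mail); examplebank.co.uk is a made-up domain.
SAMPLE_HTML = """<p>Dear client, please verify your account:</p>
<a href="http://examplebank.com/uk/login">https://www.examplebank.co.uk/login</a>
<a href="https://www.examplebank.co.uk/help">Help centre</a>
<a href="http://examplebank.co.uk.login-verify.net/">Reset password</a>"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML, "examplebank.co.uk"):
        print(href, "->", "; ".join(reasons))
```

Only the first and third links are reported; the second points at a genuine subdomain of the trusted domain and its text is not an address.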
Are passwords a necessary evil?
Passwords often frustrate us. But today, they're still the only reliable way to protect your personal data. Fingerprints, iris scans or facial recognition are not yet worthy alternatives.
Often, passwords aren't strong enough, so hackers can easily harm your device. Where do things go wrong?
First of all, we have too many different apps, so we tend to use as few different passwords as possible. Moreover, a lot of users choose very predictable passwords like birthdays or pet names. And since the requirements for a safe password are becoming stricter, people feel the need to write down their passwords. All those things result in poor security.
Convenient tool: Have I Been Pwned. Enter your email address to find out if you're a victim of one of the mass data breaches. Is your account affected? Change your password!
Tips for a secure password
- Find a method that works for you:
  - Use special characters or smileys
  - Use short phrases or combinations with dates, special characters, and capitals
  - Invent a link with the app or platform you're creating the password for
- Use 2-factor authentication: an additional security layer that requires, of course, a username and password but also asks for a second factor only the user can provide (for example a physical token).
- Make sure to update all your devices with security patches and software updates.
- Be careful with Internet of Things devices. Change the default password set on the device, since default passwords are easy to find on the web.
What about the future?
"Old crimes new tools, new tools new crimes" summarizes it perfectly. For now, it seems impossible to eradicate crime. But we can adjust our online behavior to give hackers a very hard time. That's why we absolutely have to be aware of the existing security threats, and, of course, of our own vulnerability.