
Social Engineering: The Achilles Heel of Cybersecurity

June 28, 2016 in Small Business Security

For as long as humans have been around, crooks have tried to scam good people. Con artists constantly craft creative ways to falsely gain people’s confidence with the goal of obtaining their victims’ money or important information. As the years go by, these schemes develop into more complex, intricate plans that become harder and harder to identify as scams. In modern times, we refer to this phenomenon as “social engineering.”

Social engineering is defined as the act of using psychological manipulation to gain money or information from an individual or an entire company. Hackers employ a variety of social engineering tactics to obtain what they want. However, no matter how creative, scammers generally start with the same simple concepts.

First, the ploy usually begins with an email or phone call to an individual. From there, the perpetrators use complex and confident communication to make it sound as if they are offering assistance or something of value.

The scammer will position the initial call or email in one of these ways:

  • Promising some type of monetary gain
  • Threatening loss or disruption of service if no action is taken
  • Imitating someone or some system in need of information
  • Imitating someone or something of direct value to the victim

Once the victim feels confident giving up important information, the scam comes into play. People may give up credit card information, social security numbers, company finance information or other pieces of important information in exchange for what is promised by the scammer. This can be absolutely devastating if the information is leaked or used by the scammer to work deeper into a company. People can have their entire savings stolen, or have their company’s vital information leaked.

There have been several stories of social engineering scams in the news in recent years. Here is a look at the top social engineering scams:

Ubiquiti Networks Social Engineering Attack

Imitating someone in need of information

 


In 2015, the networking technology company Ubiquiti Networks suffered a social engineering attack that cost the company $39.1 million. The attack was initiated when a staff member of the company fell victim to what is known as a “CEO scam,” in which the criminal sends an email impersonating a senior member of the company. The employee ended up giving important financial information to the criminal, allowing the crook to walk away with millions.

DeRay Mckesson’s Twitter Hack

Imitating someone or some system in need of information

 


In June of 2016, Black Lives Matter activist DeRay Mckesson, who has over 376,000 followers on Twitter, had his account hacked through social engineering. The hacker posed as Mckesson on a phone call to Verizon customer service, and was able to have the SIM for Mckesson’s phone changed to the hacker’s phone. From there, the hacker had all of the Twitter account verification texts sent to their own phone, allowing them to access Mckesson’s Twitter account. The hacker posted a few controversial tweets before Mckesson regained access to his account.

 

Mofang Attacks

Imitating someone or something of direct value to the victim


The Chinese cyber-espionage group “Mofang” (meaning “to imitate” in Chinese) has carried out several high-profile social engineering attacks since 2012. The Myanmar government as well as several major corporations throughout North America, Europe and Asia have fallen victim. The group generally sends out emails that appear to contain Word, PDF or Excel files. Once victims download the attachment, the file then sends viruses throughout the network, allowing Mofang to access important information.

 

FBI Agents Information Leak

Imitating someone or some system in need of information


In February of 2016, an anonymous hacker accessed and released information on over 20,000 FBI employees. The hacker claimed to use a fairly simple method of social engineering to achieve this. Supposedly, the hacker was able to get this information by accessing an email account within the Department of Justice. To get into this account, the hacker called the Department of Justice claiming to be a new employee who needed help accessing the email portal of the department. From there, the hacker was able to have full access to the Department of Justice’s intranet, allowing them to steal the personal information of FBI employees.

Director of National Intelligence Info Hack

Imitating someone or some system in need of information

 


In 2016, James Clapper, the Director of US National Intelligence, who is also the most senior US intelligence official, was hacked through social engineering. Hackers found out Clapper’s ISP was Verizon. The scammer called Verizon and identified themselves as a fellow Verizon employee in the customer support department. Eventually, the hackers were able to obtain Clapper’s social security number and access his email account.

 

Social engineering has been referred to as the “Achilles heel” of cybersecurity. Companies can have the best security systems in place, but it all becomes irrelevant when a well-meaning employee makes an honest mistake in providing too much information. Computers and security tools can do a good job of protecting important information, but a conversation between two people can’t always guarantee that same level of security. It’s always important to know what information about your company should remain private before it accidentally gets into the wrong hands through a seemingly casual conversation or email.

 


 

Nabil Hourani


Nabil hails from the Dallas area of Texas. He relocated to Colorado after college to experience all the beauty and adventures the state has to offer. Nabil has a passion for technology, and loves being able to communicate with businesses about their IT needs. In his spare time, he enjoys camping in the majestic Colorado wilderness, fishing, and playing music.