Social Engineering Attacks Target Everyone
Have you ever received a call from a stranger asking you to verify some info about you or someone else? It could be a perfectly legitimate call to update records. But more likely, it’s the start of a social engineering attack. Hackers could hack their way into your personal accounts or company system. But it’s much easier if they can convince you to let them in. Social engineering is an attempt to trick you into helping the criminals steal your information and money.
See Social Engineering with Jack Rhysider for a complete transcript of the Easy Prey podcast episode.
Jack Rhysider studied computer engineering in college, and then got a job doing network security. His whole goal was to keep people out of his clients’ systems. So he tried to learn about all the different ways someone could get hacked. He went to conferences, listened to podcasts, and heard about how people got hacked this way and that way. There were some really good stories about hacking. It has drama, excitement, and adventure. But there wasn’t a podcast breaking it down in a storytelling way.
So two years ago, Jack started Darknet Diaries, a podcast about hackers, breaches, shadow government activity, hacktivism, cybercrime, and all things on the hidden part of the internet. The podcast tells the stories of crazy hacks and other cybercrime dramas in an entertaining way.
A New Name for an Old Con
To Jack, social engineering is synonymous with “con man” or “con game.” A long time ago, a man named George C. Parker lived in New York City and sold people things he didn’t own. He sold Grant’s Tomb to one person. He sold the Brooklyn Bridge to another. That’s where the phrase “If you believe that, I have a bridge to sell you” comes from. His trick was that he looked legitimate. He had documents that looked legitimate. He even had a fake office, staffed with people, where his victims came in to sign the deed. People believed him because he had all this pretext in place. But it was all just a con game.
We still have nearly the same thing today. Now, it’s just called social engineering. Social engineering attacks can “hack” people to get information, data, and access to things they shouldn’t. Companies will sometimes use these same strategies to test their own security. One bank hired some social engineers to see if they could get into the vaults where they kept their gold bullion. They shouldn’t have been able to get through the front doors. Yet by using social engineering, these people convinced bank employees to let them in the front door, through the lobby, up the stairs, and into the vault.
“People are sometimes the weakest link in a company as far as security goes.” – Jack Rhysider
Social Engineering Attacks Target Every Level of Business
Some people think they won’t be the target of social engineering attacks because they’re too low in the company hierarchy or they don’t have any access. But that’s not true. Social engineering attacks target anyone at any level. Even if you don’t have anything valuable yourself, you can be a stepping stone to let a hacker deeper into the company.
“The entire canvas of employees at a company is a target in many situations.” – Jack Rhysider
Targeting People at the Top
Social engineering attacks definitely target people at the top of the company. CEOs, for example, are great targets because they have a lot of power and decision-making authority. In regular phishing, a hacker tries to get you to click on a link so they can get access to your accounts or device. But when they do it to a CEO, it’s called “whaling” – because if the CEO gets caught, the hacker caught something much bigger than an ordinary phish.
If a CEO gets caught in a phishing or social engineering attack, the hacker can impersonate the CEO. They could send an email telling the accounting department that a payment to someone was missed and that accounting should wire money to this account immediately. At that point, the attacker is dealing with senior staff who take instructions from the CEO every day. They are very likely to say, “Oh, that’s an email from the CEO. I should do this right away.”
Targeting People at the Bottom
On the other side, even people at the very lowest levels of the company can be targeted by social engineering attacks. A criminal might try to get access to a physical building by convincing the night cleaning crew that they’re an employee who forgot something important at their desk. Or they might call a receptionist to get information.
Jack heard about a scenario where the person wasn’t even a social engineer, but they used social engineering techniques. They wanted to know where a particular person was. They knew this person was in town, but didn’t even know what hotel. So they started calling every hotel in town, claiming to be a dry cleaning company trying to deliver the target’s dry cleaning. In the first four calls, the person wasn’t even in the hotel. But in the fifth call, the front desk person confirmed he was there and gave the room number. It was a social engineering attack targeted at the front desk person.
Targeting People with Access
Hackers also like to target people who have useful access. IT staff and IT administrators are common targets of social engineering attacks because hackers want the privileged access they hold. A system administrator often has access to everything in a company, including the CEO’s emails. A hacker could do a lot of damage with that access. Any employee who has access to any sort of internal system is a target. But the more access they have, the more likely they are to be attacked.
People Can Be the Strongest Link
People are often the weakest link in security. But they can also be the strongest link. People who are well-trained and know how to spot social engineering attacks and other issues can call out potential issues really well. There are tons of stories of people trying to do major bank robberies, but who got foiled by one person noticing something that didn’t quite add up and looking into it. Questioning things that are just slightly out of the ordinary can kill a hacker’s entire operation.
“People are the weakest link, but they’re also the strongest link.” – Jack Rhysider
Social Engineering Attacks Target Individuals
Businesses aren’t the only entities targeted by social engineering attacks. Hackers target individuals too. A big one Jack has seen is attacks targeting people who have Bitcoin or other cryptocurrencies. All a hacker needs is their private key, and then they have their Bitcoin. Someone boasting on Twitter or other social media about their cryptocurrency might find themselves targeted by a social engineering attack. Anyone who has anything of value, even an ordinary bank or investment account, can be a target. People can also be hacked for other reasons, such as a jealous ex-partner or a cyberstalker. There’s a wide variety of motives for individuals to be hacked.
Some social engineering attacks can be very targeted, as well. A regular phishing attack casts a wide net. It might be a fake email sent to a million people saying their Chase Bank account was compromised. But if the recipients don’t bank with Chase, a portion of those emails just went nowhere. If the hacker takes the time to learn the target and their weaknesses – where they shop, what’s important to them, what school their kids go to – they can craft a message just for them. If you got an email from the principal of your kids’ school mentioning your kids by name, you’re probably going to click it. That’s what spear phishing is: creating a targeted attack for a specific individual. And when the attack is tailored to us, we’re more vulnerable.
How to Identify Social Engineering Attacks
Social engineering can target anyone at any time. If you’re not aware or not paying attention, hackers could easily catch you with their attacks. Knowing how to spot social engineering attacks and what steps to take if you think you’re being targeted can help you avoid disaster.
Attackers Try to Push You
Most social engineering attempts try to push you. They make whatever it is they want time-sensitive. They may call you at four o’clock on a Friday, for example, and say they’re sorry it’s so last-minute but they really need to wrap this up before going home. It’s really trying to trick you. We all want to be helpful, and that makes us vulnerable. To avoid falling into the trap, slow down. In this example, tell them you’re sorry, but you’re just too busy and they can call you back on Monday. Just take the time to notice that this person you don’t really know is trying to push you or rush you into acting before you think.
“Watch out for when somebody that you don’t know is really trying to push hard on you.” – Jack Rhysider
Hang Up and Call Back
HR called to tell you that you didn’t sign your bonus check properly. They want you to go to a website so you can get it signed. On the surface, this could be legitimate. But how do you know? Hang up and call back on a number you know. Call HR’s number, or if you’re in the same office walk over and ask if someone called. Tech support scammers call and pretend to be from Microsoft, or IRS scammers call pretending you owe taxes. But you can just hang up, then call directly. Call Microsoft and ask if there’s really an issue with your license, or call your local tax center directly to see if you really owe taxes. Any legitimate organization will not have a problem with you calling back to verify.
Beware Payments Outside the Norm
Payments through Western Union are always a red flag. Jack once lost money to an online shopping scam. He sent the payment through Western Union. Once he realized it was a scam, he contacted Western Union, but they refused to even cooperate with a police investigation. Since then, he’s been convinced that Western Union helps, harbors, and protects scammers. The only reason you should use a service like Western Union is to send money to family members in desperate circumstances.
Gift cards are another payment method that is a warning sign. No legitimate person or company wants to be paid with Amazon or Apple gift cards. If someone is asking you to pay with gift cards, that’s a red flag – just don’t do it. In general, be aware of anything different from normal. If you always pay your utility bills with an electronic funds transfer and now they’re asking for your credit card, that’s suspicious. Anything that’s different from normal should make you ask questions.
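The red flags from this section (a sender pushing you, a request that should be verified out of band, and a payment channel outside the norm) can be turned into a quick triage check. The script below is an added example, not code from the Easy Prey page or from Jack Rhysider; the two sample messages, the TRUSTED_DOMAINS set and the keyword lists are constructed for illustration. It parses one raw email, compares the sender to the domains the organisation actually uses (catching look-alikes such as examp1e-corp.com), checks whether replies are routed elsewhere, and scans the body for urgency phrases, odd payment methods and links to hosts you do not control.

```python
"""Heuristic triage of an email for the social-engineering tells described above.

Added example, not code from the Easy Prey page or from Jack Rhysider.
The sample messages, TRUSTED_DOMAINS and the phrase lists are constructed.
"""
import email
import re
from email.utils import parseaddr

# Constructed: the domains this organisation really sends HR/finance mail from.
TRUSTED_DOMAINS = {"example-corp.com"}

# Phrases that signal pressure to act before you think (the "push").
URGENCY_PHRASES = ("immediately", "urgent", "right away", "before you go home",
                   "within 24 hours", "asap", "today only", "last-minute")

# Payment channels that legitimate organisations almost never ask for.
ODD_PAYMENT_PHRASES = ("gift card", "western union", "moneygram",
                       "wire transfer", "bitcoin")

# Roles a spoofed display name tends to claim.
CLAIMED_ROLES = re.compile(r"\b(hr|ceo|cfo|payroll|it support|helpdesk)\b")


def normalize_domain(domain: str) -> str:
    """Fold common look-alike tricks (examp1e-c0rp, 'rn' for 'm') for comparison."""
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
    return domain.lower().translate(table).replace("rn", "m")


def host_is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def plain_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> dict:
    """Return the red flags found in one RFC 822 message plus a verdict."""
    msg = email.message_from_string(raw_message)
    flags = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if from_domain not in TRUSTED_DOMAINS:
        trusted_norm = {normalize_domain(d) for d in TRUSTED_DOMAINS}
        if normalize_domain(from_domain) in trusted_norm:
            flags.append(("lookalike_domain", from_domain))
        else:
            flags.append(("external_domain", from_domain))
        # An outside address claiming to be HR, the CEO, IT support, etc.
        if CLAIMED_ROLES.search(display_name.lower()):
            flags.append(("display_name_mismatch", display_name))

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append(("reply_to_mismatch", reply_to))

    text = plain_text(msg).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append(("urgency", ", ".join(hits)))
    hits = [p for p in ODD_PAYMENT_PHRASES if p in text]
    if hits:
        flags.append(("odd_payment", ", ".join(hits)))
    for host in re.findall(r"https?://([^\s/]+)", text):
        if not host_is_trusted(host):
            flags.append(("untrusted_link", host))

    # Two or more independent tells is enough to stop and verify out of band.
    verdict = "verify before acting" if len(flags) >= 2 else "no obvious tells"
    return {"flags": flags, "verdict": verdict}


# Constructed sample: the "HR bonus check" pretext from the text, arriving as email.
SAMPLE_PHISH = """\
From: "HR Department" <hr@examp1e-corp.com>
Reply-To: hr.payroll@mail-fastreply.net
To: you@example-corp.com
Subject: Bonus check signature needed today

Your bonus check was not signed properly. Please go to
http://examp1e-corp.com.bonus-portal.net/sign right away so we can process
it before you go home. If the portal is down, pay the $50 processing fee
with an Amazon gift card and reply with the code.
"""

# Constructed sample: a routine internal notice with none of the tells.
SAMPLE_LEGIT = """\
From: "HR Department" <hr@example-corp.com>
To: you@example-corp.com
Subject: Open enrollment reminder

Open enrollment runs through the end of the month. The benefits summary is
on the intranet at https://intranet.example-corp.com/benefits if you have
questions.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = triage(sample)
        print(name, result["verdict"], result["flags"])
```

The verdict is deliberately "verify before acting" rather than "phishing": a single tell (an external domain, say) is normal for a real vendor, so the check only tells you when to hang up and call back on a number you already know. Keyword lists like these are easy for an attacker to avoid, which is why the sender and link checks carry the weight.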
Steps to Protect Yourself from Social Engineering Attacks
It is almost impossible to completely avoid being targeted by social engineering attacks. If nothing else, you will probably always be targeted by general phishing emails. But there are some steps you can take to make it harder for hackers to get into your stuff. You don’t need to have perfect security. It just has to be difficult enough. The more resources hackers have to use, the more likely they are to give up and move on.
“When it comes to being hacked, it’s not always about outrunning the hacker entirely. You just want to outrun the other person next to you who’s slower.” – Jack Rhysider
Step 1: Update Your Technology
Always install any software updates that are available. It makes your tech life better and more secure. Update the operating system on your phone and computer. Update the apps on your phone and the apps and software programs on your computers. And once it’s updated, keep it updated. Updates patch security vulnerabilities and give hackers less of a foothold to get in.
Step 2: Secure Your Passwords
Use a unique, crazy, wild password on every website, one that’s impossible to memorize. Since you can’t memorize it, you’ll need a password manager to help. A password manager is a tool that remembers your password for each website. You can make the password as long and complex as you like, and when you go back to that website, your password manager will fill it in. Jack isn’t talking about the password-saving feature built into your browser. He’s talking about something like LastPass, 1Password, Dashlane, or NordPass. They will remember your password while being much more secure than your browser’s built-in option.
Step 3: Protect Your Email
When someone has access to your email account, they can look at all your emails, reset any other password you have for any other account, and get into everything. They can go to your bank account, click the “forgot password” option, and use their access to your email to create a new password. They can reset everything.
Years ago, we used to really protect our social security numbers. We didn’t like them getting out anywhere. Today, the thing to really protect is email. Don’t let other people have access, don’t share your password, and watch which other apps have access to it. Your romantic partner probably knows a lot about you. If you break up, make sure you change your password, because you never know what they might do with that later.
“You really need to protect your email address because that’s access to everything in your world.” – Jack Rhysider
If someone goes into your email and changes the password, you could be locked out. But even worse, someone could get into your email and not change the password. They could just lurk in your account, reading your emails, resetting your other accounts, and deleting the reset emails so you’re none the wiser. Gmail gets attacked like this a lot, and it has some tools to help. At the bottom of the screen there is a link to the last few IP addresses that connected, so you can spot sessions that aren’t yours. Google also sends you an email whenever a new device signs in. But someone inside your email could read that and delete it. That’s why it’s important to stay vigilant and check on things like that right now, not later.
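Reading the account-activity list by eye only works if you know what to compare it against. The script below is an added example, not code from the page or from Jack Rhysider; the login events, the known-device and known-IP sets and the per-IP coordinates are constructed (real data would come from your provider’s activity page and a GeoIP lookup). It flags any session from an address or device you don’t recognise, and it also applies the "impossible travel" test: two consecutive logins far enough apart that nobody could have made the trip in the time between them must belong to two different people, even if the intruder’s device name looks ordinary.

```python
"""Review webmail "last account activity" for a lurking session.

Added example, not code from the page or from Jack Rhysider. The events,
the known-device/IP sets and the geolocations are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # about airliner speed; faster means two different people


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    ip: str
    device: str
    lat: float   # constructed GeoIP result for the address
    lon: float


# Constructed: what this user knows they own and where they normally connect from.
KNOWN_DEVICES = {"ThinkPad / Firefox", "Pixel 7 / Chrome"}
KNOWN_IPS = {"203.0.113.10", "198.51.100.7"}   # RFC 5737 documentation addresses


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def review(events, known_ips=KNOWN_IPS, known_devices=KNOWN_DEVICES):
    """Return (event, reason) pairs that deserve a second look, oldest first."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.when)
    for i, cur in enumerate(ordered):
        if cur.ip not in known_ips:
            alerts.append((cur, "unrecognised IP"))
        if cur.device not in known_devices:
            alerts.append((cur, "unrecognised device"))
        if i == 0:
            continue
        prev = ordered[i - 1]
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.when - prev.when).total_seconds() / 3600
        # Nearby logins need no travel; distance with zero elapsed time is impossible outright.
        if km > 100 and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
            alerts.append((cur, f"impossible travel: {km:.0f} km in {hours:.2f} h since {prev.ip}"))
    return alerts


def utc(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed activity: two normal Denver sessions, one intruder from Lagos,
# then the owner again from Denver.
SAMPLE_EVENTS = [
    LoginEvent(utc(2024, 5, 6, 9, 0),   "203.0.113.10", "ThinkPad / Firefox", 39.74, -104.99),
    LoginEvent(utc(2024, 5, 6, 12, 30), "203.0.113.10", "Pixel 7 / Chrome",   39.74, -104.99),
    LoginEvent(utc(2024, 5, 6, 13, 15), "192.0.2.55",   "Windows / Chrome",   6.52,    3.38),
    LoginEvent(utc(2024, 5, 6, 18, 0),  "198.51.100.7", "ThinkPad / Firefox", 39.74, -104.99),
]

if __name__ == "__main__":
    for ev, reason in review(SAMPLE_EVENTS):
        print(ev.when.isoformat(), ev.ip, ev.device, "->", reason)
```

Note that the owner’s own 18:00 login is flagged for impossible travel as well: both logins that bracket the intruder’s session trip the test, which is exactly what you want when deciding whether to change the password and sign every session out.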
Step 4: Know Your Weaknesses
Social engineering attacks use a wide variety of stories. Somewhere out there is one that could trap you. Some attackers target older people and tell them their grandchildren are in trouble and said to call grandma or grandpa, who will help settle the debts. Stimulus check scams are a popular social engineering attack right now. Some scammers gain enough information about you to collect unemployment in your name, even though you never quit your job or got fired. Jack heard a story yesterday about a scammer running a fake illegal online pharmacy. He sent the offer to a list of recovering drug addicts, figuring that someone just out of rehab would be even more likely than the average person to try to buy opioids from an email.
You have to be aware of the vulnerabilities and weaknesses you have. Maybe you’re super compassionate towards stories of people with sick cats. Now someone is emailing you about their sick cat and how they need just two hundred dollars to take it to the vet. You are much more likely to fall for that social engineering attack because it’s an area where you’re vulnerable. Recognize your weaknesses, and recognize that those are also the areas where people might try to scam you.
“If you recognize these are your weaknesses, then you can also recognize that might be an avenue for someone to scam you.” – Jack Rhysider
The Dangers of Social Media
Social media is a nightmare and a dumpster fire right now. We put so much information online, for free. Criminals don’t even need to hack anything to find out so much about you. Even if you just post that you’re going on vacation, now everyone knows that your house is going to be empty for a while. There’s a ton of information that we give away freely that can expose us or make us vulnerable.
“There is so much stuff people are giving away on social media free that any hacker can use to their advantage.” – Jack Rhysider
On someone’s social media, you can learn their sexual orientation, where they work, where they live, where they went to school, and who their friends and family are. Social media quizzes and trivia games even expose answers to common security questions, like the names of our first pets and where we went to high school. When Sarah Palin’s email got hacked, the hacker didn’t even have to use hacking skills or social engineering attacks. They went to her webmail provider, put in her address, and clicked the “forgot password” option. The security question asked about her high school – something everyone knew because she had talked about it on TV all the time. And they got in.
Jack is a big advocate of privacy. He doesn’t like posting anything on social media. You’ll never see a picture of his family on his page. In the 1990s, we wrecked the environment, and it’s going to take decades to recover from that. Right now, we’re doing the same with privacy. So much of our information is out there that it’s going to take decades after we realize our mistake to clean it up.
An In-Depth Look at Social Engineering Attacks, Hacking, and More
On the Darknet Diaries podcast, Jack gets even more in-depth about scams, hacking cases, and social engineering attacks. Social engineering in particular is a favorite of listeners. He has a lot of episodes about people who get hired to break into offices and see if they’re secure. He also talks to criminals about how they actually broke in, and to law enforcement about how they catch criminals and what mistakes the criminals make.
It’s a fun show where you can learn about the technical aspect of what’s going on and how it works. For a lot of people, that’s top of mind right now. Hackers are breaking into everything. The immediate mental image is a guy in a hoodie in a basement somewhere. But often, that’s not accurate. This person got access with a password written under the keyboard. Is that even hacking? It helps you understand that for many “hacking” things, it’s not as complicated as you might think. It’s eye-opening for many people.