This is one half of a two-part story. Read the related article, Be Prepared: The Top ‘Social Engineering’ Scams of 2017.
The Little Red Riding Hood version of the current trend in hackings goes something like this:
Victim, looking at a hacker who they expected to be an unsociable computer nerd: “Hacker, what good people skills you have!”
Hacker: “The better to access your accounts with.”
Nowadays, computer skills are not the only job requirement for hackers. Many attacks simply involve persuading unwitting targets or company employees or customer service agents to open the doors for them into accounts of all kinds — email, bank accounts, and even phone numbers, from which they reset passwords to the victim’s email and financial institution, etc.
Chris Hadnagy, chief human hacker of Social Engineer, which educates companies on not falling victim to social engineering attacks, says, “When we talk to consumers or business people, they say, ‘I would never fall for those things.’ They don’t believe it till it happens to them.”
But social engineering is now used in 66% of all attacks, and in the company’s own tests, 90% of people they’ve tested offer up the spellings of their name and email address without confirming the identity of the person making the request, and 67% do the same with Social Security Numbers, birthdates and employee numbers.
While in the related article, I cover the current top three social engineering scams, the hackers are opportunistic and constantly changing tactics. For instance, many of them exploit natural disasters. “If there’s a tsunami, hurricane or an accident, within hours, you can pick up on scams that are impersonating charity organizations, trying to take collections from people,” says Michele Fincher, chief operating officer of Social Engineer.
Similarly, when Target was breached, compromising up to 110 million customers, Target offered those customers free credit monitoring via email. The hackers caught on and “they started sending emails to all the Target customers saying, ‘Hey, don’t forget to sign up for your credit monitoring here. Download it here,'” says Hadnagy. “And why wouldn’t someone trust it? It was branded from Target and looked the same.”
Fincher also says that they take their time and do their homework: “If they’re interested in you as an individual, they find out what motivates you.” Then they try to contact you in a way that will elicit an emotional rather than a rational response — by making you angry or curious or frightened, or putting you in another emotional state that would lead you to let down your guard.
So, while it’s very good internet hygiene to use random, unique passwords at every site and to make sure your email addresses and phone numbers are not connected to each other or that your public phone numbers and email addresses are not connected to your most sensitive accounts (follow the instructions in this article to learn how), you should also employ other, less technical behaviors to secure your accounts.
1. Never give out information by clicking a link or when someone calls you.
For example, if you’d been a Target customer whose account was compromised and received an email inviting you to sign up for free credit monitoring, you would avoid clicking the link you received in your email and instead go straight to the Target website. Or, with the IRS scam outlined in the related story, “If the IRS says you’re late and owe this money, get the account number, and call the IRS back and ask, Is this real? Do I really owe money or not? It takes longer, which is why people don’t do it, but it’s worth it to take the time to make the call,” says Hadnagy. The most important step is to verify that the person or organization you are speaking with truly is who they claim to be.
2. Beware of any messages that elicit an emotional response.
“If a message makes you extremely emotional in good or bad ways, or very interested, that’s something to give you pause,” Fincher says. “If you’re into animals or children’s causes or sports, or if you want a kind of car, these are things that will make us react and unfortunately, those are the things malicious attackers take advantage of,” says Fincher.
For instance, in a scam tied to the holiday season, hackers were luring victims by offering them discounts to items they had placed on their Amazon wish list.
3. Don’t put anything on social media or online that you wouldn’t want hackers to know.
“We’re not anti-social media, but usually we’ll tell people, ‘You need better critical thinking,'” says Hadnagy. “If you’re willing to use FourSquare, then you need to be aware your geolocation is not private. Don’t assume that just because you’re you that people aren’t looking at your Facebook.”
Whatever you put on Facebook, especially if it’s set to public (although even private posts could easily be screenshot or copied by any of your Facebook friends or anyone who has hacked their account), assume that it is now public knowledge. So if someone sends you an email or calls you and seems to know a lot about you, it may simply be because they’ve read your Facebook posts.
The same goes for Twitter, LinkedIn,Instagram, FourSquare, Google Plus, Tumblr, etc. (Read this story for a more detailed description on the ways the information from various social media accounts can be used by a hacker to convince a customer service rep that they are you.)
Just as individuals do, companies need to be careful about what information they disclose about themselves. “Companies have a hard balance to strike, because they have to be transparent,” says Fincher. “They have to be able to communicate with their clients, business partners and investors, so they have to strike this balance between ‘these are all the great things we’re doing’, vs. ‘what information are we putting out there that an attacker can use to get in the organization.'” So if a company announces it is going to partner with a great software developer, that is also information an attacker can use to social engineer a hack into the company’s systems.
4. Know what information about you is available in public records.
Although what is public record varies state by state, a hacker may be able to glean from public databases your home address via property records, your marital status, traffic tickets, the vehicle identification number (VIN) to your car and more.
“If I find a traffic ticket issued to you or maybe you sold a car, and I have a VIN number, and I could reference all that in an email to you that looks really convincing,” says Fincher.
5. Google yourself.
“People say, ‘I don’t want to Google myself because it seems self-absorbed,’ but I think doing that is really important because it gives you a sense of what is out there that you may not even know is out there,” says Fincher.
After following this tip from Social Engineering, some people realized that others had talked about them on a forum, or found out their personal information had been breached because they saw their information on Pastebin, says Hadnagy.
Also be aware that some sites such as Spokeo specialize in data aggregation on individuals, compiled from both free and paid databases. “You can request to have your information removed, but once you plug up one hole, there’s going to be another one,” says Fincher.
6. Keep tabs on what your friends and family might post about you.
“You could be the most locked down person in the world, but your mom might not be,” says Fincher. “If your mom posts about you or tags you in photos or if someone has a wedding and announces who attended — there are so many different ways. Trying to plug up some of those holes is reasonable but it’s not your only solution.”
7. Any information you use to identify yourself for any account should not be available anywhere online.
“If you’re silly enough to use your pet’s name as a password,” says Hadnagy, “your pet’s name should never be online.” Ditto with answers to security questions. If your password includes your wedding anniversary, never make that date public — or even available as private information to your Facebook friends.
Sometimes people fill out lists of questions on Facebook, such as “Tell us about your SENIOR year of high school!” (This is an actual post I saw last week.) This one then asked questions such as what year they graduated, what kind of car they drove (first make and model of car is a common security question) and their high school mascot (another common security question).
But you don’t even need to publicly state your high school mascot — if you’ve posted the name of your high school on LinkedIn or Facebook, the answer to that security question is a quick Google search away.
Read the related story, Be Prepared: The Top ‘Social Engineering’ Scams of 2017.