To ensure success hackers often use multiple approaches to the same problem. These may be technological in the hacking tools they bring to bear or in the knowledge of vulnerabilities that can be exploited, but they also make use of Social Engineering.
Social Engineering is the use of psychological tricks against people to get them to do something against their interest or to the benefit of the attacker. Social Engineering has been around for a lot longer than the phrase, Con Men and Scam Artists have made use of the same techniques for centuries in order to get what they want.
One of the best examples of Social Engineering is the Greek’s leaving behind a large wooden horse after pretending to give up on the decade long siege of Troy (https://en.wikipedia.org/wiki/Trojan_Horse). Even the term Trojan is used in cyber security to indicate a malicious program that pretends to be something it’s not (e.g. an innocuous program or browser plugin that contains a key logger).
Hackers make use of Social Engineering as it’s often quicker to convince someone to perform an action or give up some information than it is to find and exploit a technological vulnerability.
They make use of multiple strategies to help achieve their goals:
- Phishing and Spear Phishing – Spammed or targeted emails that aim at getting the victim to hand over information, take an action or to activate a malicious attachment/website. Fun Fact: scammers often deliberately include spelling mistakes to single out more credulous people.
- Pretexting – Where scammers need to operate in-person (either via a phone or face-to-face) they’ll spend time crafting a plausible reason as to why they need what they’re asking for. Unlike phishing attacks which use urgency coupled with fear (either of missing out or of some repercussion), pretexting relies on building trust with the victim in order to make use of them.
- Baiting – Relies on people receiving “something for nothing”. For example usb sticks can be put in a reception area or organisation’s car park, often with a juicy label like “Redundancies 2017” in the hope that people will be curious enough to pick up the device and plug it into a machine. Once that’s done the machine can be compromised in seconds, often installing back doors and “phoning home” to the attacker for exploitation at their leisure.
- Quid Pro Quo – In order to instil a sense of obligation an attacker will offer help in some form with the expectation that the user will respond in kind to a request from the attacker.
- Tailgating – Our final example is tailgating where someone who lacks authority to enter a particular area follows behind someone who has access. This can be as simple as impersonating a delivery driver with a package or being in a common smoking area and following other smokers back into the building.
In order to reduce the risk to yourself and the university be aware of red flags when dealing with people. Some red flags include unsolicited urgent communications with implied threat/benefit and strangers looking for the benefit of the doubt.
But also take into account the sensitivity of information you’re being asked for or the impact of an action you’re being asked to do. Hackers and scammers can do very little without your help!