More and more people hear about social engineering, and they also find out that it is the most widespread threat on the attack surface in cyber security. Social engineering also happens to be one of the most popular attack vectors in the virtual space, because anyone with social and communication skills can do it: no education or degrees, and no coding skills, are required.
There are a lot of stories about a huge diversity of cons, scams and mind tricks, and we know an attack might come over the phone, over e-mail, through a letter or even by physical impersonation. The objective is also immensely diverse, from credential harvesting to obtaining financial benefits, all kinds of information, secrets, intelligence, personal details or just jumping the queue at a cashier's desk with the classic "Sorry, I have a small baby waiting for me in the car …". So if you don't know what they will want from you, you don't know who they are or what they look like, and you also don't know what persuasive means they will use, how do you protect yourself?
Let's take the example of an image from an Instagram comment by some user whose message was "Did you know you cannot comment your password?". Simple and effective, this message led to a significant number of users posting their passwords in the comment section below. This is huge not only because of the ingenuity of the means but also because of the strong impact and the effective psychology that this short and simple message contains. And what is even more important: it is the perfect example of an attack that is difficult to see coming.
First of all, the psychology of the message is "You cannot do <something>", and this is a message to which most of us would answer "Yes, I can", just because our ego comes into play. This human stubbornness and will to persevere also explains why the affected users did not come back later to delete their compromising comments; you can even see the same user posting his/her password and then commenting below "yes you can". But there are more tricks involved. Most of us would expect phishing to come looking for us: a message in our mailbox, a phone call to our number, the phone company guy at our door. In this case we visited a post, an account; it was our choice, and unfortunately that makes us lower our defenses just enough to ensure the success of the scam.
YES. One of the main rules insisted upon during any awareness training is: "Under no circumstances let others know your credentials: not your family, not your colleagues, not your CEO, nobody!"
Even for the most security-educated among us there are times when scams are so well engineered that they cannot be avoided by common sense. Information security teaches us the importance of multi-factor authentication, which is the extra layer of security needed in these extreme situations. Secure every account with multi-factor authentication, and do not use the same password for multiple accounts, so that the impact of a disclosure is limited to a single account.
The truth is that no expert can prepare you for the extremely vast imagination of a bad guy. But in cybersecurity, as in a lot of other fields, there will always be simple rules that can make a difference in times of complex trouble. To conclude: most of the time in cybersecurity, we should not be worried about an attacker's skill set, we should be worried about an attacker's mindset, that is, his patience, his persuasion and his will to succeed. The impact is extremely critical since, according to a KnowBe4 2020 whitepaper, 70% to 90% of all the big breaches are nowadays caused by social engineering, and that includes the scariest attack of our times, ransomware!
Be prepared, stay safe!