This post is part of the series, SmallBusiness.com Guide to Business Computer and Tech Security: Advice, alerts and information about digital security threats faced by small businesses. You can browse other posts in the series below.
When reading about celebrities having their personal accounts hacked, you may run across the term “social engineering” as a method the cyber criminals used. It’s important that everyone who works in a small business understand the ways cyber criminals use methods that fall under this label, even those who don’t work full-time in front of a screen.
To be more clear, the term “social engineering” refers to a type of hacking that resembles a confidence game, or “conning.” Essentially hackers are trying to get someone to provide them with a missing piece of information, one they need to put together an elaborate puzzle to be used in gaining access to an account. A well-known “beginner” type of social engineering is “phishing,” where a cyber criminal sends out mass emails that appear to be from a bank or another type of business with whom someone may have an account. The hacker hopes a victim will click through to a fake login page where they will provide their username and password.
But social engineering schemes can be far more complex and extremely elaborate than the ham-fisted phishing approach. Here are a few more examples of social engineering, and ways you can recognize the con.
Quid pro quo
The familiar Latin phrase “quid pro quo” simple means “something for something.” In this con, an attacker calls random numbers at a company claiming they are technical support calling back for some software, app, device, telephone line, etc. (We once had someone claiming they were from “Twitter” call us. We hung up as we doubt they have phones at Twitter.) The hacker will do this until they find someone with a legitimate problem then “help” them solve it and, subsequently, obtain a bunch of commands that gives them access to do as they please (launch malware, for example).
No, this isn’t when an attacker steals your freshly-ketchuped hotdog at a parking lot picnic before a college football game (though, that’s frustrating); this is when, appearing like an employee, an attacker walks into a secured area behind an employee with access. The employee, spotting this person, may assume the attacker is supposed to be there and hold the door for them. Even if the employee asks to see identification, the attacker may claim they forgot or lost it, or present a believable fake.
Cracking your email
One of the more recent scams has involved attackers hacking popular email accounts like Yahoo, Gmail and Hotmail. Posing as the user, they will steal credit card information, passwords and other valuable information, OR take your chat histories and manipulate them (using photoshop) to blackmail you or create distrust. With this, they can also hack company websites and attempt to ruin reputations.
Inform your employees to never reveal a password to an email or other sensitive account. If it is necessary to provide a password in a unique situation, seek advice from your technical staff or consultant.
(Feature image: Sofi via Flickr)