How Hackers Use ‘Social Engineering’ and How to Prevent It


This post is part of the series, SmallBusiness.com Guide to Business Computer and Tech Security: Advice, alerts and information about digital security threats faced by small businesses.

When reading about celebrities having their personal accounts hacked, you may run across the term “social engineering” as a method the cyber criminals used. It’s important that everyone who works in a small business understand the ways cyber criminals use methods that fall under this label, even those who don’t work full-time in front of a screen.

More precisely, the term “social engineering” refers to a type of hacking that resembles a confidence game, or “conning.” Essentially, hackers are trying to get someone to provide them with a missing piece of information, one they need to complete an elaborate puzzle that will let them gain access to an account. A well-known “beginner” type of social engineering is “phishing,” where a cyber criminal sends out mass emails that appear to be from a bank or another type of business with whom someone may have an account. The hacker hopes a victim will click through to a fake login page and enter their username and password there.
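A phishing email usually gives itself away in its links: the visible text names the bank, but the link itself points somewhere else, or to a lookalike domain. The following is an added example, not code from the original post, showing how a mail filter or a help-desk script can check for both signs. The sample message and the allowlist of trusted domains are constructed for the demo; `examplebank.com` stands in for whatever domains your real bank or vendor actually uses.

```python
"""Flag links in an HTML email that look like phishing bait.

Two checks: (1) the visible link text names a domain that is not where the
link really goes, and (2) the link host is not one of the brand's trusted
domains (lookalikes such as examplebank-verify.net fail this test).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains genuine mail from this brand would link to.
TRUSTED_DOMAINS = {"examplebank.com"}

# Matches link text that looks like a bare domain or URL, e.g.
# "www.examplebank.com/login"; group 1 is the domain without "www.".
DOMAIN_TEXT = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?"
)


def host_of(url: str) -> str:
    """Lowercase hostname of a URL with any leading 'www.' removed."""
    host = (urlparse(url.strip()).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def domain_in_text(text: str) -> str:
    """Domain the visible link text claims, or '' if it is ordinary words."""
    match = DOMAIN_TEXT.fullmatch(text.lower().strip())
    return match.group(1) if match else ""


def is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, trusted=TRUSTED_DOMAINS):
    """Return a list of (href, reason) for links that fail either check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if not href_host:          # mailto:, anchors, relative links
            continue
        claimed = domain_in_text(text)
        if claimed and claimed != href_host:
            findings.append((href, f"text says {claimed} but link goes to {href_host}"))
            continue
        if not is_trusted(href_host, trusted):
            findings.append((href, f"host {href_host} is not a trusted domain"))
    return findings


# Constructed phishing-style message: one lookalike domain, one link whose
# visible text lies about its destination, and one genuine help-page link.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<p>Please <a href="http://examplebank-verify.net/login">sign in</a> now.</p>
<p>Or go to <a href="http://198.51.100.7/login">www.examplebank.com/login</a></p>
<p>Questions? See <a href="https://help.examplebank.com/contact">our help page</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run on the constructed message, the first two links are reported and the genuine `help.examplebank.com` link passes, because the check accepts subdomains of a trusted domain but not domains that merely contain the brand name.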

But social engineering schemes can be far more complex and elaborate than the ham-fisted phishing approach. Here are a few more examples of social engineering, and ways you can recognize the con.

Quid pro quo

The familiar Latin phrase “quid pro quo” simply means “something for something.” In this con, an attacker calls random numbers at a company claiming they are technical support calling back about some software, app, device, telephone line, etc. (We once had someone claiming they were from “Twitter” call us. We hung up as we doubt they have phones at Twitter.) The hacker will keep doing this until they find someone with a legitimate problem, then “help” them solve it and, in the process, have the victim run a series of commands that give the attacker access to do as they please (launch malware, for example).

Tailgating

No, this isn’t when an attacker steals your freshly-ketchuped hotdog at a parking lot picnic before a college football game (though, that’s frustrating); this is when an attacker, appearing to be an employee, walks into a secured area behind an employee who has access. The employee, spotting this person, may assume the attacker is supposed to be there and hold the door for them. Even if the employee asks to see identification, the attacker may claim they forgot or lost it, or present a believable fake.

Cracking your email

One of the more recent scams has involved attackers breaking into popular email accounts like Yahoo, Gmail and Hotmail. Posing as the user, they will steal credit card information, passwords and other valuable information, or take your chat histories and manipulate them (using Photoshop) to blackmail you or create distrust. With this access, they can also hack company websites and attempt to ruin reputations.

Bottom line

Tell your employees never to reveal the password to an email account or any other sensitive account. If it is necessary to provide a password in an unusual situation, seek advice from your technical staff or consultant first.


(Feature image: Sofi via Flickr)