The biggest threat to your online security is you

Luckily, there are ways to protect yourself from the smooth talk of “social engineers” who want your private data.

By Garage Staff — October 16, 2018

You get a call from someone who greets you by your name and title and says they’re in the IT department at your company. A number of employee passwords have been stolen, he says, so you need to change yours right now. He then instructs you on how to change your password, explaining that it must include certain characteristics. “What’s your new password?” he asks. This should stop you cold, since no legitimate company or employee will ever ask for your password. But at this point you trust him, and you’re in a rush. So you tell him.

Unfortunately, that “IT professional” was a hacker, and you just made his day.

The playbook he used is called social engineering, a common form of hacking that tricks targets into giving up sensitive information. Instead of exploiting technology’s weak spots, social engineering exploits human vulnerabilities.

This type of threat is now what worries cybersecurity professionals most, according to a survey conducted at 2017’s Black Hat cybersecurity conference. The tactic was again a hot topic at the 2018 Black Hat conference, which was sponsored in part by HP.

Be suspicious, especially if someone asks you to bend any rules.

On the horizon, algorithms listen in

During a panel discussion called “Pwning Social Engineers Using Natural-Language Processing Techniques in Real Time,” Ian Harris, a professor of computer science at the University of California, Irvine, and Marcel Carlsson, a principal consultant at Lootcore, discussed how they’re using natural-language processing, a family of techniques in which computers parse and analyze human language, to quickly identify social-engineering attempts from the words the scammers use.

Harris and Carlsson’s tool reads the dialogue between hacker and target and intervenes when it detects someone asking an inappropriate question, such as “What’s your password?,” or issuing an inappropriate command, such as “Click on this link.” While demonstrating the tool, the duo successfully detected a number of malicious social-engineering attempts. The technique is particularly exciting because it can identify these types of attacks over the phone or in person as well as via email or text. Generally, cybersecurity researchers look at email subject lines or metadata to find signs of malicious social engineering, but Harris and Carlsson are looking at the actual words a hacker would use.
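The detection idea described above, as an added example that is not the Harris and Carlsson tool or any code from the article: a small rule-based screen that reads a speaker-labelled transcript, flags questions that ask for a sensitive item and imperatives that push a risky action, and reports the line and the word that triggered. The term lists, the regular expressions, the `[caller]`/`[target]` transcript format and the sample dialogue (modelled on the phone call at the top of the article) are all constructed for this example; a production system would need a real parser, as the panel's NLP approach does, rather than regexes.

```python
"""Toy rule-based screen for social-engineering requests in a call transcript.

Added illustration, not the tool discussed at Black Hat. Every list, pattern
and sample line below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Things a legitimate IT department never needs you to disclose (constructed list).
SENSITIVE_TERMS = [
    "password", "passcode", "passphrase", r"\bpin\b", "security code",
    "verification code", "one-time code", "mfa code", "2fa code",
    "social security number", "account number", "card number",
]
SENSITIVE_RE = re.compile("|".join(SENSITIVE_TERMS), re.IGNORECASE)

# Imperatives that push the target toward a harmful action ("Click on this link").
RISKY_VERBS = ["click", "open", "install", "download", "run", "execute",
               "enable", "disable", "forward", "transfer", "wire", "enter", "type"]
# Imperatives that ask the target to hand something over; only a problem when
# the thing requested is sensitive ("read me the verification code").
DISCLOSURE_VERBS = ["tell", "give", "read", "confirm", "share", "say",
                    "repeat", "provide", "send"]

# Polite or urgent wrappers a social engineer puts in front of a command.
_PREFIX = (r"(?:(?:please|just|now|so|then|you (?:need|have) to|i need you to|"
           r"go ahead and|can you|could you|would you)\s+)*")
COMMAND_RE = re.compile(
    r"^" + _PREFIX + r"(?P<verb>" + "|".join(RISKY_VERBS + DISCLOSURE_VERBS) + r")\b",
    re.IGNORECASE,
)
# Direct questions: wh-word or auxiliary at the start, or a trailing question mark.
QUESTION_RE = re.compile(
    r"^(?:what|which|where|when|who|how|can|could|would|do|does|is|are)\b|\?\s*$",
    re.IGNORECASE,
)
# Transcript lines look like "[speaker] words" (constructed format).
LINE_RE = re.compile(r"^\[(?P<speaker>[^\]]+)\]\s*(?P<text>.*)$")
SENTENCE_SPLIT_RE = re.compile(r"(?<=[.!?])\s+")


@dataclass
class Finding:
    line_no: int
    speaker: str
    kind: str      # "sensitive-request" or "risky-command"
    trigger: str   # the word or phrase that fired the rule
    text: str


def analyze_utterance(text: str) -> Optional[Tuple[str, str]]:
    """Return (kind, trigger) for the first rule an utterance breaks, else None."""
    for sentence in SENTENCE_SPLIT_RE.split(text.strip()):
        cmd = COMMAND_RE.match(sentence)
        if cmd:
            verb = cmd.group("verb").lower()
            if verb in DISCLOSURE_VERBS:
                # "Send me the agenda" is fine; "read me the verification code" is not.
                hit = SENSITIVE_RE.search(sentence)
                if hit:
                    return ("sensitive-request", hit.group(0).lower())
                continue
            return ("risky-command", verb)
        if QUESTION_RE.search(sentence):
            hit = SENSITIVE_RE.search(sentence)
            if hit:
                return ("sensitive-request", hit.group(0).lower())
    return None


def scan_transcript(transcript: str) -> List[Finding]:
    """Run the rules over every labelled line and collect the violations."""
    findings = []
    for line_no, raw in enumerate(transcript.strip().splitlines(), start=1):
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank or unlabelled line
        result = analyze_utterance(match.group("text"))
        if result:
            kind, trigger = result
            findings.append(Finding(line_no, match.group("speaker"), kind, trigger,
                                    match.group("text")))
    return findings


# Constructed sample, modelled on the opening scenario of the article.
SAMPLE_TRANSCRIPT = """
[caller] Hi Dana, this is Mark from the IT department.
[caller] A number of employee passwords have been stolen, so you need to change yours right now.
[caller] Pick something with at least twelve characters and a symbol.
[caller] What's your new password?
[target] Sorry, can you confirm the ticket number for me?
[caller] Sure, it's on the link I just emailed you. Click on this link and it will show you.
[caller] Could you read me the verification code that just arrived by text?
[target] I'll call the helpdesk back on the published number and sort it out there.
"""

if __name__ == "__main__":
    for f in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {f.line_no} [{f.speaker}] {f.kind} ({f.trigger!r}): {f.text}")
```

Run as a script it prints one line per flagged utterance; the target's own question about a ticket number is not flagged because the disclosure verb `confirm` is only a problem when paired with a sensitive term, which is the distinction the panel's tool draws between an ordinary request and an inappropriate one.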


How to protect yourself

For now, even without protective technology to thwart such attacks, familiarizing yourself with the techniques these scammers use can lessen your risk of falling for them.

Hackers use social engineering to cloud our judgment and persuade us to make decisions against our own best interests. “If something sounds plausible or familiar, or we’re worried or tempted by a reward, we may not use our best judgment, at least some of the time,” says Jenny Radcliffe, an expert in social engineering and negotiation known as The People Hacker. “All of us can be fooled by this type of con; we are all vulnerable to the right script at the right time.”


The most common tactics these hackers use to prey on human weakness are phishing and baiting.

In a phishing scam, the hacker impersonates a real website or company to trick the target into clicking on malicious links or signing into a fake site, thus giving up their password or other personal information.

Baiting entails an offer of some sort of prize or gift, such as a free USB drive or movie download. When you plug that drive into your laptop or download that movie, you may also be infecting your computer with malware.

Note your stress level

These types of scammers often use fear, flattery or greed to get you to do what they want, says Radcliffe: “A malicious social engineer is looking to create an emotional state in the target.”

The best way to thwart these attempts is to be suspicious, especially if someone asks you to bend any rules or makes you uncomfortable in any way. “If you feel rushed or emotional, if money is involved, or a lot of operational details are required, take a moment to assess the person’s request,” says Radcliffe. Tell them you need to verify their identity and affiliation and that you’ll call them back after doing so.

Always remember, Radcliffe adds, that “it’s better to slightly inconvenience a genuine person than to make life easier for a con man.”


For more privacy tips, check out this piece on PC security.