Halloween is a great time for people of all ages to let loose and embrace their spookier, darker side--even though they aren’t. For hackers, however, every day is like Halloween, but with ill intentions. Hackers will pretend to be someone they’re not in order to scam you out of sensitive data or personal information. By identifying their tricks, you can keep hackers from getting their treats.
The aforementioned tricks are typically characterized as social engineering tactics, where a hacker will trick users into thinking that they’re a trusted organization, or even someone within their own business. Unlike those who participate in Halloween dressed in silly costumes, it’s not so easy to distinguish a social engineering attack from normal everyday occurrences. This is what makes the trick so convincing. Therefore, it’s imperative that you know what to look for, and how to address it properly. Also, in the same way you check your kid’s trick-or-treat candy for anything that might be harmful, you need to view unsolicited digital communications with a degree of healthy skepticism.
The unfortunate fact is that social engineering attacks (including phishing scams) work, which is why they’re commonly used by hackers. Even the most vigilant user can fall victim to a social engineering scam, which prompts people to wonder what makes a social engineering attack so effective. Researchers from the University of Erlangen-Nuremberg in Germany decided to pursue this thought and performed research into what makes people want to click on suspicious links.
Zinaida Benenson presented the university’s findings at the most recent Black Hat convention in Las Vegas. It was discovered that the success of social engineering attacks was largely due to the hacker understanding the circumstances of the scam and personalizing the link to appeal to the victim at that specific time: “By a careful design and timing of the message, it should be possible to make virtually any person to click on a link, as any person will be curious about something, or interested in some topic, or find themselves in a life situation that fits the message content and context."
In other words, proactive training and education aren’t enough. Even the best employee could click on a link that aligns with their personal interests. ZDNet uses the example of an employee who has recently attended an event and is then sent a link to an online photo album containing memories of the event. The user will want to click on the link to see what the photos are, regardless of who it’s from. Once he has done so, the hacker succeeds; he has appealed to the natural curiosity of the user, and thanks to the timing of the message, the user is almost guaranteed to click it.
Another common example is an employee who is experiencing persistent technical trouble with their workstation. They might receive an email from “tech support” claiming that the problem can be resolved by downloading remote access software. The frustrated employee will click on the link because it fits their current needs and situation and because users typically trust tech support.
Just like how it takes energy to build an impressive Halloween persona, these hackers require immense time and preparation in order to successfully pull off a social engineering scam. These types of personalized attacks make social engineering scams challenging to protect yourself against. Yet, not all hope is lost. Educating your employees on security best practices and implementing spam blocking solutions designed to eliminate spammy emails may be the best way to avoid a fright.