You likely own a desktop or laptop computer, a mobile phone, or a tablet, or are a fan of online gaming. Each of these things makes you a target for a social engineering attack from a malicious actor.
A social engineering attack happens when an attacker manipulates us into giving up information such as our social security number, banking passwords, credit card numbers, and other private details so that they can steal our money and, in some cases, our identity.
Social engineering as a concept is nothing new: the term was coined by Dutch industrialist J.C. Van Marken in 1894 and refers to any method used to exploit human weaknesses in trust, perception, and judgment, preying on greed, fear, and desperation. Cybercriminals have taken a page from that playbook and molded it to serve their nefarious purposes.
Today’s social engineers grow ever more sophisticated in their quest to keep up with and defeat modern network security. So, how do you keep yourself, your employees, and your winery safe? In this article, we’ll examine the most common techniques and how to spot and defeat them.
Phishing: A common technique we fall for daily
Phishing is the most common social engineering technique. The attacker sends an email or text posing as a trusted source, such as your bank, a vendor, a personal contact, or a shipping company.
Their objective is to gain your trust so that they can easily convince you to give up sensitive information or click on a link they’ve provided to give them access to your device.
This attack preys on human nature, and everyone is at risk – even those you would expect to have both top-notch security and a jaundiced eye. These emails and texts look credible, and few of us take the time to verify if the message was sent from a valid source. However, it’s important to take the time to spot the red flags.
Here are some things to look for:
- A sense of urgency. Often, you’ll be urged to do something immediately, or you or someone you care about will be in trouble.
- A generic greeting. Instead of being addressed by name, you’ll see “Dear customer,” “Hi,” or something equally nonpersonal.
- You’re urged to click on a link. Just don’t do it. This method is common in both texts and emails.
- A suspicious domain name. The email claims to be from your bank, but the address it was sent from uses a free webmail domain such as Gmail, Outlook, or Hotmail.
- You’re being asked for money.
- Spelling and grammatical errors. These can happen in many places. For example, you’ll get an email from your friend, Mary Smith. You just glance over the name, but if you look at it closely, you’ll notice that Mary is spelled “Mery,” or Smith has an “e” at the end.
Most phishing attempts prey on fear and depend on your sense of urgency to solve a problem. Unfortunately, those types of emails are the ones most people click on.
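The red flags above can be turned into simple automated checks. The following is an added example written for this article, not code from the article's author or from any vendor product: each red flag becomes one check, and the checks run over three constructed sample messages (a fake bank alert, a lookalike "Mery Smith" asking for money, and a genuine note from the real Mary Smith). The message layout, the contact list, and the phrase lists are assumptions made for this example; the last check also goes slightly beyond the text by flagging a known contact's name arriving from an address that is not the one on file.

```python
"""Score an incoming message against the phishing red flags listed above.

Added example, not from the article or any vendor product: each flag in the
list becomes one simple check, run here over three constructed sample
messages. The message layout (from_name, from_addr, subject, body), the
contact list and the phrase lists are assumptions made for this example.
"""
import re
from difflib import SequenceMatcher

# Free webmail domains that a bank or vendor should never send from (assumed list).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Words in a display name that claim an institutional sender (assumed list).
INSTITUTION_WORDS = {"bank", "support", "billing", "irs", "delivery", "fedex", "ups"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "act now", "urgent")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "hi,", "hello,")
MONEY_PHRASES = ("wire transfer", "gift card", "send money", "payment is overdue", "pay now")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def red_flags(msg, known_contacts):
    """Return the red flags raised by one message, in a fixed order.

    msg: dict with keys from_name, from_addr, subject, body.
    known_contacts: dict mapping a trusted display name to its real address.
    """
    flags = []
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    body = msg["body"].lower().lstrip()
    from_name = msg["from_name"]
    from_addr = msg["from_addr"].lower()
    domain = from_addr.rsplit("@", 1)[-1]
    name_words = set(re.findall(r"[a-z]+", from_name.lower()))

    # 1. A sense of urgency.
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency")
    # 2. A generic greeting instead of your name.
    if any(body.startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic_greeting")
    # 3. You are urged to click a link.
    if URL_RE.search(msg["body"]):
        flags.append("contains_link")
    # 4. An institution writing from a free webmail domain (whole-word match,
    #    so "First" does not trip the "irs" word).
    if domain in FREEMAIL_DOMAINS and name_words & INSTITUTION_WORDS:
        flags.append("institution_from_freemail")
    # 5. You are being asked for money.
    if any(p in text for p in MONEY_PHRASES):
        flags.append("asks_for_money")
    # 6. A near-miss spelling of a name you know ("Mery" for "Mary"), or a
    #    known name arriving from an address that is not the one on file.
    for name, addr in known_contacts.items():
        if from_name == name:
            if from_addr != addr.lower():
                flags.append("known_name_new_address")
            break
        if SequenceMatcher(None, from_name.lower(), name.lower()).ratio() >= 0.8:
            flags.append("lookalike_sender")
            break
    return flags


KNOWN_CONTACTS = {"Mary Smith": "mary.smith@example.com"}  # constructed contact list

SAMPLE_MESSAGES = [  # constructed samples, not real mail
    {"from_name": "First Valley Bank Support", "from_addr": "fvbank.alerts@gmail.com",
     "subject": "Urgent: action required",
     "body": "Dear customer,\nYour account will be suspended within 24 hours unless you "
             "verify it at http://fvbank-verify.example/login\n"},
    {"from_name": "Mery Smith", "from_addr": "mery.smith.1982@hotmail.com",
     "subject": "quick favor",
     "body": "Hi Tom, I'm stuck at a conference and need you to send money by gift card "
             "today. Thanks, Mary"},
    {"from_name": "Mary Smith", "from_addr": "mary.smith@example.com",
     "subject": "Harvest dinner",
     "body": "Hi Tom,\nAre you still coming to the harvest dinner on Saturday? Mary"},
]


def triage(messages, contacts):
    """Map each message subject to the list of flags it raised."""
    return {m["subject"]: red_flags(m, contacts) for m in messages}


if __name__ == "__main__":
    for subject, flags in triage(SAMPLE_MESSAGES, KNOWN_CONTACTS).items():
        print("%-24s %s" % (subject, ", ".join(flags) or "no flags"))
```

Run as a script, it reports four flags on the fake bank alert, two on the "Mery Smith" request (money plus a lookalike name), and none on the genuine message. Phrase lists like these catch only the crude cases; the point of the exercise is that the checks a person is told to make by eye map directly onto checks a mail filter can make for them.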
Pretexting: warming you up, then coming in for the kill
In pretexting, an attacker creates a false scenario or identity to gain someone's trust and extract sensitive information from them. They may pose as a colleague, customer service representative, or even law enforcement. These attacks can come over the phone, in person, or over email.
Using a legitimate-looking message format and even real logos, the bad actor presents a convincing story designed to lull you into a false sense of security that puts them in a better position to launch a future attack. Because pretexting relies on persuasion rather than a forged sender address, it sidesteps security technologies such as Domain-based Message Authentication, Reporting and Conformance (DMARC) that block messages sent from fake email addresses.
While pretexting may seem similar to phishing, it is not so much an attack in itself as the setup for a future attack in which you are asked to hand over personal information such as credit card numbers and passwords, send money, or download malware. Some common techniques include:
- Pretending to be a loved one who needs money.
- Using catfishing to form a long-term relationship that includes making many large requests for money or goods.
- Masquerading as a potential employer requesting personal information such as a social security number or bank account information.
- Posing as an IRS agent and demanding immediate payment of overdue taxes.
- Pretending to be someone who works for a credit card company and asking you to confirm your account details.
This technique is especially effective over the phone. As KnowBe4 Chief Hacking Officer Kevin Mitnick says, criminals will attempt to create a “trust sandwich.” Humans tend to remember the beginning and end of conversations, but rarely the middle. So, social engineers strategically place sensitive questions in the middle of the conversation to reduce the likelihood of you remembering them later.
Throughout the call, criminals will elicit information from you by taking guesses about your life. For example, they may say, “And your credit card is Visa, correct?” If you are unaware of this tactic, you will likely confirm this guess if it’s true or correct it if it isn’t. Either way, the attacker is getting more information they want.
Do not fall victim to the “trust sandwich.” Be extremely particular about whom you give your personal information to over the phone, and never give out private information to an incoming unknown caller, emailer, or texter.
Baiting: simple yet deadly
Perhaps the simplest attack is baiting, a highly effective technique because it exploits our natural curiosity.
Attackers intentionally leave infected USB drives in common places like a company parking lot, an elevator, the bathroom, etc., and wait.
If you found a USB on the tasting room floor, what would you do first? Most people would plug it into their computer to find out what’s on it and to whom it belongs.
Unfortunately, curiosity probably just infected their computer with malware, ransomware, or perhaps something even nastier that will cost them and/or their company immensely.
As a general rule of thumb, NEVER insert unknown devices into your computer. We all know that curiosity killed the cat. Don’t let it be the reason your identity gets stolen, or your winery loses six months’ profits.
Spear phishing: small but mighty
Spear phishing attacks made up only 0.1% of all email-based attacks in 2022 but were responsible for 66% of breaches. This type of phishing attack targets specific individuals or organizations with malicious emails. The goal? To steal login credentials and other sensitive information, or to infect the target’s machine with malware.
Spear phishing is so effective because hackers really do their research. They become experts at crafting and personalizing messages, so they appear completely legitimate.
These attacks once again take advantage of human nature, including a desire to help, deference to authority figures, and our natural curiosity. Defeat a spear phishing attempt by checking the sender's email address and name for errors, and don’t click on any links without verifying their authenticity.
Identify the link's legitimacy by hovering over it to see the complete address. Don’t click on it if it looks suspicious. Be sure to scan all attachments with anti-virus software.
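Hovering over a link shows whether the address it really points to matches the address it appears to show. The following is an added example, not code from the article or from Endsight: it parses the anchors out of a constructed HTML email body and does the same comparison automatically, flagging a link whose visible text names one host while its target is another (the classic case where the real bank's name is buried inside a longer attacker-controlled hostname). The sample body and the trusted-domain list are constructed for this example.

```python
"""Check the links in an HTML email body the way hovering over them does.

Added example, not from the article: it extracts each anchor from a
constructed HTML body and compares the host the visible text claims against
the host the href actually points to. Sample body and trusted-domain list
are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that looks like a URL or bare domain, e.g. "www.bank.example".
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase hostname of a URL or bare domain string, or '' if none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _same_site(host, site):
    """True when host is site itself or a subdomain of it."""
    return host == site or host.endswith("." + site)


def inspect_links(html_body, trusted_domains):
    """Return one (visible_text, href, verdict) tuple per anchor."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = _host(href)
        shown_host = _host(text) if LOOKS_LIKE_URL.match(text) else ""
        if shown_host and not (_same_site(real_host, shown_host) or _same_site(shown_host, real_host)):
            # What you see is not where you go: the hover check fails.
            verdict = "MISMATCH: text shows %s but link goes to %s" % (shown_host, real_host)
        elif any(_same_site(real_host, t) for t in trusted_domains):
            verdict = "trusted"
        else:
            verdict = "UNKNOWN host %s" % real_host
        findings.append((text, href, verdict))
    return findings


# Constructed sample message: one disguised link, one genuine link, one shortener.
SAMPLE_HTML = """
<p>Dear customer, your password expires today.</p>
<p><a href="http://firstvalleybank.com.login-secure.example/reset">www.firstvalleybank.com</a></p>
<p>Or <a href="https://www.firstvalleybank.com/help">visit our help center</a>.</p>
<p>Track your parcel: <a href="http://bit.example/3xyz">Track shipment</a></p>
"""
TRUSTED_DOMAINS = ["firstvalleybank.com"]  # assumed allow-list for this example

if __name__ == "__main__":
    for text, href, verdict in inspect_links(SAMPLE_HTML, TRUSTED_DOMAINS):
        print("%-26s -> %-55s %s" % (text, href, verdict))
```

The first link is the one a hover would expose: the text reads `www.firstvalleybank.com`, but the target host is `firstvalleybank.com.login-secure.example`, where the bank's name is only a label inside someone else's domain. Matching on whole hosts, rather than on whether the bank's name appears somewhere in the URL, is what makes the check hold up against that trick.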
Establish the right mindset
Be suspicious – plenty of bad actors out there will steal everything from you without batting an eye. And remember that you can never be too safe with your information.
You can win this fight with training and knowledge. By partnering with a managed services provider committed to robust security and employee training, you can get ahead of hackers.
Endsight is an acknowledged leader in cybersecurity. Year after year, we’ve won a CRN Managed Service Provider 500 award in the Security 100 category. We provide complete technology support solutions to create optimal IT management and human-friendly technical support with cybersecurity experts that keep you one step ahead of attackers.
We take a multi-layered approach to security and know that firewall configurations, spam filtering, protocols, and advanced AI tools can only go so far. That’s why we also provide cybersecurity resources, such as ongoing training.
You can’t be too careful these days. Hackers are coming up with new social engineering ploys every second. It pays to have the right security technology in place and well-trained, attentive employees. Protect your winery from cybercriminals. Reach out today.