The Effect of Social Engineering on Cybersecurity

Sounds like a deep, complex issue, but it’s really pretty simple. Cyber criminals do not spend their time throwing around esoteric behavioral principles in discussions about how best to ply their crooked trade. They just know a sucker when they see one. The defense against that is both simple and complex: just don’t be a sucker.

What is social engineering in simple terms?

There are two definitions of social engineering, and only one of them is part of this discussion. The first is not. Oxford Languages' first definition is: “1. The use of centralized planning in an attempt to manage social change and regulate the future development and behavior of a society.”

The concern here is Cybersecurity. We are not going to get into social discussions about things like what pronouns we should use in referring to people.

What is up for discussion here is the second definition, which directly impacts network security. It is also from Oxford Languages: “2. (In the context of information security) The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” For example: "People with an online account should watch for phishing attacks and other forms of social engineering".

In essence, this definition describes an aspect of social engineering which can serve as a ‘sucker-making’ tool. It is the art of duping someone into doing something stupid – or not worrying about very real threats.

This type of social engineering is trickery based on human nature. It is designed to get you to do things that you should have thought about first – things which may or may NOT be in your best interests – or in the best interests of your company.

How does this affect the security measures put in place by your IT support? Simple: it thwarts them. There is no cyber-defense – no firewall or AV (Anti-Virus) that will keep an unthinking or untrained employee from being fooled into letting malware into your system.

Damage can be kept to a minimum by a good Managed IT Services provider. Here at ITFirm.com, we have certainly had clients who unwittingly clicked a malicious link, but our system contains the malware within that single workstation to prevent access to the larger network. This makes it a matter of an hour or two to remove the malware, wipe the workstation clean, and then reinstall the data from secure backups.

Many phishing scams simply appeal to a universal human weakness: Greed. “You’re a WINNER! Click on the link below to collect your winnings!” All those infamous scams from strangers who have tens of millions of dollars in accounts that are frozen – but with your five thousand dollars, they can free up the cash and repay you with a million dollars. Sadly, people really do fall for this garbage.

They often use a more sophisticated approach by finding key personnel in a business they plan to attack, poring over their social media, and coming up with a phishing ploy that makes the target think they know them. Crooks learn enough about you to exploit your human weaknesses, which are often benign. From Facebook, they can learn if you’re married, have children, or pets as well as their names – all vulnerable areas that can be exploited in phishing emails.

A while back, we saw a phishing email that was a particularly cruel and malicious attempt to get a married man to click on an attachment containing malware.

The email appeared to come from a legitimate law firm, stating that they had been retained by the man’s wife to initiate divorce proceedings. It informed him that the divorce papers were attached, but they were not divorce papers and his wife was not leaving him: It was Ransomware.

Suppose you get an email that appears to be from your child’s school, saying “There’s been an accident and we couldn’t reach you by phone - your child has been taken to the hospital below” – and there’s a link. This socially engineers you into an emergency state where you may not stop to think before you click. Do nothing until you call the school (NOT using any phone number from the suspect email).

At ITFirm.com, our clients usually know to stop, think, and forward the email to our IT HelpDesk. However, even with our urging for ongoing Security Awareness Training, human nature dictates that people get careless when they are busy or, as in the examples above, stressed. Any reputable member of the Charlotte IT Support Community knows that if an end-user makes a thoughtless click, all the firewalls and Anti-Virus (AV) in the world cannot prevent that workstation from becoming infected.

Frequently Asked Questions

Q: Is social engineering a cyber crime?

A: In and of itself, no – it is perfectly legal, in the same way that owning a car is not illegal. Using that car to purposely run over someone IS a crime. It’s a fine line – cyber crooks don’t play these games for no gain.

Q: What are the 4 types of social engineering?

A: The most common types of social engineering that affect the IT Services community are 4 different, yet similar tactics that all have the same end in mind: getting you to click on something you shouldn’t. Any suspicious email that meets these criteria should be forwarded to your IT support for analysis:
1) Baiting: This ploy uses a false promise or enticement that appeals to your curiosity or greed.
2) Phishing/Spear Phishing: These occur primarily through email and texting – usually masquerading as a legitimate source, like FedEx, your bank, the IRS, and so forth. These create a ‘call to action’: You must check the tracking on a FedEx package; change your password; verify your account number or Social Security Number, etc. There is always a link or attachment to click on – DO NOT CLICK!
3) Pretexting: This is also involved in the other three types of scams: The cyber crooks pretend to be someone they’re not: Trusted parties, your boss, your friend or relative. When your friend ‘Bob’ emails you with the subject line ‘I think you’ll get a kick out of this’ and provides a link – stop and think: Does Bob regularly send you this type of thing?
4) Scareware: These are meant to cause alarm. One of the most common is ‘Your computer may be infected. Click here to remove the virus.’ NO – the truth is that you click there to GET the virus.
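As an added example (not code from the original post or from ITFirm.com), here is a small Python triage script that applies the four cues above to a suspicious email before it is forwarded to IT support: it records the sender's display name and real domain, looks for the call-to-action, bait, pretext and scareware phrasing described above, flags risky attachments, and catches links whose visible text shows one domain while the real target is another. The cue phrases, the risky-extension list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Cue phrases for the four tactics described above; extend them per environment.
CUES = {
    "baiting": ["winner", "winnings", "prize", "free gift"],
    "phishing": ["verify your account", "change your password", "tracking",
                 "social security", "taken to the hospital"],
    "pretexting": ["get a kick out of this", "i need you to", "wire transfer"],
    "scareware": ["may be infected", "remove the virus"],
}
RISKY_EXT = (".exe", ".js", ".scr", ".zip", ".docm", ".html")  # assumed list
HREF_RE = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>([^<]*)</a>', re.I)
DOMAIN_RE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:[/:]|$)", re.I)

def host(s):
    # Domain in a URL or in link text like 'www.fedex.com/tracking';
    # '' for plain words such as 'click here'.
    m = DOMAIN_RE.match(s.strip())
    return m.group(1).lower() if m else ""

def triage(raw):
    """Collect red flags from one raw RFC 822 message for help-desk review."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    flags = {"display_name": name, "sender_domain": addr.split("@")[-1].lower(),
             "tactics": set(), "link_mismatch": [], "attachments": []}
    body = ""
    for part in msg.walk():  # a single-part message yields just itself
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXT):
            flags["attachments"].append(fname)
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    low = body.lower()
    for tactic, phrases in CUES.items():
        if any(p in low for p in phrases):
            flags["tactics"].add(tactic)
    for href, text in HREF_RE.findall(body):  # domain shown vs. real target
        if host(text) and host(text) != host(href):
            flags["link_mismatch"].append((text.strip(), href))
    flags["suspicious"] = any(flags[k] for k in ("tactics", "link_mismatch", "attachments"))
    return flags

# Constructed sample modelled on the FedEx-style call-to-action described above.
SAMPLE = """From: "FedEx Delivery" <notice@fedex-tracking-alerts.example>
Subject: Action required
Content-Type: text/html

<p>Your package is on hold. Check the tracking at
<a href="http://198.51.100.7/track">www.fedex.com/tracking</a> now.</p>
"""
```

The output is a starting point for the help desk, not a verdict: a message with no flags still deserves the "call the sender on a known number" check the post recommends.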

Q: Why do employees need to be trained in cyber awareness?

A: It is the most effective tactic to reduce cyber incidents. No matter how well prepared your IT team is – an employee that unwittingly triggers an attack stops all productivity for a period of time – even if only at the one affected workstation.

Q: How often should user awareness training be done?

A: The most common interval, once a year, is insufficient. To allow for the highest standards of Cybersecurity, ITFirm.com, along with The Advanced Computing Systems Association (USENIX), recommends that Security Awareness Training be repeated every 4 months.

How Secure is your network?

As a longstanding, reputable member of the Charlotte IT Support community, ITFirm.com offers a FREE, no-risk network and Cybersecurity assessment. We perform a non-intrusive scan that allows us to deliver a comprehensive report of the state of your system and its vulnerabilities that is yours to keep. There are no strings attached, and you are under no obligation to ever use our Managed IT Services.

The two best defenses are next-generation Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider to ensure continued reliability and defenses against newly emerging threats.

We put our 100% Money Back Guarantee in writing, so there is no risk in trying us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.

Among the Managed IT Services we provide:

IT HelpDesk Service
Onsite IT Support
Cybersecurity
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)

Planning an Office Move?

Contact us today! We have the experience to ensure a seamless transition. After the move, your employees will arrive at the new location to find their IT infrastructure ready and open for business!
For more information on office moves, or to receive your FREE no-risk network and security assessment, just fill out the form on this page or call us at:
704-565-9705