Inside the Hacker’s Mind – Social Engineering
Dr Jack Wadey
What is it?
Social engineering is a method employed by bad actors or “hackers” to manipulate or deceive individuals into sharing personal or confidential information. A social engineering attack does not necessarily have to involve computers. Have you ever held the office door open for someone you did not recognise, or allowed access to someone in a high-visibility vest? Bad actors take advantage of exactly these habits to gain physical access to private or restricted areas. They exploit human nature and our conditioned behaviours: being polite, friendly and helpful.
What is the easiest way to gain access to someone else’s home? Short of them leaving the door unlocked, the easiest way would be to obtain the key. The same holds true for a network or online account. If bad actors can ‘trick’ you into giving them your login information, then the computer systems believe that they are you. This is why phishing attacks, the most common form of social engineering attacks, are so prevalent. Bad actors send out thousands of phishing emails and there is a high chance that at least one person will click the link, giving them access to potentially confidential data.
Once bad actors have access to an account, they can create backdoors (methods of access that bypass the normal security controls), monitor emails and other network traffic, or download malware onto the system. Most invoice redirect or payment diversion frauds happen this way. Bad actors gain access to an email account and quietly monitor the emails sent and received. Once a legitimate invoice has gone out, they send a follow-up email, purporting to come from the same sender, advising that the bank account details have changed. Because the request arrives in an existing, genuine thread, it is far more convincing than a cold phishing email.
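The payment diversion flow described above is one a mailbox or finance team can screen for. The following is an added example (not code from the original article or from Canopius): it runs three constructed sample messages through a checker that flags any request to change payment details, a Reply-To domain that differs from the From domain, and domains that merely look like a known supplier's. The supplier domain, the sample messages and the phrase list are all assumptions made for the illustration.

```python
from email.utils import parseaddr

# Constructed sample messages for the example (not real correspondence).
# The third message uses a digit "1" in place of the "l" in "supplies";
# the second uses a capital "I" in the Reply-To address.
SAMPLE_EMAILS = [
    {
        "from": "Accounts <accounts@acme-supplies.example>",
        "reply_to": "",
        "subject": "Invoice 1042",
        "body": "Please find attached invoice 1042. Payment terms 30 days.",
    },
    {
        "from": "Accounts <accounts@acme-supplies.example>",
        "reply_to": "accounts@acme-suppIies.example",
        "subject": "RE: Invoice 1042 - updated bank details",
        "body": "Our bank account details have changed. Please remit to sort code 12-34-56, account 87654321.",
    },
    {
        "from": "Accounts <accounts@acme-supp1ies.example>",
        "reply_to": "",
        "subject": "RE: Invoice 1042",
        "body": "Kindly update our new account number before paying.",
    },
]

# Assumed list of suppliers whose invoices this mailbox expects.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example"}

# Assumed phrase list; a real deployment would tune this to local wording.
PAYMENT_CHANGE_PHRASES = (
    "details have changed",
    "updated bank details",
    "update our bank",
    "new account",
    "new bank",
    "remit to",
)

# Crude homoglyph folding so that "supp1ies", "suppIies" and "supplies" compare equal.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o"})


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an RFC 5322 address, or '' if none."""
    _, email = parseaddr(addr)
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def fold(domain: str) -> str:
    return domain.lower().replace("rn", "m").translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domains are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, known: set) -> bool:
    """True if domain is not a known supplier but folds to, or is within two edits of, one."""
    if domain in known:
        return False
    return any(fold(domain) == fold(k) or edit_distance(domain, k) <= 2 for k in known)


def assess(msg: dict) -> list:
    """Return a list of human-readable reasons the message deserves out-of-band verification."""
    reasons = []
    sender = domain_of(msg["from"])
    reply = domain_of(msg["reply_to"]) if msg["reply_to"] else sender
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(p in text for p in PAYMENT_CHANGE_PHRASES):
        reasons.append("requests a change of payment details")
    if reply != sender:
        reasons.append(f"Reply-To domain {reply} differs from From domain {sender}")
    for d in {sender, reply}:
        if is_lookalike(d, KNOWN_SUPPLIER_DOMAINS):
            reasons.append(f"{d} looks like a known supplier domain")
    return reasons


if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        print(msg["subject"], "->", assess(msg) or "no flags")
```

The domain checks only help when the fraudster is using a lookalike or a different reply address. When the supplier's own mailbox has been compromised, as the article describes, the From and Reply-To domains are genuine and the only signal is the request itself, which is why the first flag alone should be enough to trigger a phone call to a number already on file, never one taken from the email.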
Novel Coronavirus or COVID-19 Concerns
As COVID-19 spreads across the world, more and more people are working from home and logging in to their work environments remotely. Bad actors use uncertainty and fear to prey upon people, and take advantage of unfamiliar new systems and processes. Again, this is just another form of social engineering.
The National Cyber Security Centre (“NCSC”), a part of GCHQ, issued advice on 16 March 2020, which informed individuals that malicious websites might use COVID-19 to attract and encourage potential victims to click on malicious links [1].
There are a number of social engineering attacks relating to COVID-19 that have already been reported. Action Fraud has indicated that victims have lost over £800,000 due to attacks mentioning Coronavirus or COVID-19 since February 2020 [2].
How can we protect ourselves?
One key defence is multi-factor authentication. Multi-factor authentication requires a user to present two or more different kinds of evidence to gain access to an account. Most implementations follow the ‘something you know, something you have’ model. For example, this could be a password (something you know) and a one-time code sent to your mobile device by text message, or generated by an authenticator app (something you have). If you enable multi-factor authentication, then even if bad actors discover the password, they still have to obtain the current one-time code, which changes every time. Codes sent by text message can still be captured by a convincing real-time phishing page or by a SIM-swap, so where the service offers it, an authenticator app or a hardware security key is the stronger choice.
Another way to protect yourself is never to reuse passwords across multiple accounts and devices. A common attack, known as credential stuffing, is for bad actors to take account details leaked in an earlier breach and try the same username and password combinations against many other websites and services; every account where the password was reused is then compromised as well.
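Credential stuffing has a recognisable shape in authentication logs: one source address trying many different usernames in a short burst, most of them failing. The following is an added example (not from the original article) of a detector run over a handful of constructed log lines. The log format, the one-minute window and the threshold of five distinct usernames are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not real logs). The first source
# cycles through six usernames in four seconds and gets one success; the second
# is a single user mistyping their own password twice before getting it right.
SAMPLE_LOG = """\
2020-03-20T09:00:01 auth failed user=alice ip=203.0.113.7
2020-03-20T09:00:02 auth failed user=bob ip=203.0.113.7
2020-03-20T09:00:02 auth failed user=carol ip=203.0.113.7
2020-03-20T09:00:03 auth failed user=dave ip=203.0.113.7
2020-03-20T09:00:03 auth ok user=erin ip=203.0.113.7
2020-03-20T09:00:04 auth failed user=frank ip=203.0.113.7
2020-03-20T09:05:00 auth failed user=alice ip=198.51.100.9
2020-03-20T09:05:30 auth failed user=alice ip=198.51.100.9
2020-03-20T09:06:00 auth ok user=alice ip=198.51.100.9
"""

LINE = re.compile(r"^(\S+) auth (ok|failed) user=(\S+) ip=(\S+)$")


def parse(log: str):
    """Yield (timestamp, ok, user, ip) tuples; lines that do not match the assumed format are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, outcome, user, ip = m.groups()
            yield datetime.fromisoformat(ts), outcome == "ok", user, ip


def detect_stuffing(log: str, window: timedelta = timedelta(minutes=1), min_users: int = 5) -> dict:
    """Flag source IPs that attempt at least `min_users` distinct usernames within `window`.

    A single user failing a few times from one address (a forgotten password) is
    not flagged; many different usernames from one address is the stuffing signature.
    For each flagged IP the result lists the accounts where a login succeeded, since
    those are the ones whose reused password has just been confirmed."""
    by_ip = defaultdict(list)
    for ts, ok, user, ip in parse(log):
        by_ip[ip].append((ts, ok, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, _, u in burst}
            if len(users) >= min_users:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(burst),
                    "compromised": sorted(u for _, ok, u in burst if ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

In practice the flagged IP would be rate-limited or blocked and the accounts listed under `compromised` would have their sessions revoked and a password reset forced, since the attacker has just proved that a password leaked elsewhere still works here.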
Finally, if all the protective measures fail, cyber insurance is available to assist with the remedial effort. Most cyber insurance policies offer an incident response service, through which expert IT forensics firms, law firms and other support providers are available to investigate the incident, secure your systems and ensure that any regulatory obligations, such as breach notification, are met.
Dr. Jack Wadley is a cyber claims specialist at Canopius insurance company.
[1] https://www.ncsc.gov.uk/news/cyber-experts-step-criminals-exploit-coronavirus
[2] https://www.actionfraud.police.uk/alert/coronavirus-scam-costs-victims-over-800k-in-one-month