Social Engineering Attack Methods

by Greg Wilson

Head of Information Security, 1st Global

While computer system breaches are often carried out through technical means, there are other methods hackers can use to gather information through manipulation — especially social engineering.

Social engineering is another way for hackers to take advantage of unsuspecting individuals. This method is less technical: instead of exploiting software, it relies on human interaction and deception to obtain valuable information that can help these hackers break into systems. Social engineering attacks can occur in a number of ways, including the following:

Phone calls — Always be leery of someone calling you to inform you about a security breach. In fact, it’s highly unlikely that anyone will call you to inform you that you’ve been breached. This should be a red flag that you should not give any information to that individual, and do not execute any commands he or she asks you to perform, especially if the command ends in “.exe.” If someone calls you about a breach, hang up the phone, and do not speak with that individual. If he or she claims to be calling from a business with which you have a relationship, hang up the phone, and call the business back from the number on your statement so that you know exactly with whom you’re speaking. And always be careful when having conversations with vendors over the phone because sometimes hackers will call pretending to be vendors and request information from you. There have been instances of law enforcement identifying that a company’s data has been found on the “dark web,” but always confirm the caller’s legitimacy before disclosing any sensitive information.

Desk hovering — Many people often have conversations around other people’s desks, especially in more open office spaces. Be careful about the information you share with others when people are standing near your desk. Take special caution if you notice anyone hovering in the area surrounding your desk or cubicle. This is often a tactic used by social engineering experts to gather information when they are in earshot of conversations they aren’t necessarily part of. This is also an opportunity for shoulder surfing, which allows someone to take note of codes, passwords or other secure information simply by looking over another person’s shoulder. Be sure to shield your keyboard or any paperwork on your desk from view if you notice anyone lingering near your workspace.

Visitors — When people visit your office, there should be a specific protocol on security to ensure the validity of their purposes for being there. All employees should be required to have ID badges with their pictures on them, and it is recommended that there are distinctive visitors’ badges for individuals who are not on staff. All visitors should also be escorted to the people or departments they are visiting in order to ensure they are not wandering or gathering information from places they should not be.

Following — Along with visitors, be cautious about allowing others whom you don’t know to follow closely behind you, particularly when entering secured areas. While we often hold doors for people or allow them to come in right behind us without using their badges when going into secure buildings, it’s not a safe practice because it gives unauthorized individuals access to places and information they should not have.

Baiting — Sometimes hackers will leave malware-infected devices (e.g., USB flash drives) where they know these devices will be found. When someone finds one and plugs it into his or her computer without much of a second thought, the malware is installed on that workstation, giving the attacker a foothold that can be used to gather the valuable information they are after.

Using available information — It’s important to be careful about what information you divulge and where you do so. Social media allows people to be open books, and they often give away too much information without thinking about it. For instance, though many women like to put their maiden names on their Facebook pages so that they can catch up with friends from their pasts, this is not always a safe idea, especially if your maiden name is the answer to one of your security challenge questions. This can provide hackers with too much information, allowing them to breach your accounts and steal what they’re looking for. Additionally, some online job descriptions on company sites or job posting sites get too specific and tell hackers which systems these businesses use, which once again gives those attackers an open door to breaching opportunities. If it’s online, anyone can see it, so always be cautious of what you post before you post it.

While we may never be completely free of others trying to access our information, there are certainly measures we can take to protect ourselves, use in our firms and pass along as advice to clients:

  • Don’t send anything sensitive or confidential in an unsecured manner.
  • Don’t use a generic mailbox to send sensitive documents — send these to a secured location where the documents must be picked up by the recipient.
  • Don’t use the same password for your work or sensitive transactions and for common transactions, such as on social media.
  • Avoid conducting business transactions on the same computer your family members use for Web surfing or general purposes.
  • Have procedures in place to let your clients know that when certain transactions (e.g., moving money, trades, etc.) are taking place, they will need to verbally verify that they made the request.
  • Keep your company’s shred bin locked, and use the cross-cut shredding method rather than the strip-cut method.

Social engineering is currently a great threat to organizations everywhere, so the more security measures you and your firm take to combat it, the more likely you are to avoid having your systems breached.

Greg Wilson is head of information security at 1st Global. Greg works to ensure 1st Global affiliate advisors, staff and systems are abiding by and adopting best practices in order to keep information secure.
