5 Seemingly Innocent Social Engineering Hacks

The hackers of today are getting personal, thanks to the rise in social engineering hacking. This technique includes the “phishing” scams you see on the news, and it has the potential to lure even clever, web-savvy employees into a trap of revealing personal or company information. This is much more common than we think — according to Wired, up to 90% of hacks involve a user voluntarily offering information a hacker needs to gain unauthorized access.

One of the reasons social engineering hacking is so effective is that it doesn’t seem nefarious in the moment. Hackers know banks and companies have secure IT infrastructure, and that the weakest and easiest point of entry is often a human who can provide an accidental entryway. The tactics adopted by social engineering hackers are simple yet brilliant, taking advantage of human behavior to ensnare even informed users.

1. Creating Fake Wi-Fi Networks
With more cities and public areas offering free Wi-Fi zones, and with our constant need to be connected to the internet, this is an easy catch. Hackers may set up a fake Wi-Fi access point that doesn’t require a password, and wait as people attempt to connect to the free internet. Once people have connected, their traffic passes through equipment the hacker controls, and they are vulnerable. This is a common technique regularly discussed on various hacker forums.

2. Downloading Malware
This hack happens when you think you’re downloading one thing but are in reality downloading another. It has been around as long as the internet has, and it relies on deception. It’s easy for employees to slip into autopilot and open an innocuous-looking attachment or download link that comes their way. Hackers can take advantage of this by sending malware disguised as an essential piece of workplace information. Employees should always be wary of what they’re downloading, and should avoid installing unknown applications from the web.

3. Phone Number Access
Cryptocurrency users are some of the latest users to be hit by a spate of cyberattacks. In these cases, hacks have not required cracking complex web infrastructure — in fact, it’s often as simple as gaining access to a single phone number. By coercing a customer service agent into providing that number, hackers can easily redirect calls and SMS messages to a phone of their own. From there, it’s easy to fool two-factor authentication measures — used by sites such as Google and Facebook — into believing that the hacker is you. Forbes outlines the cost of losing your telephone number, especially when you’ve got millions of dollars in irreversible currencies like bitcoin. The next time you hear about a hack accessing telecom information, you may want to pay more attention.

4. Masking One Cyber Attack With Another
Two-tiered attacks are becoming increasingly popular with hackers. This technique involves hackers creating a technical problem — disabling your company intranet, for example. Once that issue has been identified by an employee, a hacker will call or send an email pretending to be from the IT department, using his or her inside knowledge of the problem to gain legitimacy and trust. Employees eager to help may then hand over passwords or other sensitive information, which is used to carry out the real hack.

5. Confirming Partial Information
This form of “vishing” (hacks done over the telephone) tricks people into giving up partial password or bank information. By having victims offer just the first or last three characters of their mobile phone number, bank card, password, etc., hackers fool people into thinking their information is still secure. In reality, this partial information can be enough to trick a bank into releasing private data, or can be the first step in a hacker calling back months later to extract yet another piece of partial information until they have pieced together an entire login or bank number. The release of partial information has huge implications: just look at the ongoing probe into the effect of partial American Social Security numbers being released in the months leading up to the 2016 election.

What Can Your Company Do?
In today’s world of cybersecurity, the onus is on companies to educate their employees about the measures they must take to keep corporate information safe. Every employee should know not to give strangers the benefit of the doubt, and to flag any and all instances where someone asks for personal information. Data can help, too: deceitful hacks done over email make up 77% of social engineering hacks, meaning employees should be extra cautious of suspicious messages that land in their inbox.

Contracting the cybersecurity professionals at Sentek to create a risk management framework for your company is the first step in establishing a tough cybersecurity policy. Ultimately, the value of secure company data is worth more than any other price tag. Get in touch with us today to learn more about how we can help safeguard your company’s information.