Dispelling some Myths about Hackers and Social Engineering
There is a large cohort of users who believe that hackers are just like the person in the above picture. A lone-wolf who hacks for fun, for a cause and sometimes for profit. While this type of hacker does exist, they are in the minority. Most hacking is now executed on an industrial scale by cyber-criminals who use business processes not too different from legitimate businesses.
“Social engineering only happens in the movies.”
Many people perceive the social engineer as a slick-talking fraudster who persuades people into revealing passwords or giving them remote access to their computer over the phone. Yes, this does happen, but most social engineering attacks are highly automated, targeting websites, collaboration platforms, email, cloud services, SMS messages and social media. A user clicking on a malicious pop-up ad, or accessing their VPN or Gmail account through a fake portal, are both examples of social engineering. It happens every day, and social engineering ploys are becoming more sophisticated. Just when users believe they have seen it all before, the social engineers have already upped their game with a more credible ploy.
“Our firewall will protect us.”
Firewalls don’t protect your organisation from social engineering. Social engineers get end-users to unknowingly run malicious executables themselves, so the traffic the firewall sees is initiated by a legitimate user from inside the network. Cases abound of high-profile organisations with highly sophisticated technical defences being compromised by human error or social engineering attacks.
“No one would want to target us…”
Many executives believe that, due to the nature of their organisation’s work, “no one would want to target us”. This can prove to be a dangerous assumption. As Robert Mueller, the former FBI director, said, “There are two kinds of companies – those that have been hacked and those that don’t know that they have been hacked.” Whilst cyber-criminals do go after specific industries, in recent years they have adopted “spray and pray” methodologies in which they indiscriminately target unsuspecting organisations or businesses.
“Fake emails are easily spotted…”
Another common misconception is that fake emails (phishing emails) and other social engineering scams are easily spotted. The evidence, however, suggests otherwise. CEOs, politicians, journalists and even the most security-conscious staff from organisations such as Google and the Pentagon have all been duped by authentic-looking phishing emails. Popular lures include URL links that purport to be from popular services such as Outlook Web Access, Dropbox, DocuSign, Office 365, SharePoint and LinkedIn. The graphical style of popular websites and collaboration tools is emulated in exact detail. And just when users think that they can readily identify phishing attempts, even more sophisticated campaigns are deployed by hackers.