Since so many of us like to dress up on Halloween and pretend to be something scary or something we’re not, I thought it would be fun to reflect on the kinds of hacks that are scary, like to dress up in costumes and pretend they are something that they are not.
Robert S. Mueller III, Director, Federal Bureau of Investigation, famously said, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
The Question Is, How?
How will you be hacked? Will it be (1) a technical hack using sophisticated decryption tools and super cyber weapons, or (2) a socially engineered hack in which you unwittingly bend to a hacker’s wishes? Considering what most people do for a living and where most people work, I’m going with number two.
Recently, CIA Director John Brennan was the victim of a socially engineered hack. A self-described “kid” manipulated a few flaws in a few companies’ security protocols (not systems) and was able to change the Director’s AOL email password and seize control of his account. Director Brennan said, “What it does is to underscore just how vulnerable people are to those who want to cause harm and the social engineering that goes on and the manipulation of the system allows individuals to carry out criminal activities against US citizens.”
After you get past the idea that the Director of the CIA has an active AOL email account (was his screen name firstname.lastname@example.org?), you realize that everyone, including you and me, is vulnerable.
Here’s a quick list of popular social engineering hacking techniques and what you can do to protect yourself against them.
Hack #1 — General Social Engineering – If you are checking out on an obscure website and the site asks you to “confirm” the last four digits of your social security number, you’re about to be hacked. No commerce site needs your social security number, not even the last four digits. The request will look innocuous, you’ll be busy purchasing two tickets to see the new Star Wars movie in IMAX 3D, and you’ll be one step closer to having your credit card spoofed or worse. Countermeasures — Don’t give up more information than is absolutely necessary.
Hack #2 — Phishing – the act of defrauding an online account holder of financial information by posing as a legitimate company. Got an email from Amazan.com? Yeah, that’s not Amazon. Look closely. Thanksgiving Day is one of the heaviest phishing days of the year, because fewer people who are paid to protect you from phishing attacks are working. But you might be incentivized by World Series tickets or football tickets or anything that reaches the status of “cultural phenomenon.”
There’s a reason Gmail sent that email to your Spam or Promotions folder. Leave it there. If you didn’t ask for it, don’t click on it! There’s no reason to give out your financial info because a scammer decided to send you a halfway decent-looking email. Countermeasures — Carefully, carefully, carefully check who emails are from. If you’re not sure about a sender, it’s best to avoid that email and deal.
Hack #3 — “Scammer Grammar” and General Scamming Behavior – If a website features many misspellings and grammatical errors, be wary. No company that genuinely wants your business will rush to put up a listing that looks like it was typed by a third grader. In fact, the typos are there on purpose. If you miss them, you’re probably just stupid enough to fill in the rest of the form or click something you shouldn’t. Typos are a gigantic red flag – heed the warning.
Beware of sites that require payment via wire transfer, or that require you to act immediately to secure the product. Consumer Affairs says, “Beware of ‘act now’ offers that tell you the seller is a soldier needing cash for possessions before deploying to a war zone or a recent divorcee wanting to unload her former husband’s belongings. These tactics are often bait to empty your wallet. Most of the time the items don’t even exist.”
Another big scam is the auction follow-up email hack. If you miss out on an auction or timed deal, ignore follow-up emails with the same offer. Scammers love to track auction sites and contact losing bidders to direct them away from secure buying environments. If you lose an item, move on to another auction. Countermeasures — Don’t shop on sites that look like they were designed by practitioners of phonetic writing or sites that would have looked awesome in 2004.
Hack #4 — Fake Ads – Inauthentic ads re-direct you to places you shouldn’t be, or may install malware or unwanted software on your computer.
Everyone’s looking for the best deals, so cyber criminals love to release fake ads that trick you into visiting sites you otherwise wouldn’t visit. If you want to find great deals, go directly to reputable websites, whether they’re vendors (Best Buy, Amazon, Walmart) or trusted third-party aggregators.
To protect yourself against phony ads, don’t change up your browsing habits. Go directly to websites instead of through Google. Walmart isn’t selling a 60” HDTV for $97. If by some miracle that’s a real sale, you’d better believe it’s going to be front and center on Walmart.com. Countermeasures — Don’t search for phrases like “best Black Friday deals.” Don’t shop on websites you’ve never heard of.
Hack #5 — Site Swap – Ambitious scammers build entire fake sites that look shockingly similar to popular retailers. This is a more complicated hack, and sometimes the most convincing – so pay attention. You will almost always get to a fake site through a search engine or a mistyped URL. But sometimes fake sites are used in combination with email hacks. The most sophisticated versions are single pages that actually link to the real sites so the information request looks more legitimate.
If you’re not sure about a link, there are a few great resources at your disposal. Sites like Where Does This Link Go will show you exactly where a suspicious short link goes. Still not sure? It’s probably fake. Move on. The chance of landing a great deal is not worth credit card fraud or a credit score hit. Countermeasures — Go directly to retailers’ sites, rather than through search engines. Don’t click on links from any email you can’t verify.
Sufficiently armed with countermeasures? I hope so. Social engineering is probably the biggest cyber security threat and also the hardest to stop. We’re all just people, and we use the Internet. Unfortunately, so do the bad guys.