Can humans be hacked?
Yes, but probably not in the way you think.
Security tools and technology have gotten so good at protecting us that cyber criminals have to resort to other methods – targeting the people behind the screens and information.
We can install software that identifies and stops viruses, we can encrypt data to protect it, we can set up alerts to flag unusual activity, but very often, it’s the people themselves that hand over the information cyber criminals need to get into our systems.
How, you ask? Cyber criminals trick us and manipulate us; in other words, they hack us.
What is social engineering?
Most social engineering attacks rely on direct communication between attacker and victim. Rather than using brute force methods to breach your data, the attacker persuades the target to compromise themselves.
Through the use of social engineering tactics, cyber criminals aim to get access to our information in order to cause disruption or to steal that information in exchange for money.
Social engineering has been around a lot longer than you might think, and it’s not exclusively an online threat. In fact, it comes in many forms.
What does social engineering look like?
In the most basic form, social engineering is a way for criminals to manipulate another person into doing something for them. Here are some examples:
- You’re walking into your office and a delivery person with a big, heavy box is walking behind you. You hold the door open because you want to help without realising you’ve just let a thief through the door.
- You get a call from your bank claiming someone’s gotten into your account and you need to move your funds to another ‘secure’ account before the ‘criminal’ steals all your money.
- You receive a message on social media from a friendly stranger who liked your latest post. The conversation turns into friendship or a romantic relationship and suddenly this person urgently needs your help.
- You get an email from a big retailer offering you a great deal! All you have to do is go to their website and fill out a form to enter to win… or is it their website?
Nearly all cyber attacks include some form of social engineering. Rather than hacking into your systems to steal your money or information, cyber criminals have figured out a way to get you to willingly give it to them.
Phishing, pretexting, smishing, baiting and tailgating are all social engineering techniques commonly used in cyber attacks.
How to recognise a social engineering attack and what to do next
These attacks can be difficult to spot, but there are some things we can look out for:
- You receive an unexpected call, email or message and it elicits a strong emotional reaction – fear, excitement, anger.
- You’ll usually be asked to take action urgently.
- It doesn’t follow the usual procedures – for example, you might get an unusual request from a ‘colleague’.
If you suspect an attack, you should:
- Be cautious before clicking on any links or downloading any attachments.
- Check the source: Take a moment to think about where the communication is coming from; don’t trust it blindly. If it’s someone you know, or an organisation you trust (like your bank), try to contact them directly, by calling their verified phone number, for example.
- Take a moment to think before you act.
- Remain calm: Because social engineering often plays on fears to induce quick action, one of the best ways to protect yourself is to remain calm when you receive a supposedly urgent or dire request.
- Inform your IT department.
How to help your team
Staying on top of all the latest threats is not easy, and employees need to be supported so they can do their jobs securely. You shouldn’t simply expect staff to understand security awareness; you need to make it easy for them.
Here are some steps that could help:
- Test the technical defences you have in place: check that they work as you expect, and if they don’t, fix them.
- Identify what the biggest risks are and what you need to prioritise.
- Meet employees where they are and keep communication two-way.
- Know your people better than the bad guys: look for breaks in patterns and offer support. Let people work the way they want to work and make it easy for employees to be secure.
According to Cisco, it’s also important to have clear security policies in place to help employees make the right decisions. Some examples include: having clear procedures around password management, using multi-factor authentication and implementing email security defences.
If you’re not sure about how to implement the steps above, book a free IT assessment to learn how we can help you secure your business.