Social Engineering – You Are the Weakest Link

By erik on November 7, 2013

The most vulnerable point of access to your data isn’t a computer, but a human being

Cyber security has been a hot topic as of late, but few are discussing the fact that humans are actually the weakest link in the information security chain.

While hackers do employ some seriously powerful tools, it’s often just as easy to trick their targets into revealing too much information, or even unknowingly installing malware on their own systems.

For those of you new to the term, here are a few examples of social engineering tactics being used on the web today, from Concise Courses information security expert Henry Dalziel:

1. Social Networks

Having your Facebook account hacked can easily result in having a friend (who is a genuine friend of yours) asking for cash because their “wallet was stolen” whilst they were travelling. Clearly, receiving an email from a friend is exactly that: from a friend, so the barrier of trust is completely open.

2. “Someone has a secret crush on you! Download this app and find out who it is!”

This social engineering attack also comes from social networks like Facebook. Facebook applications are for the most part free from any malware or bad intent, but some still contain nefarious objectives. The wording of the app is all too important and needs to touch some fundamental human emotional buttons, because, as the title of this entry states, who wouldn’t want to know who had a “secret crush on you!”

The “I love you” computer worm that attacked millions of Windows personal computers May 5th 2000 started spreading as an email message with the subject line “ILOVEYOU” and the attachment “LOVE-LETTER-FOR-YOU.txt.vbs”. The success of this download was due to the wording.

3. “Click this link!”

On the same subject of effective copy to entice a social engineering attack, social engineers title an email to solicit an action – i.e. getting the user to “click here”. Again, the attacker’s ideal set-up is to have gained access to a user’s social account or email account. The inherent trust that you will have to open and click on a link from someone you know is second nature. Visiting an infected site or page from an email can install malware on your machine, either by a Java drive-by or another means. Another good example is the Twitter spam that we often receive which contains the subject “Did you see this video of you?”; again, it’s a play on words. See the 2nd “secret crush” scam and you’ll see how being able to connect on an emotional level will ensure a pretty decent success rate for the hackers.

4. Fake office IT Support

This is a pretty varied but very popular social engineering attack whereby someone pretends to be an IT Support Technician and offers to fix a “broken computer” or an “infected machine” that contains viruses and malware. All you need is confidence and authority in your voice and choice of words. Again, refer back to our Hacker Hotshots event with Chris Silvers and listen to some of the calls that he and his team made to solicit passwords and other sensitive information. In some extreme examples the attacker will actually enter the business and pose as an IT Technician. We learned about a technique called “tailgating” when we compiled our Concise Courses CompTIA Security+ Information Pack – it is actually a unit within section 3.0 Threats and Vulnerabilities of the syllabus. As the term suggests, tailgating is when an attacker attempting to access a building will purposely wait near an office lobby for real employees to enter the building with their genuine ID cards – as they open the door they politely hold it open for the attacker. Appearance is vital for this to work. Being dressed like an IT Technician would be for that particular organization will certainly greatly assist this particular social engineered scam.

5. Phishing lures

Receiving an email that claims that you have not paid for an item on eBay can very often solicit an action from an unsuspecting victim. You might think that that is a ridiculous scam that will not affect anyone, but as long as the attackers are sending out millions of messages like that, their success rate can be low but still profitable. Like several other social engineering attacks listed in this post, the eBay Phishing Lure Scam also works on a human emotion. eBay users are very aware of the impact of receiving negative reviews, therefore any message that arrives in their inbox from someone who seems to be from eBay will often result in an action being taken. When the user falls for this attack they can be sent to a spoofed eBay page that looks just like the real login page, with the user’s login information being captured and then used against them to withdraw funds etc. Withdrawing funds from eBay is often possible owing to the fact that many users’ login information for their eBay and PayPal accounts will be the same. One solution with this particular scam is to manually open up a browser and hit your account yourself – is there a message in your eBay inbox? If yes, then it is genuine. If not, then ignore your other message.

6. “You have been dismissed” or “Help victims of ‘fill in the blank’ natural disaster”

Social engineering tactics are becoming increasingly specific. Sending out blanket emails to hundreds of employees saying that regrettably their position at the organization has been terminated and that they must download a certain form etc. can have a decent success rate. Why? Because perhaps there was a rumour circulating that redundancies were inevitable owing to the financial crisis. Timing is everything with this scam.

Unfortunately, every time there is a natural disaster there is an associated social engineered attack. Again, as is consistent throughout this blog post, the natural disaster scam, along with the redundancy email, is associated with the human emotion of curiosity.

7. Hijacked Twitter hashtags

Social engineers just need to look at what is trending on Twitter to fabricate or hijack a hashtag that has an embedded link to a malware site or Java Drive-by.

With studies showing that under 1/4 of all organizations do any type of social engineering training at all, most targets are an easy slam-dunk for a skilled manipulator. Mark these words – as we base more and more of our operations around a digital model, preventing social engineering attacks from succeeding WILL gain traction as a must-have component of any crisis management plan.

——————————-
For more resources, see the Free Management Library topic: Crisis Management
——————————-

[Erik Bernstein is Social Media Manager for Bernstein Crisis Management, Inc. and editor of Crisis Manager]
