Friday, February 12, 2016

Watch out for social engineering

I am continuing my series of posts on security topics of primary interest to businesses, as I mentioned in my first post on this blog. In this post, I focus on making sure you watch out for one of the most serious security threats facing businesses.

The news seems to mention a new data breach or a set of compromised identities affecting businesses almost every week or month. We all know we should pick good passwords, make sure we use secure websites for transactions (e.g. see my article on HTTPS), and follow other important security guidelines. But one of the main reasons these data breaches happen is an initial social engineering attack.

What's Wrong With Being Social?

The term social engineering refers to the technique of getting around security systems, not by breaking through or exploiting vulnerabilities in a system, but by exploiting the vulnerabilities in the humans using the systems. Generally, humans trust other humans, and attackers use that trust to circumvent our boundaries.

There are plenty of examples of social engineering. The most common is when you receive an email that seems legitimate but isn't. For example, the email says it is from your bank (something you trust) and that there seems to be a problem with your account. The email wants you to click on the link in the email to log in to your account, provide your username and password, and help resolve this issue. The link usually leads to an attacker's website that looks like the legitimate website. It is waiting for you to enter your username and password, and once you do, the attacker has your bank credentials.

Another example is the phone scam, where someone calls to say there is a problem with your company's computer and they are calling to help. We like people who are friendly and willing to help, and many will automatically trust this scam. The attackers want you to give them access to your computer so they can install some software on it to "fix it". Unfortunately, what may actually be happening is that they are installing malware that compromises your system, or worse, steals the username and password you enter at sensitive sites such as bank websites.

What Can I Do?

There are several things you can do to protect yourself:

1. Always check the sender's email address to make sure it is legitimate. Even then, check the contents of the email, because many scam emails use a generic salutation rather than addressing you by name. And by the way, even legitimate-looking emails (say, from a friend) may not be legitimate, because attackers will also send emails that look like they are from our friends.

2. Don't click on links in the email. Instead, go to the website directly and enter the URL by hand. Be careful even about hovering over the link: some emails contain scripts, and merely hovering over the link can be enough to trigger them.

3. Don't open any email attachment you receive unless it was agreed upon ahead of time with the sender. By opening the document, you could be installing malware on your computer.

4. If you get one of these scam calls from someone who wants to fix your computer, ask them who they represent and say you will call the company directly to verify. Or, better yet, hang up. You should be in charge of fixing your computer and taking it to someone reputable, not someone who cold calls you.

5. Be careful of people who want you to copy or print a file from a USB drive. Never plug a USB drive of unknown origin into your computer; it could have malware on it. This is another form of social engineering. Many companies have been compromised by an employee picking up a USB drive in the parking lot and plugging it into their work computer "just to see what's on it".
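Recommendations 1 and 2 above (check the sender's address and the salutation, and be wary of the links) can be partly automated. The script below is an added example written for this post, not code from the original article or its author: it takes a raw email message, reports a generic salutation, flags links whose visible text names one domain while the href points to another, and notes links that lead outside the sender's domain. Both sample messages embedded in it are constructed for illustration (the addresses and hosts use the reserved `.test` TLD and are not real), and the "registrable domain" helper is a deliberate approximation that takes the last two labels of a hostname.

```python
"""Flag common phishing tells in a raw email message (added example, not the post's code)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name claims a bank, the address domain is a
# lookalike, and the link's visible text names a different host than its href.
PHISH_EML = """\
From: "Example Bank Support" <alerts@examplebank-secure.test>
To: you@yourcompany.test
Subject: Action required on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>There is a problem with your account. Please
<a href="http://login.examplebank.test.attacker-site.test/verify">
https://www.examplebank.test/login</a> to resolve this issue.</p>
</body></html>
"""

# Constructed sample of an ordinary internal message, for contrast.
CLEAN_EML = """\
From: "Alice" <alice@yourcompany.test>
To: you@yourcompany.test
Subject: Lunch on Friday
Content-Type: text/plain; charset=utf-8

Hi Bob, see https://www.yourcompany.test/menu for Friday's options.
"""

GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member", "dear valued customer")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
HOSTLIKE_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/\S*)?")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from anchors plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        self.text.append(data)
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def _registrable(host):
    """Approximate the registrable domain as the last two labels (assumption)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _host_of(s):
    """Extract a hostname from a URL or a bare 'www.example.test/path' string."""
    s = s.strip()
    if "://" in s:
        return urlparse(s).hostname or ""
    if HOSTLIKE_RE.fullmatch(s):
        return urlparse("//" + s).hostname or ""
    return ""


def analyze_email(raw):
    """Return a list of (code, detail) findings for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_hdr = msg["From"]
    sender_domain = ""
    if from_hdr is not None and from_hdr.addresses:
        sender_domain = _registrable(from_hdr.addresses[0].domain)

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        parser = _LinkExtractor()
        parser.feed(content)
        links, text = parser.links, " ".join(parser.text)
    else:
        # Plain text: the visible text of a link is the URL itself.
        links, text = [(u, u) for u in URL_RE.findall(content)], content

    lowered = " ".join(text.split()).lower()
    for phrase in GENERIC_SALUTATIONS:
        if phrase in lowered:
            findings.append(("generic_salutation", phrase))
            break

    for href, visible in links:
        target = _registrable(_host_of(href))
        shown = _registrable(_host_of(visible))
        if shown and target and shown != target:
            findings.append(("link_text_mismatch", f"shows {shown} but goes to {target}"))
        if sender_domain and target and target != sender_domain:
            findings.append(("link_outside_sender_domain", f"{target} vs sender {sender_domain}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EML), ("clean", CLEAN_EML)):
        print(name, analyze_email(sample))
```

Treat the output as prompts for a human check, not a verdict: legitimate mail often links through tracking or hosting domains, so "link outside sender domain" on its own is only a reason to type the address by hand, as recommendation 2 says.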

These are a few recommendations to keep you safe, but the best advice, I think, is the Russian proverb "trust, but verify". Be very careful, and make sure your business staff are also watching out for the above issues.

About Robert Hurlbut

Robert Hurlbut, owner of Robert Hurlbut Consulting Services, based in Enfield, CT, provides software security consulting, architecture, and training. This includes software development, threat modeling, secure code reviews, and other kinds of security audits for your company. If Robert can be of assistance to your company, please get in touch through the below contacts.

Twitter: @RobertHurlbut

  1. Thanks for the good information, Bob.

  2. All good info~~my personal fave is the person picking up the USB drive in the parking lot. How very human!