An email arrives, and you think it’s from your boss. Because it has your boss’s name on it, there's a huge psychological response, and you tend do what is requested. After a cordial exchange comes the real request, five magic words, “can you help me out.” Suddenly, you're transferring assets, never to be seen again.
Social engineering is getting people to do things they would ordinarily not do. It has replaced malicious software as hackers' weapon of choice. In addition to phishing emails, some hackers have taken to the phone, making calls to impersonate a colleague, usually one in the need of help.
Kathryn Sherman, a supervisory special agent with the FBI noted that social engineering is the easiest tool in a hacker’s arsenal. Most information for the spoof is available free, online. Less technical hackers are using their manipulative skills to get information that is used to defraud. Social engineering is used to initiate a third of all cyberattacks. This is up from nineteen percent five years ago.
At DefCon hackers made a sport of social engineering. Using nothing more than a telephone and their wit, they spoofed their way through the call centers of large corporations. I was there this year, it was a lot of fun!
Every attempt was successful to some extent. Chris Hadnagy, organizer of the DefCon social engineering event, said the purpose was not to cause havoc, but rather to illustrate social engineering in action and help expose weaknesses in cyber defense.
We went into the studio with Kevin Mitnick and one of the DefCon contest winners and taped a few top pretexting scenarios using the phone. Stay tuned!
Training to recognize and resist social engineering is gaining in importance and becoming the in many organizations: pass the phishing test and you get a bonus, fail and face…more training. Tailored, interactive, engaging and non-punitive training can help build a culture of security that will make an organization resistant to social engineering.
The Wall Street Journal has the story.
