Every few months, a new vulnerability gives internet users something to fret about. For an example, look back to the KRACK attack against Wi-Fi WPA2 last month, or the WannaCry ransomware outbreak several months before that. It can seem as though our devices are little more than collections of unprotected vulnerabilities, with our information simply waiting for someone to exploit it. But how true is this?
Take the WPA2 vulnerability as an example. KRACK undermines the encryption that Wi-Fi itself provides, but traffic that was already encrypted separately, for instance through a VPN, would have stayed confidential. In other words, as long as you follow digital best practices (using a VPN and malware protection, and keeping your software patched), your devices would be safe most of the time. Unfortunately, as Guernsey Press reported at the beginning of the year, individuals within corporations continue to be responsible for the greatest damages. If large firms like Barclays or Deloitte cannot defend themselves from people-targeted hacking, what can you, as a consumer, do?
How Are People Being Hacked?
Phishing is perhaps the most widespread form of social engineering. It is the fraudulent attempt to obtain personal information by posing as a genuine entity. Phishing happens over many channels, but most often by email and text message. A basic phishing email prompts you to click a link that takes you to a landing page. The page is fake, but its design imitates a genuine website, and it asks you to "log in" by entering your information, typically your credentials. Some phishing scams go a step further and ask for financial details, such as card numbers, as well.
Email spoofing refers to forging the sender's address so that a message appears to come from another source. For example, a scammer can spoof the From: header to create a message that looks like it came from your bank, asking you to take some action. The From: header is simply text the sender chooses; nothing in basic email verifies it, which is why receiving mail servers run SPF, DKIM and DMARC checks to decide whether it can be trusted. As you might expect, email spoofing is often used to carry out sophisticated phishing and spam attacks.
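To show what a receiving server actually has to go on, here is an added example (not code from the original article) that parses a message's headers and lists the reasons its From: line should not be trusted: the envelope sender (Return-Path) not matching the From domain, and the receiving server's own SPF and DKIM verdicts in Authentication-Results. Both messages, the bank name and every domain in it are constructed for the example; only the header names and the Python standard library are real.

```python
"""Spot a forged From: header by checking it against the envelope sender
and the receiving server's SPF/DKIM verdicts (added example, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed sample: From: claims to be the bank, but the envelope sender
# (Return-Path) and the receiver's authentication results say otherwise.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Example Bank Security" <alerts@examplebank.example>
To: customer@example.org
Subject: Urgent: verify your account

Your account has been locked. Visit https://examplebank.example.login-verify.example.net to restore access.
"""

# Constructed sample of what a message the bank really sent would look like.
LEGIT_MESSAGE = """\
Return-Path: <alerts@examplebank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.example; dkim=pass header.d=examplebank.example
From: "Example Bank" <alerts@examplebank.example>
To: customer@example.org
Subject: Your monthly statement is ready

Log in at https://www.examplebank.example to view your statement.
"""


def _domain(header_value: str) -> str:
    """Lowercase domain part of the address in a header, or '' if there is none."""
    _, address = parseaddr(header_value)
    return address.rpartition("@")[2].lower()


def spoofing_indicators(raw_message: str) -> List[str]:
    """Return the reasons the From: header should not be trusted.

    An empty list means these header-level checks found nothing; it does NOT
    prove the mail is genuine (a lookalike domain with its own SPF/DKIM passes).
    """
    msg = message_from_string(raw_message)
    reasons = []

    from_domain = _domain(msg.get("From", ""))
    envelope_domain = _domain(msg.get("Return-Path", ""))
    if from_domain and envelope_domain and from_domain != envelope_domain:
        reasons.append(f"From domain {from_domain!r} differs from envelope sender {envelope_domain!r}")

    # Authentication-Results is written by the receiving server, which strips any
    # copy the sender added, so the verdicts in it reflect the receiver's own checks.
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)
    if not spf or spf.group(1) != "pass":
        reasons.append("SPF did not pass" + (f" ({spf.group(1)})" if spf else " (no result)"))
    if not dkim or dkim.group(1) != "pass":
        reasons.append("DKIM did not pass" + (f" ({dkim.group(1)})" if dkim else " (no result)"))
    else:
        signed = re.search(r"header\.d=([\w.-]+)", auth)
        if signed and signed.group(1).lower() != from_domain:
            reasons.append(f"DKIM signature is for {signed.group(1)!r}, not the From domain")
    return reasons


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, "->", spoofing_indicators(raw) or "no header-level warnings")
```

Most mail clients hide these headers; "show original" or "view source" reveals them. The same checks are what a DMARC policy automates on the receiving side.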
Downloading Disguised Malware
This is another social engineering technique. Some systems are well enough protected that breaking in remotely is infeasible. In such cases the attacker needs someone on the inside to let the malware in, so the hacker disguises it as something harmless and puts it online for people to download. The malware can be distributed through email links and attachments, free software, and a number of other avenues. An unsuspecting individual downloads and runs it, unknowingly giving the attacker access.
Tailgating involves the hacker gaining physical entry into a building. If the system is highly secure, as in the case of air-gapped networks, the hacker has to reach the system in person to install malware or bypass its protections. Tailgating occurs when the hacker waits for an employee to open a secure door, then follows them into the building without showing any credentials. It usually works where physical security is lax, and primarily where employee identification is not rigorously checked. Bold hackers might even chat with unsuspecting employees to make the ruse more believable.
Re-using Stolen Passwords
This is where hackers obtain one of your passwords and try it on your other accounts (sometimes called credential stuffing). While this is a gamble, the payoff can be devastating, because most people reuse the same password, perhaps slightly altered, across many accounts. If a hacker has your YouTube password, they can see which videos you watch and share. But if you use that same password for your online bank account, you have effectively given them access to your savings and investments as well. Phishing, data breaches at other websites, and physical theft are common ways for hackers to obtain your passwords.
What Are The Potential consequences?
Theft And Misuse Of Sensitive Information
The usual target for hackers is sensitive information: login credentials, financial details, identity documents, corporate secrets, and so on. The fallout depends on how the information is used, and can range from identity theft and financial fraud to the production of knock-off products that cost a company billions in revenue.
Discord And Mistrust
Discord and mistrust are bound to arise as consequences of social engineering, whether in a personal or an organizational setting. Hacking is usually the last thing people consider in such scenarios. For instance, if you woke up to an emptied account, you might suspect those close to you of foul play. In an organization, if you found out that a competitor was developing a product similar to yours, you would likely suspect betrayal by an employee. In the end, social engineering creates a lot of bad blood between people.
In an organizational setting, people are bound to lose their jobs both before and after the situation is resolved. Before hacking is even considered, the potential culprits for a high-level system intrusion are at risk of being dismissed. After a thorough investigation, the person through whom the intrusion came (if internal) will almost certainly be looking for new work soon, even if they were not personally responsible.
How To Prevent People-Targeted Hacking
Double-check Any Communications You Receive
You should always read any email or text you receive at least twice. If it prompts you to visit a link or asks for your personal information, get confirmation from the source by phone before acting. By "source" we do not mean the contact details listed in the message; those may belong to the scammer. Keep your bank's contact information saved, or take it from previously validated correspondence or from the bank's own website. The operating principle for most financial institutions is that they do not ask for sensitive information, and especially not by email.
Employ Two-Factor Authentication
Two-factor authentication is a login method that requires two different kinds of credential to access an account. The first is something you know, usually a username and password; the second is something you have, typically a time-limited code generated by an authenticator app on your phone or sent to a separate device. This way, even if your password is stolen, the attacker still cannot log in. Codes from an authenticator app or a hardware key are preferable to codes sent by text message, which an attacker who takes over your phone number can intercept. Just as importantly, a code prompt you did not request is an early warning that your password has been compromised, so you can change it straight away.
Tighten Your Organization’s Security
Organizations should check the credentials of every employee on entry to and exit from the building. More importantly, cybersecurity should be at the top of the organization's concerns. For instance, the most sensitive information should be stored on separate offline servers and require the authorization of at least two executives to access. That way, even if an employee is hacked, the information remains secure. Note that tougher technical defences make attackers more reliant on social engineering and people-targeted hacking, so the organization should ensure that employees know what to expect.
Check The Authenticity And Security Of Sites You Visit
The first indication that a website is fake is found in the URL. Spelling errors, or a domain that is not the one you expect, rule out the authenticity of the site immediately. Look at the host name, the part between "https://" and the next slash: a brand name appearing anywhere else in the address (as a subdomain, or in the path after the slash) means nothing, because only the registered domain at the end of the host name identifies who you are talking to. Secure sites use HTTPS rather than HTTP, which indicates that the connection is encrypted with TLS (formerly SSL). Be aware, though, that HTTPS only means your traffic to that site is encrypted; phishing sites obtain certificates too, so a padlock does not prove that the site is genuine.
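The checks above can be automated against a short list of sites you actually use. This added example (not from the article) pulls the host name out of a link and flags the usual tricks: a plain-HTTP scheme, a brand name hidden in a subdomain or path, text before an "@" that the browser ignores, punycode labels that can render as lookalike characters, and near-miss spellings of a trusted domain. The trusted list and all the sample links are constructed; a production tool would also use the Public Suffix List rather than the two-label rule used here.

```python
"""Heuristic warnings for a link before you click it (added example, not from the article)."""
from difflib import SequenceMatcher
from typing import List, Set
from urllib.parse import urlsplit

# Constructed list of domains the reader actually does business with.
TRUSTED_DOMAINS: Set[str] = {"examplebank.example", "paypal.com", "google.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host name. Fine for .com-style names; real code
    should consult the Public Suffix List so that e.g. co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def url_warnings(url: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings: List[str] = []

    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme or 'missing'!r})")
    if not host:
        warnings.append("no host name in URL")
        return warnings
    if parts.username is not None:
        # https://www.examplebank.example@evil.net/ : everything before '@' is "user info"
        warnings.append(f"text before '@' is ignored by the browser; the real host is {host!r}")

    domain = registrable_domain(host)
    if domain in trusted:
        return warnings                     # genuine domain; only the checks above apply

    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: may display as lookalike characters")

    # Brand present but not as the registrable domain, e.g. paypal.com.evil.net
    # or evil.net/paypal.com/login. The browser only trusts the registrable part.
    for t in sorted(trusted):
        if t in host or t in parts.path:
            warnings.append(f"mentions trusted {t!r} but the real domain is {domain!r}")
            break

    # Near-miss spelling of a trusted domain (paypa1.com, examp1ebank.example).
    for t in sorted(trusted):
        ratio = SequenceMatcher(None, domain, t).ratio()
        if domain != t and ratio >= 0.85:
            warnings.append(f"{domain!r} looks like {t!r} (similarity {ratio:.2f})")
            break

    if not warnings:
        warnings.append(f"unknown domain {domain!r}; verify it before entering credentials")
    return warnings


if __name__ == "__main__":
    for link in (  # constructed sample links
        "https://www.examplebank.example/login",
        "http://www.examplebank.example/login",
        "https://examplebank.example.login-verify.example.net/",
        "https://www.examplebank.example@evil-host.example.net/login",
        "https://paypa1.com/signin",
        "https://xn--pypal-4ve.com/",
    ):
        print(link, "->", url_warnings(link) or "ok")
```

An empty result only means the link points at a domain on your own list; it says nothing about what the page does once you get there.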
Avoid Suspicious Downloads
If you have to download something, make sure it comes from a trustworthy source. If you receive a link prompting you to download something, ignore and delete it unless you know who sent it and were expecting it. When it comes to software, get it directly from the developer or a reputable vendor rather than from third-party download sites; freeware repackaged on such sites is one of the most common ways hackers spread malware. Where the developer publishes a checksum or a signature for the download, check it before you run the installer.
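Checking a published checksum is a two-minute job, and this added example (not from the article) shows the whole loop: hash the downloaded file in chunks, compare the hex digest against the one the developer lists, and demonstrate that a single altered byte is caught. The "installer" is a constructed file written to a temporary directory; there is no real download involved.

```python
"""Verify a download against a published SHA-256 digest (added example, not from the article)."""
import hashlib
import hmac
import os
import tempfile
from typing import Tuple


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large installers do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, published_sha256: str) -> bool:
    """True only if the file's digest equals the published one (hex, case-insensitive).
    compare_digest is a habit worth keeping even where timing does not matter."""
    return hmac.compare_digest(sha256_of_file(path).lower(), published_sha256.strip().lower())


def demo() -> Tuple[bool, bool]:
    """Write a constructed 'installer', record its digest as the developer would publish it,
    then flip one byte (a trojaned copy) and check that verification now fails."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = os.path.join(tmp, "tool-setup.bin")
        with open(installer, "wb") as fh:
            fh.write(b"\x7fELF" + bytes(range(256)) * 16)    # constructed sample content
        published = sha256_of_file(installer)                # what the vendor's page would list
        genuine_ok = verify_download(installer, published)

        with open(installer, "r+b") as fh:                    # tamper with byte 100
            fh.seek(100)
            original = fh.read(1)
            fh.seek(100)
            fh.write(bytes([original[0] ^ 0xFF]))
        tampered_ok = verify_download(installer, published)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    genuine, tampered = demo()
    print("genuine file verifies:", genuine)      # True
    print("tampered file verifies:", tampered)    # False
```

A checksum copied from the same page as the download only protects you if that page itself is the developer's and served over HTTPS; a signature (GPG, or the code-signing certificate your operating system checks) is the stronger check, because the attacker would need the developer's private key to forge it.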
Invest In A Password Manager
Password managers address most password problems at once. A password manager removes the need to remember all your passwords and, by extension, the temptation to use one password across all your accounts. You also avoid keeping a written record of your passwords, which can easily be stolen. Most managers also audit your stored passwords, flagging weak and reused ones and suggesting stronger replacements. Premium password managers support two-factor authentication and provide encrypted vaults for other sensitive files.
Conduct Extensive Research Into Social Engineering
While this article touches on a number of areas, it covers only a few of the many ways that people get hacked. To protect yourself effectively, you should be aware of the tactics in use and how to avoid them. Keep in mind that they evolve over time, so keep your knowledge current to identify your vulnerabilities and reduce the risks.
When it comes to protecting yourself against social engineering, it pays to be a healthy skeptic. Don't take anything at face value, and make sure you are familiar with how to protect yourself from hacking.
If you are interested in even more hacking-related articles and information from us here at Bit Rebels then we have a lot to choose from.