The 90% Dilemma
Human error accounts for 90% of all business data breaches. In study after study, we find that firewalls and monitoring and encryption can only do so much. But 90% of data breaches are primarily caused by employees and sometimes customers getting phished, hacked, and fooled. Verizon’s 2017 Data Breach Investigation Report found this, and Willis Towers Watson consultancy found this by examining insurance claims. A study done by the Kasperky cybersecurity firm found the same result. Every time we study the issue of security breaches, human error and social hacking victims make up 90% of the incidents.
The Epidemic of Social Hacking
The social hacking ‘trend’ makes plenty of sense. Hackers have identified the open back door to the otherwise secure facility of our servers. Why would they try to crack your firewall or decode your encryption when they can simply have an employee unwittingly provide them total access? Hackers with malware to spread will fool employees into clicking malicious download links, giving them ‘insider software’ access. Some ‘hackers’ don’t even need computer skills if they can trick an employee into sending them a few sensitive documents by pretending to be an internal authority figure. A few just go straight for the money, with a goal of talking a money-handling employee into wire-transferring them a bundle of funds through elaborate deception.
Social hacking is an epidemic. Of all the data breaches in the news, and the thousands that never make it to the news, 90% are perpetrated by social hackers targeting employees. How do you stop social hacking? How do you protect your workforce from the many different tactics hackers will use to steal data or get their malware downloaded? It all starts with knowing how the game is played.
Know Your Social Hacking Channels
- Chat
- Phone
- Social Media
- Chat Apps
The first thing to acknowledge is that there is no one or two channels that hackers use. Social hacking involves reaching out to employees however they can be reached, including their personal phones and private emails if necessary. Any communication channel is suspect, especially channels provided by the company or that could somehow give hackers access to the company network or servers.
Email is the most common and well-known phishing route, but there are many others. Your company live chat support, for example, is very likely to field a few hackers and scammers who will try to convince chat agents to either share information or click a sent malicious link.
Your customer service phone lines should also be suspect, with employees trained to never communicate certain information, or to be bullied into clicking an email link over the phone. And social media is no safer. Hackers may even call employees on their personal cell numbers or even through communication apps that they use in an attempt to either fool them into sharing information or just to infect a mobile device that will later connect to your company wifi and network.
Now let’s take a look at the different tactics that hackers have used.
1. Phishing
Phishing is the most well-known type of social hacking and even non-tech professionals have at least heard of it. The term ‘phishing’ indeed can be applied to most of the types of social hacking and has been used to discuss the types before they were given their own names and definitions. In short, phishing is when a hacker contact someone with a lie meant to advantage the hacker and disadvantage the target.
Phishing can be after login information or personal information, it can be trying to get the target to click an infected link or download an infected file, or it may just be laying the groundwork for further social hacking. Urgency to respond is a common tactic.
Traditional phishing is sent as an email with some theoretically believable premise. Some pretend to be service emails from apps and websites. Some pretend to be people the target knows or should know. Phishing can be done with generic form letters or more personally targeted which is sometimes known as spear-phishing.
2. Pretexting
Pretexting is a more refined form of phishing in which the sender bothers to come up with a good pretext that the target will believe. This is type of phishing has been named fairly recently and addresses spear-phishing in particular. The pretext is a good reason, or made-up scenario, in which the target would be motivated to interact with the hacker and do what they ask.
Often, a hacker using pretexting will have researched the target through social media and professional listings. The hacker may pose as a coworker, a business partner or client, a family member, or staff from a service the target uses.
Most often, pretexting is focused more on gathering information or receiving a packet of information. They may claim, for example, to be a medical staffer at the target’s clinic who needs new records sent over. They may claim to be an outside IT team who needs admin passwords.
3. Vishing
Vishing is “voice phishing” or phishing over the phone. There are two primary forms of vishing. In one, hackers call people privately and try to get personal information over the phone by claiming to work for the target’s bank, medical office, insurance agency, HR department, etc. They then will ask for identity confirmation and personal details which, of course, they then steal for identity theft.
In the second form of vishing, hackers call the help lines for businesses in order to bully customer service agents into revealing private information (ex: Claiming to be a customer who needs their password) or forcing the agent to click a link sent by email.
4. Whaling
Whaling is pretext-phishing in which the hacker claims to be the boss or higher-level exec of the target. They use the weight of authority and the no-questions-asked business culture to trick targets into doing all sorts of things thinking that they are helping a superior in their employer power structure. In some rare cases, hackers may alternately pose as an important client or business partner instead.
Whaling can be used for many different things. In the guise of an exec, the hacker applies pressure, urgency, and implied threats to get targets to do anything from sending packets private information to wire-transferring money directly without checking with a superior first.
5. Baiting
Baiting is when a hacker lures a target with offers of discounts or opportunities. It is a more commercial-themed form of phishing that disguises itself as a promotional email. The target wants whatever is offered, clicks the link, and of course the link is actually malware. The hacker may even go through the effort of building a site and ‘selling’ something. This allows them to get money and payment information in addition to infecting the target’s computer or entire business network.
6. Quid Pro Quo
Then there are more insidious types of social hacking. Baiting and Quid Pro Quo offers the target something in return for opening the security gates. Quid Pro Quo translates roughly to ‘something for something’. In this form of social hacking, the hacker may directly offer the target a reward or offer in return for giving them access to the company’s network, specific data, or someone’s login information.
7. Piggybacking and Tailgating
Finally, there’s the ‘hold that door’ method of social hacking. This is most easily explained in a physical scenario. Piggybacking, also called tailgating, is when a hacker follows so closely after an employee as to gain access at the same time. In physical infiltration, this would be catching the door before it closes and slipping past the key-card lock security. In a digital sense, hackers may convince a target that they need access but are unable to log in themselves, or by hacking an employee’s computer or device then gaining accesss to private login information and company access from there.
Ready to harden your network and train your team to defend from social hacking? Contact us today!
