The Weak Link might be You: Social Engineering

Many, if not most, data breaches are not done by people with high-end computers crunching numbers and breaking passwords for weeks on end. Such people are always shown in the movies slaving away at a keyboard in their basements, doing something arcane and brilliant. Instead, a lot of cyber break-ins are done by the most mundane means imaginable: The Bad Guy asks for the information he wants, and the Good Guy gives it to him without thinking.

How is this possible? Simple. We, as flawed human beings, have a tendency to want to cooperate with people, especially those who are, or appear to be, Authorities. The person who claims to be from Tech Support, or Corporate Headquarters, or the police, or a doctor, or even a Professor, might just be some lowlife who is banking on your cooperation in order to take you for a ride.

We are also (at times) motivated by baser principles such as fear (The FBI has detected child porn on your computer!), greed (Help me smuggle $7.5 million out of the country, and I’ll split it with you!), vanity (You Deserve it!), desperation, or dishonesty. Sometimes our honorable traits are exploited as well: honesty (I’ll send you a check for more than the amount, just send me the difference!), compassion (I’m dying of a rare cancer, I have 6 months to live!), or simple credulity (It sounds true, why wouldn’t it be?). These are the characteristics of our psyches that con artists exploit.

The essence of the con game is the same as it’s always been: once the mark has developed faith (confidence) in the crook, he’s wide open. The “information age” has only produced more opportunities for con artists. Consider this: recently, someone was roaming a shopping mall offering people free iPads if they’d only give him their email passwords, and some actually did! In this case, it was a social experiment and no harm was done, but someone bent on social engineering for nefarious purposes would be able to do great harm with such a scheme.

Many cons begin with getting something into the mark’s hands that has a perceived value: a flash drive or CD dropped in a parking lot with a label that appeals to greed or curiosity is a trick that has been used to spread malware on corporate networks, for instance. A “phishing” email that claims you’ve won a sweepstakes you don’t remember entering is another. In a 2003 survey, 90% of office workers gave what they claimed was their password in exchange for a cheap pen!

Your only defense? Question everything. Ask why a piece of information is needed. If it’s not needed, don’t give it. (This even goes for real authority figures!) Ask for credentials. Don’t install questionable software. Never, ever give your passwords out. That’s like handing a stranger your house key. And remember, There Ain’t No Such Thing As A Free Lunch.

For even more empowering technology info, read my new book, “Deciphering the 21st Century,” Available now!


I’d love to hear your comments!
