Almost every day there is a news story about this company or that individual having their personal or confidential information hacked. Because we live in a connected world, with so much data being stored about us on the Internet and in private databases, everyone should be concerned about keeping their data secure.
Security has two sides: the technology that provides protection, and the individual (or organization) that follows secure practices and procedures. No technology can fully secure you or your organization. Used in layers, technology can achieve good security and protect you most of the time. Attackers know that most people and organizations have technical security measures in place, so they target the people instead, using social engineering. We've discussed the human side of security several times on this blog.
Because social engineering is still so effective against users, attackers use it constantly. Here are some examples of how social engineering works:
- The hacker researches a business and discovers the names and email addresses of several employees, including the CEO and the controller or accounting manager, and possibly some client names. They craft a well-written email that looks just like it came from the CEO and send it to the controller, requesting a wire transfer to a client or vendor at a specific bank account. If the organization has no proper controls in place (for example, a second approver and a call-back to a known phone number for any payment request that arrives by email), the controller initiates the wire transfer and the company loses a significant amount of money. This is called spear phishing, because it is aimed at a specific set of individuals rather than sent out at random; this particular form is also known as business email compromise (BEC).
- The hacker registers a domain name similar to that of a large organization, Bank of America for example. The domain is close enough to the real one, such as www.bankofamerica.co instead of .com, that a user can't easily tell it isn't the real site. They send out large numbers of emails telling people that their password has expired and must be updated. The link leads to a website that looks exactly like Bank of America's, but it is the hacker's site, and it records the username and password the user types in. The attacker then has access to that user's bank accounts. This is email phishing. Note that the visible text of a link can show the real address while the underlying link points to the lookalike domain; hovering over the link (or long-pressing it on a phone) shows where it actually goes.
- In a third approach, the hacker calls individuals inside the organization, posing as a vendor or another employee, and asks for potentially confidential information. Because the caller appears legitimate, users disclose information that lets the hacker gain access to the network or computer systems. This is often called vishing (voice phishing) or pretexting.
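The first two examples above share a few mechanical tell-tales that can be checked automatically before a message ever reaches a controller's inbox: a sender or link domain that imitates a trusted one (bankofamerica.co for bankofamerica.com), link text that shows one address while the link goes to another, an executive's name on an address outside the company, and a Reply-To that steers answers to a different mailbox. The script below is an added illustration written for this post, not Stimulus Technologies code or any product's detection logic. The trusted-domain list, the executive list, and the three sample emails are constructed for the example, and the domain matching is deliberately simple (it assumes no two-level public suffixes such as co.uk).

```python
"""Heuristic phishing/BEC indicators for a raw email. Added example, not the post's code."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-lists for the example (assumptions, not real data): domains the
# organisation legitimately exchanges mail with, and executives a spear-phisher would impersonate.
TRUSTED_DOMAINS = {"bankofamerica.com", "example-corp.com"}
EXECUTIVES = {"jane doe": "example-corp.com"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no two-level public suffix like co.uk)."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "").lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats (bankofamerlca)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_domain(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    name, _, tld = domain.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        tname, _, ttld = trusted.rpartition(".")
        if name == tname and tld != ttld:        # same name, different TLD: bankofamerica.co
            return trusted
        if tname in name and name != tname:      # embedded name: bankofamerica-secure.com
            return trusted
        if edit_distance(name, tname) == 1:      # one-character typosquat
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def body_links(msg):
    """HTML parts yield (href, text); plain-text parts yield bare URLs with empty text."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            collector = LinkCollector()
            collector.feed(text)
            links.extend(collector.links)
        else:
            links.extend((url, "") for url in URL_RE.findall(text))
    return links


def analyze(raw_email):
    """Return a list of (indicator, detail) tuples; an empty list means no red flags."""
    msg = message_from_string(raw_email)
    findings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rpartition("@")[2])
    target = imitated_domain(sender_domain)
    if target:
        findings.append(("lookalike-sender", f"{sender_domain} imitates {target}"))
    expected = EXECUTIVES.get(display_name.strip().lower())   # executive name on an outside address
    if expected and sender_domain != expected:
        findings.append(("executive-impersonation", f"'{display_name}' sent from {sender_domain}, expected {expected}"))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]          # replies steered to another mailbox
    if reply_to and registrable_domain(reply_to.rpartition("@")[2]) != sender_domain:
        findings.append(("reply-to-mismatch", f"From {sender_domain} but replies go to {reply_to}"))
    for href, text in body_links(msg):
        href_domain = registrable_domain(urlparse(href).hostname)
        target = imitated_domain(href_domain)
        if target:
            findings.append(("lookalike-link", f"{href} imitates {target}"))
        shown = URL_RE.search(text)                              # link text shows one address, href another
        if shown and registrable_domain(urlparse(shown.group()).hostname) != href_domain:
            findings.append(("link-text-mismatch", f"shows {shown.group()} but goes to {href}"))
    return findings


# Constructed sample messages (not real mail): a credential phish, a BEC wire request, a legitimate note.
PHISH_EMAIL = """From: Bank of America <alerts@bankofamerica.co>
Reply-To: alerts@bankofamerica.co
To: customer@example-corp.com
Subject: Your password has expired
Content-Type: text/html

<html><body><p>Your online banking password has expired.</p>
<p><a href="http://www.bankofamerica.co/login">https://www.bankofamerica.com/login</a></p></body></html>
"""
BEC_EMAIL = """From: Jane Doe <jane.doe@example-corp.co>
Reply-To: ceo.janedoe@mail.example
To: controller@example-corp.com
Subject: Urgent wire transfer
Content-Type: text/plain

Please wire $48,000 to the vendor account below today. I'm in meetings, reply by email only.
"""
LEGIT_EMAIL = """From: Jane Doe <jane.doe@example-corp.com>
To: controller@example-corp.com
Subject: Q3 invoices
Content-Type: text/html

<html><body><p><a href="https://www.example-corp.com/invoices">View invoices</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("bec", BEC_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, analyze(raw))
```

The constructed phishing message trips three indicators (lookalike sender, lookalike link, link text that differs from the link target) and the constructed wire request trips the spear-phishing ones (lookalike sender domain, an executive's name on an outside address, a Reply-To pointing elsewhere), while the legitimate message produces no findings. Heuristics like these are a filter for the obvious cases, not a substitute for the out-of-band call-back described above.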
There are many more ways hackers can get into your network without having to break through your firewalls, antivirus software, and the other technological safeguards you have put in place.
If you have been a victim of hacking, report it to the authorities. The FBI investigates hacking and social engineering, and you can file a complaint with its Internet Crime Complaint Center (IC3) at ic3.gov, which logs and tracks hacking and other security incidents in a database used to identify and prosecute attackers.
Use common sense when online. If something doesn't look right, ask a professional. Most companies will not send you an email asking you to update your account credentials. You can also phone the company to confirm whether an email or request is legitimate; use a number from the company's official website or your statement, not one given in the suspicious email.
There has been a recent surge in phishing and social engineering attempts. If you would like more information or training for your company on how to avoid these hacking issues, Stimulus Technologies offers free seminars tailored specifically for you and your staff. Contact our office for more information and we will schedule a seminar with you.