Halloween is a time when people of all ages dress up as something spooky that they’re really not. For the scariest of hackers, every day is like a reverse Halloween as they try to scam victims by pretending to be someone safe and trustworthy--a persona that they’re really not. This Halloween, don’t get tricked by the haunted hack!
Tricks of this nature are categorized as social engineering, and unlike a child dressed as a ghoul on Halloween, scams of the social-engineering variety are much more difficult to spot. When it comes to protecting yourself from these targeted scams, it’s imperative that you know what to look for. Also, in the same way you check your kid’s trick-or-treat candy for anything that might be harmful, you need to view unsolicited digital communications with a degree of healthy skepticism.
Unfortunately, social engineering tactics like phishing scams work, which is why hackers increasingly use them. This begs the question; why is it that users so easily fall for these scams, even if they’re aware of the security risks? Researchers from the University of Erlangen-Nuremberg in Germany sought to find this out by studying the reasons why people click on malicious links.
The findings were presented by Zinaida Benenson at the most recent Black Hat convention in Las Vegas. Benenson attributed the “success” of a malicious link to the hacker’s ability to understand the circumstances of the scam, and personalizing the link to appeal to their victim. “By a careful design and timing of the message, it should be possible to make virtually any person to click on a link, as any person will be curious about something, or interested in some topic, or find themselves in a life situation that fits the message content and context."
Translation; even with proactive training and education, the best employee could potentially click on a link if doing so fits into their current interests or piques their curiosity. ZDNet uses the example of a partygoer who attended a recent event and then receives an email containing a link to photos of the party. Naturally, the user will want to click on the link, regardless of where it’s from. In this example, the hacker effectively appeals to the natural curiosity of what might be contained within; when coupled with such personalized context, it’s almost guaranteed that they’ll click it.
Another example would be an employee who’s experiencing technical trouble with a workstation. They’ll then receive an email from “tech support” suggesting they click on a link and download remote access software. If the employee is frustrated and they can’t get their PC to work properly, they will follow the email’s instructions for two reasons: 1) The context fits the situation, and 2) People tend to trust tech support.
Like the work it takes to create an impressive Halloween costume, these hacks rely on a level of preparation and cunning by the hackers. This kind of personalized attention makes social engineering scams particularly challenging to protect oneself against.
Essentially, the possibilities for you and your employees to be tricked by spear phishing attacks and end-user errors are limitless, so long as a hacker knows how to appeal to what a user cares about. At the end of the day, having a staff that knows how to spot a trick, and a network that’s free from scary threats, is the greatest treat a business owner can ask for.
Have a safe and Happy Halloween from all of us at Machado Consulting.