As companies have improved their technical security controls, criminals are using a new method to get their hands on confidential info: asking users to grant them access.
So-called “social engineering” is the tactic du jour of hackers — rather than find ways around organizations’ technology-based security screens, they trick employees into opening the doors.
A recent story on CSO Online outlines four ways today’s cybercriminals are exploiting users to get access to sensitive information:
1. Changing communication methods
By now, many folks know not to trust every e-mail they receive. So social engineering attacks are often conducted by contacting the victim in other ways.
Some examples: paper fliers that direct people to malicious websites, voice mails asking folks to call back and leave sensitive financial info, and free USB drives that contain viruses.
2. Making it personally relevant
One way criminals have had success getting victims to open e-mails: crafting messages that connect on a personal level.
That’s been a popular ruse for some time, but lately hackers have gone so far as figuring out where a victim is located so they can, for example, send e-mails claiming to report on breaking local news. The messages, of course, link to malicious websites.
3. Using their friends
As Facebook’s become a big hit with users, it’s gotten pretty popular with criminals as well. The latest round of attacks spreads malware by sending users a link via a Facebook message. When users click on it, their accounts are hijacked and the message is sent to everyone on their friends list.
Attacks like this work because the messages look like they’re from a friend. Many users don’t yet understand that’s not always the case.
4. Using their security fears
If folks are more alert about data security threats, then hackers can use that to their advantage.
Lately, so-called “scareware” attacks have been making the rounds, in which a user will get a message that their anti-virus software is out of date. When they click the link to install the new software, a virus is downloaded.
Software’s not enough
The solution? Experts warn data security pros that technical security solutions aren’t enough these days.
Those tools must be combined with user training that helps everyone in the organization recognize and avoid threats.