How hackers use social engineering to steal your data
It starts out like any other day.
You’re at work, answering email and suddenly you see one from Amazon. Great news! Your order for $500 worth of designer luggage has just shipped. The only problem is, you didn’t buy any luggage from Amazon.
Panic sets in. “Who bought this stuff?” you wonder. “How did they hack my account?” you ask.
Then you see, right there in the email, a link to click if you'd like to talk to customer service about your order. Almost without thinking, you click it, and when you land on what looks like the Amazon sign-in page you log in to your account.
That page is a look-alike controlled by the attackers. The moment you submit the form, they have your Amazon username and password.
Congratulations. You've just been the victim of a social engineering tactic known as phishing, and you're not alone.
Attacks are on the rise
Since 2015, there's been a steady increase in these attacks. Widely cited industry estimates attribute around 91% of data breaches to a phishing email like this one, and the costs are enormous: by 2021, organizations are projected to spend $6 trillion a year on damages related to cybercrime.
Using ploys like the one described above, attackers trick users into handing over their usernames and passwords. Typically, these take the form of emails that masquerade as legitimate businesses, such as banks, online retailers or other trusted sources, and alert the user to some danger that supposedly requires them to log in to their account. Ironically, it's often the fear that they have already been hacked that motivates users to give their credentials away.
The most common form of social engineering attack is the phishing email described above; when it is tailored to a specific person or organization, it is called spear-phishing. These often look very believable, but there are usually a few tell-tale clues that give the attacker away, such as:
- The sender's email address doesn't match the business named. A message from a retailer or bank should come from that company's own domain, not from a free webmail provider or a look-alike domain that merely contains the brand name. Check the actual address, not just the display name, and remember that even the From address can be forged, which is why mail filters also verify SPF, DKIM and DMARC alignment.
- The legal boilerplate at the bottom of the email (the copyright line, for instance) often shows a stale year, because the template was copied from an old message.
- Typos are often scattered throughout the body of the email, betraying that the sender may not be a native English speaker. A genuine corporate email from a bank or online retailer would rarely contain misspellings or sloppy sentence structure. The reverse does not hold, though: a well-crafted phishing email can be flawless, so clean prose proves nothing.
Other social engineering tactics
- Phone calls (vishing) in which the caller poses as the help desk, or as an employee calling the help desk, to obtain passwords or privileged account details.
- Social phishing: using Facebook, LinkedIn or other social media to send direct messages to a target in an attempt to trick them into clicking a link. These often come from hijacked friend accounts, which makes them especially believable and dangerous.
- Physical tactics: dumpster diving for passwords or sensitive documents in your trash, or dropping a malware-laden USB drive in a public place in the hope that someone picks it up and plugs it into a company computer.
Quick tips on how you can protect your customers
- Use an email security solution that scans emails for spam and malicious content. Sandboxing capabilities preferred.
- Use web security solutions that protect users when they browse the web and inevitably click the link they shouldn’t.
- Train users to recognize these social engineering tactics, and make it easy for them to report suspicious messages.
- Never accept an invite on social media from someone you don’t personally know.
- Whenever someone sends you a link, check it by hovering your cursor over it without clicking; the real destination can differ from the text you see, and shortened URLs hide it entirely. If it looks suspicious, verify with the sender through a channel other than the email itself, such as a phone call, since replying to the message only reaches the attacker.
- Use two-factor authentication so that a stolen password alone is not enough to log in. Note that one-time codes can still be phished in real time by a relay site; phishing-resistant methods such as FIDO2 security keys or passkeys close that gap.
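The sender-domain and link clues from the list above, and the "hover before you click" tip, can be automated. The checker below is an added example written for this page, not code from the original post or from Ingram Micro: it parses a raw email, compares the brand named in the From display name against the sender's domain, and compares each link's visible text against where its href really points. The brand table, the two sample messages and the two-label approximation of a registrable domain are all assumptions constructed for the example.

```python
"""Heuristic phishing-clue checker (added example, not from the original post)."""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed brand -> legitimate domains table, constructed for this example.
# A real deployment would derive it from verified sender data.
BRAND_DOMAINS = {
    "amazon": {"amazon.com"},
    "paypal": {"paypal.com"},
}


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption: good enough for .com-style names; a production checker would
    use the Public Suffix List so that names like example.co.uk work too.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(url_or_text):
    """Registrable domain of a URL, or of link text that looks like a URL; else None."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s  # let urlsplit treat bare "amazon.com/x" as a host
    try:
        host = urlsplit(s).hostname
    except ValueError:
        return None
    if not host or "." not in host or " " in host:
        return None  # plain words such as "Help" are not domains
    return registrable_domain(host)


def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message (empty = no clue fired)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return ["missing or unparseable From header"]
    sender = from_hdr.addresses[0]
    display = sender.display_name.lower()
    sender_domain = registrable_domain(sender.domain)
    claimed = [b for b in BRAND_DOMAINS if b in display]

    findings = []
    # Clue 1: display name claims a brand, but the address is not that brand's domain.
    for brand in claimed:
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"display name claims {brand} but sender domain is {sender_domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for text, href in collector.links:
        shown, actual = domain_of(text), domain_of(href)
        if actual is None:
            continue
        # Clue 2: the link text shows one domain but the href goes somewhere else.
        if shown and shown != actual:
            findings.append(f"link text shows {shown} but href goes to {actual}")
        # Clue 3: a link leaves the claimed brand's domains entirely.
        elif any(actual not in BRAND_DOMAINS[b] for b in claimed):
            findings.append(f"link to {actual} in a message claiming to be from {', '.join(claimed)}")
    return findings


# Constructed sample modelled on the "your order has shipped" lure above.
PHISH = b"""From: "Amazon Customer Service" <orders@example-mail.net>
To: victim@example.org
Subject: Your order has shipped
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your order of $500.00 has shipped.</p>
<p>Not you? <a href="http://login.amazon-secure-verify.net/signin">amazon.com/contact-us</a></p>
<p><a href="http://track.example-mail.net/x">Help</a></p>
</body></html>
"""

# Constructed counterpart with an aligned sender domain and honest links.
LEGIT = b"""From: "Amazon" <ship-confirm@amazon.com>
To: victim@example.org
Subject: Your order has shipped
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>View it at <a href="https://www.amazon.com/orders">www.amazon.com/orders</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, check_message(raw) or "no findings")
```

Run as a script it reports three findings for the constructed lure (off-brand sender domain, a link whose text and href disagree, and a tracking link outside the brand's domains) and none for the aligned message. It is a triage aid, not a verdict: an email whose sender is an unrelated domain can still be a legitimate third-party mailer, and a flawless message passes all three checks, which is exactly why the header authentication and user-reporting controls in the tips above still matter.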
If you want to know more about how to protect your customers, download our free infographic or contact your Ingram Micro Professional Services team for insights on how to keep your customers safe from attacks like these.