Spreading malware such as CryptoLocker is the cowardly, distant method for breaching a victim's data security and extorting money out of them. By comparison, social engineering is the method a bold-faced, audacious hacker will employ. It often involves the hacker directly tricking the victim via a manipulative phone call conversation.
As with malware scams, and with any scam, really, knowledge is the strongest preventative measure. The FTC offers guidelines on how to identify and cope with the tech support scams born from social engineering.
The practice is based on phone calls and one-on-one interactions, which translates directly into the hacker attempting to manipulate their victim the way a puppetmaster wriggles strings on his fingers to make a puppet dance. Their devious plan is have the puppet jive its way into transferring their money into the puppetmaster's coffers, one way or another.
Fortunately, the puppet in this case is not entirely powerless.
But let's not kid ourselves - the hackers, the puppetmasters are the ones in a position of power here. Through public directories, these scammers can obtain a victim's name and basic information. They use that as leverage to gain the victim's trust when the call begins. To inflate that trust, they falsely associate themselves with a legitimate company.
If the victim is fooled, the hacker proceeds to the next phase, attempting to convince the victim that their computer has a "problem." They'll describe this problem using a myriad of technical computer jargon that makes no sense, is too advanced for non-tech savvy people to understand, or both.
To "solve" the non-existent problem, the hacker may request remote access to the victim's computer, access to the victim's credit card information and passwords, or trick the victim into downloading malware. Either way, the end goal is the same: to steal money.
So how does the lowly puppet fight back against the all-powerful puppetmaster? Simply put, the theft must be prevented before it can even get started.
The scammer relies on the victim to provide them sensitive personal information, and the victim is motivated to do so out of fear. The fear arises from the threat of a "problem" with their a computer; a "problem" purported to exist only by the scammer in his social engineering act.
The victim must not feel fear. The confidence to remain calm comes from basking in bits of knowledge that nullify socially engineered scams:
- A caller who creates an insane sense of urgency or applies abnormally high pressure is likely a scammer. Hang up.
- Legitimate organizations do not ask for passwords on the phone. Hang up.
- If they're peddling the sale of a security product or associate a subscription free with the call itself, hang up.
- As with any other situation, be very cautious of who you provide your credit card or financial information to. If the call is from someone that appears overly eager to procure your card number, hang up.
- Don't allow remote access. Especially not to anyone who calls randomly.
- Register your number with the National Do Not Call Registry. It's intended to block unwanted telemarketers, but that will make it all the more obvious when you get the rare call looking to scam you (which can be reported)
Prevention isn't always possible. Some of these puppetmasters have been around the block quite a bit, mastering the ways of stringing along their puppets. But there are still possible measures to take, even after the victim suspects they've taken the bait on a scam.
- Use legitimate security software to scan your computer for any possilbe malware, and delete it all.
- Change passwords you may have given. If you use the same password across multiple accounts, change it for all of these accounts.
- If you gave your credit card number, check statements for bogus purchases and call the card provider to reverse the charges.
- If you gave personal information, be wary of possible identity theft.
Ultimately, socially engineered hacking relies on the victim being naive, gullible, and generally uninformed. Adopting a healthy sense of skepticism, a tendency to be protective of personal information, and a little bit of knowledge of preventative measures can go a long way toward severing an encroaching puppet master's strings on your assets.
Featured Image base: http://webzine.demezathor.fr/les-10-strategies-de-manipulation-de-masse/