Ok well maybe I won’t give you a million dollars, but read this and it might save you and/or your company a lot of money and time. If this article’s title was a link in your email inbox, I’m sure you wouldn’t click on it, right? Unfortunately, the law of large numbers can, well, bite us in the rear.
If that same link was sent to hundreds of different inboxes, how many people do you think would click on it, if even just by accident or impulse? Just 1 percent click through rate represents a substantial number for one criminal’s nefarious activity. Clicking on these malicious links or attachments exposes you and your contacts to consequences ranging from innocuous spam to very malicious malware.
This scenario I have described is called “phishing” and it is under a broader category of attacks dubbed social engineering. It refers to any technique where an attacker exploits the trust of an individual for malicious intent. The 2016 Verizon Data Breach Digest reports that 20 percent of attacks contain this social element, and within this category, 72 percent of them involved email.
Put very simply, if you see an email that you did not expect and it urges you to click on a link or download an attachment, don’t do it. It can immediately compromise your computer by running computer code that takes, at most, seconds to complete.
I was recently targeted by a social engineering attack. I was called by a woman who claimed to be from Microsoft and wanted me to open up a remote connection from my computer to hers. I was aware of what this was from the start, but I admit that I was also curious, so I listened to her pitch.
She had me pull up a 32 character code on my computer that she said authenticated herself as a Microsoft employee, but a brief internet search quickly debunked that claim. Who knows what she would have loaded onto or extracted from my computer if she was able to set up a connection. As some advice, Microsoft will never call you, the end user. When these scams happen to you, you should hang up immediately, unless you want to mess with them a little. That can be fun too!
The individual is a critical link in cyber defense, because they are often the most vulnerable. The Verizon Digest states, “Threat actors who engage in social engineering attacks do it because they know that the human element is the weakest link in any information security strategy.”
If you take anything from this article take this, attempts to exploit our natural responses to sympathy, fear, curiosity, authority, expertise or haste should be immediately met with suspicion, especially when it is dealing with your personal or your company’s private information.
Connor Pate is an Information Assurance Analyst at the National Information Assurance Training and Education Center within Idaho State University