As technical security improves, human security vulnerabilities are increasingly in the bull’s-eye. For a fresh look at social engineering, and how best to defend against it, there’s no better source than a hacker. So, I reached out to Cliff Smith, Ethical Hacker & CISSP at Parameter Security, for his take on the current social engineering battleground. Here’s what he shared:
Confidence games have been around forever. Is there anything fundamentally different about social engineering practiced by hackers?
Modern social engineering is no different than the classic con games. They all run on information, trust, and emotions. The biggest change in the past 20 years or so is that technology makes the attacker’s job much easier, for several reasons. First, a skilled practitioner can use countless tactics to make their first contact appear more legitimate, such as spoofing a message’s source or creating a legitimate-looking website. Second, the average user operates on autopilot much of the time when using their phones or computers. It’s so easy, for example, to click on a link without stopping to think about the danger, which makes phishing attacks much more likely to succeed. Third, technology makes the consequences of social engineering much more dire. In just a few clicks, you can accidentally ruin your financial life, or someone else’s.
It’s commonly understood that phishing is a problem, and that phishing is a deceptive email with a malicious link. Is it that simple, or are there other social engineering attacks to be concerned about?