Dealing with social engineering at times of uncertainty

Protest

Human failure is the single biggest contributing factor to security incidents, hacks and data breaches. Social engineers, cybercriminals that invest in human errors rather than technical vulnerabilities, are always on the lookout for exclusive opportunities to incite strong feelings in their targets and prod them to make a fatal mistake.

The anxiety and uncertainty surrounding the immigration ban in the U.S. provides the perfect climate for social engineering attacks, a fact that is largely ignored while the political aspects of the ban are being highlighted and fanned with ample frequency by the media.

Immigration and travel are associated with complicated vetting procedures and verification of sensitive information, information that hackers dearly covet. In fear and desperation of what their fate might be, targets of the ban will be more prone to making mistakes they would otherwise avoid and hand over their vital information to the wrong person.

The present situation is especially dangerous because of the parties that would capitalize the unstable climate to target immigrants and foreign nationals. Aside from fraudsters, data thieves and their ilk, who will target victims for financial and commercial gains, oppressive regimes will also have a track record to use social engineering techniques against dissidents and activists abroad, and there’s a likely chance that they’ll try to take advantage of the current climate to target their victims.

An attack does not necessarily have to deal visible damage to the victim in its early stages. Social engineers are a very patient and meticulous lot. They will monitor and profile their targets with care, gather information, and strike at the right moment.

Spear-phishing emails, messages with malicious content or intent but disguised as coming from a trusted and authoritative source, are the most likely type of attack that will rise under the current circumstances. With social media providing a treasure trove of information on individuals, attackers will have all they need to create a well targeted email to lure their victims into a trap.

It is now more convincing than ever to receive an email from the immigration office asking you to confirm your ID and information, or a message from the ACLU and support groups claiming to help protect you against deportation or some other unfavorable fate, especially if you happen to be abroad and aren’t sure whether you’ll be allowed to return to the U.S.

Therefore, be very careful when opening emails that come from supposedly official sources and claim to provide tips and help, especially if they ask you for any kind of information or encourage you to visit a website or download a file.

If you’re truly tempted to proceed with the provided guidance, do so very carefully. Check the authenticity of the claim with another source, such as the official website or phone number of the organization.

If you’ve never heard of the organization, ignore it altogether or do some thorough research before giving it any credence. All in all, the more tempting the offer looks, the more skeptical you should be.

Also, this is the best time to make sure your browser and antivirus are up-to-date, and your operating system is patched up.

But the attack vectors aren’t limited to emails. Malicious parties are also likely to set up their traps on social media, on fake Twitter accounts and Facebook pages. The thing with social media is that they’re not as strong as say Gmail when it comes to fighting spam. It’s natural to see new organizations and movements rise in wake of the travel ban in order to help people who might potentially be harmed. But never forget that others might also use the same disguise to lure you into traps, so look for some reviews and scam alerts before rushing to sign up for any of them.

Cybercriminal rings can also set up fake online ads and spend money on their scams, especially if they’re not after financial gains. In his recent TED Talk, Caleb Barlow, VP of IBM Security, gave some damning insights into how organized cybercrime has become.

“These criminal organizations operate like highly regimented, legitimate businesses,” Barlow says. “Their employees work Monday through Friday. They take the weekends off.”

In the highly anonymous world of online services, Barlow’s comments are another grim reminder that everyone is not who them seem to be.

In times of turmoil and uncertainty, you’re better off erring on the side of caution. Take a deep breath and think twice before running headlong into something that can spell your doom.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s