The danger of Social Engineering
I guess it is safe to say that the internet has been a game-changer for humanity since its dawn.
Billions of possibilities have been opened up for everyone. Free knowledge and information are available for all of us. We can communicate and collaborate and be closer to more people than ever before. Sharing thoughts and goods and passion is part of the freedom of the internet. And last but not least:
Time and distance don't matter online.
But as with most things, the internet is binary after all.
It is not all sunshine and happiness. Real-world problems like crime exist on the internet as well. Criminals enjoy the internet as much as regular people do, and tricksters and fraudsters have adapted their offline methods to work online too.
Never forget: Individuals with bad intentions are attracted by the possibilities of the internet too.
What is Social Engineering?
Social Engineering is a form of attack that targets a person rather than a machine: the attacker builds trust with the target, or creates fear and urgency, to make the target act against their own interest.
It is nothing new; it has existed for as long as people have deceived one another, but fraudsters have adapted it to internet-based communication.
It differs from classical hacking, where an attacker breaks into a system through a technical vulnerability. Social Engineering exploits human psychology; technology (an email, a phone call, a website) is only the delivery channel for the trick.
What is the goal of Social Engineering?
As already stated, Social Engineers concentrate on people rather than on systems. Therefore it is no surprise that the word "Social" is part of the name of this kind of crime.
But they are not being social at all: they are tricksters who fool people into handing over valuable information, or into performing sensitive tasks for the criminal that the criminal could not do alone.
But what do they want? The short answer is most likely that they want to have more money after the attack than they had before.
In a little more detail it could read like that:
Criminals try to get money directly or indirectly: by obtaining information they can sell or abuse, by getting someone to make a payment, or by gaining a foothold from which to spread malware into systems. This can lead to blackmail, fraud, or any other way of turning access into an advantage.
Still, whatever it is in a single case, it is illegal, and it is harmful to people and companies.
Different shades of Social Engineering
Social Engineering is a generic term for different methods of tricking people into giving the fraudsters what they want.
There are many known ways of Social Engineering. They can be anything from Vishing, Phishing, Spear Phishing, Baiting, Quid pro quo to simply asking for a favor.
To give you a better understanding, here are a couple of examples:
In the Knowledge Base article TeamViewer and scamming we warn people about a Vishing attack. There, a scammer tries to sell their services over the phone by claiming that your device is infected with malware. The "V" in Vishing stands for Voice: the scammers tend to call their victims, or wait for victims to call a number shown in fraudulent popups and ads that appear on a website.
An example of Phishing might be an email you allegedly receive from a colleague or friend telling you to click that link or open that attachment to see exciting, funny, important, or even controversial content of any kind. Because you trust your friend, you open the malicious attachment or click a link to a malicious website. But the bitter truth is that your friend never sent the email. It was a fraudster claiming to be your friend, betting that you would not question something a friend or colleague sends you.
Spear Phishing is the targeted version of Phishing: instead of a mass mailing, the attacker has researched you, your employer, or your bank and tailors the message so that it fits your situation, addresses you by name, and refers to details that make it believable.
Staying with the bank theme: you receive an email from "your" bank saying your account has been blocked due to irregular activity. You are asked to verify your account before it is shut down completely; you only have to click a link and enter your banking credentials. But if you do this, the criminals have your data. Your bank did not send this mail, and your account is not blocked. It was a lie, designed to make you hand over your bank details, with extra pressure added by the threat that your account will be closed. Urgency is the tell: a real bank does not ask you to log in through an email link under a deadline, and if you are worried you can call the number printed on your card or type the bank's address yourself.
Isn't there an "Internet Police"?
No - currently, there is no official Internet Police. Some countries and organizations have started initiatives to fight cybercrime, but there is no official, internet-wide body that polices crime, fraud, propaganda, or other illegal activity.
But even if we had police officers and officials all around the internet to protect and serve us, as we do in the real world, we would still need to be careful online.
For sure - you have the same rights and obligations online as offline, and you can always reach out to your local police in case help is needed.
However - you must understand that being online requires being cautious.
Are there ways to avoid being tricked by Social Engineering?
It is difficult to spot a Social Engineering attempt, which makes these threats especially devious.
In any case, you can increase your awareness of Social Engineering and arm yourself with knowledge.
Your best defense against an attack is to be prepared. You can not only educate yourself but also educate all your friends, family, and colleagues by raising their awareness of this topic. The more people are aware and alerted, the harder we make it for any scammer, fraudster, trickster, hacker, and Social Engineer.
At TeamViewer, we want to help you to be prepared for any potential scam attacks.
The 5 golden rules to protect against Social Engineering
Recognize it is real
The first thing is to make yourself aware that scams and Social Engineering attacks are real and that anyone can be targeted.
With this knowledge, you are already halfway to protecting yourself.
Stay alert
The next step is to stay alert and if you have the feeling that something isn't right or sounds too good to be true - remind yourself about what you know about Social Engineering: maybe someone is trying to trick you and take advantage of you.
If you ever find a USB stick in front of your office, do not plug it into your computer to find out who lost it. Bring it directly to your IT or security team and tell them where you found it. Chances are that a fraudster placed it there hoping you would find it and plug it in, giving them access to your company network: a prepared stick can carry malware, or present itself to the computer as a keyboard and start typing commands the moment it is connected. This scam is called USB baiting and can cause severe damage to your company.
You should also keep in mind that there is no prince out there who needs your help and will pay you millions if you do him a favor right now. This is the classic advance-fee scam: the fortune never arrives, but the "small fee" or bank details you are asked for up front are very real. Any offer that promises a reward in return for a favor, a payment, or your credentials belongs to the Quid pro quo family mentioned above. Don't be fooled by it.
Stay calm
If you get a suspicious phone call or email, it is better to hang up, leave the email unanswered (or report it to your IT department), step away from your computer, and take a break to reflect on what occurred. And no worries, it is not rude to simply hang up; a legitimate caller will not mind you calling back on a number you looked up yourself.
Slow down and take your time to think about what happened. Does it really sound plausible? Do you have any way to prove whether what they want to make you believe is correct?
Do not let anybody rush you or force you into a decision you have not thought through completely. And never wire money to a caller or to someone who contacted you out of the blue: no bank transfer, no gift card payments, and no other form of payment you have been asked to make.
These days there is no such thing as being "too security-aware".
Question everything
You should always question information, question emails and their senders, and question any offers you receive. And think twice before sharing any of your data. Unless you are certain who you are speaking to and that the specific information you are asked for is really needed, refuse to give out any information or personal data.
It might slow down your pace a bit, but it is safer for you, your family, and your company. And not being tricked by a criminal will save you a lot of time and trouble in the long run.
Do not click on hyperlinks in suspicious emails. I know, it is easy and saves time, but typing the address yourself, or using a bookmark you created earlier, is the only way to be sure you land on the genuine website. Remember that phishing websites can look exactly like the website you were looking for, and the link text in an email can say one address while pointing to another; hovering over a link shows the real destination, but a look-alike domain (an extra word, a swapped letter, a foreign character) is easy to miss.
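As an added example (not part of the original post and not TeamViewer code), here is a small Python checker that applies the "question the link" advice to the hyperlinks in an HTML e-mail, covering the tricks described in the Phishing and Spear Phishing examples above: a host that only starts with the bank's name, a raw IP address hidden behind a `user@` prefix, punycode look-alike domains, and link text that shows one address while the link goes to another. It assumes the message body is available as an HTML string and that you know which domain the sender claims to represent; `examplebank.com` and the sample e-mail are constructed for the example.

```python
"""Flag phishing-style hyperlinks in an HTML e-mail body.

Added example, not TeamViewer code. Assumptions: the message body is an HTML
string, and the domain the sender claims to represent (expected_domain) is known.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a web address, e.g. "www.examplebank.com/login"
DOMAIN_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registered-domain guess: the last two labels.

    Simplifying assumption for the example; it ignores multi-part suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text, expected_domain):
    """Return the reasons a link looks suspicious; an empty list means nothing flagged."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parsed.scheme!r}")
    if _is_ip(host):
        reasons.append("raw IP address instead of a hostname")
    if "xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("internationalized/punycode host (possible look-alike letters)")
    if parsed.username is not None:
        reasons.append("user@ prefix in URL hides the real host")
    if registrable(host) != expected_domain.lower():
        reasons.append(f"host {host!r} is not {expected_domain!r}")
    # The text the reader sees claims one site while the href goes to another.
    if DOMAIN_LIKE.fullmatch(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable(shown) != registrable(host):
            reasons.append(f"visible text shows {shown!r} but link goes to {host!r}")
    return reasons


def scan_email(html, expected_domain):
    """Return [(href, text, reasons), ...] for every link in the message."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(h, t, check_link(h, t, expected_domain)) for h, t in collector.links]


# Constructed sample message, modelled on the "your account has been blocked" lure.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been blocked due to irregular activity.</p>
<p><a href="https://examplebank.com.account-verify.test/login">Verify your account</a></p>
<p><a href="https://examplebank.com@198.51.100.7/login">www.examplebank.com</a></p>
<p><a href="https://examplebank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL, "examplebank.com"):
        print(f"[{'SUSPICIOUS' if reasons else 'ok'}] {text!r} -> {href}")
        for r in reasons:
            print("    -", r)
```

Running it flags the first two links (wrong registered domain; raw IP behind a `user@` prefix with misleading link text) and leaves the genuine help link alone. The registered-domain guess is deliberately crude: a real deployment would use the public suffix list, and none of these checks replaces the habit the section recommends, which is to type the address yourself.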
Use software to help you
Make sure to install reputable security software to help you protect yourself.
Keep your software up to date and install security patches as soon as they are available. Download software directly from the vendor's official website, not from links in emails or from third-party download portals.
Running the latest version of your operating system and applications is a significant pillar of keeping yourself secure. And never underestimate the benefits of robust antivirus software: it can still catch the malicious attachment or the known phishing site after the trick has already worked on you.
Still, no software out there can protect you 100% from Social Engineering, because the attack targets you, not your computer. Only you can protect yourself, by being aware of Social Engineering; software can only support you.
Closing remarks
I attach great importance to security awareness because it is an essential topic. At the same time, I want to stress that there are many good people out there and that you should never lose your trust in humanity, while staying attentive. You can both enjoy the internet and protect yourself. One does not exclude the other.
Thank you and stay safe!
Esther
Former Community Manager
Comments
teamviewer is good
1
There's a very thin line between "Remote Access" and "Remote Access Trojan"; IMO, TeamViewer falls just on the right side of this line, and **Third Party Product** falls on the wrong side.
There's also conflict between Admin-Uber-Alles "support", vs. client-centric support (which is how I use TeamViewer). Software features for the first, e.g. auto-running macros in Office "documents", the TeamViewer "black screen" feature, etc. are bad for the second safety model, where the support side aims to respect client autonomy, privacy, and their full rights over the systems they own.
Social Engineering is a notorious way to harness legit "remote admin" facilities for RAT purposes, without needing software that would be detected as a RAT. Single-file tools are easy to co-opt and include within malicious packages, which is why tools such as these (as well as Nirsoft's tools) may be detected as PUPs by defenseware.
So, it's a tricky tightrope to walk; ensuring client-side software isn't detected and removed as PUPs, spotting malicious unintended/unattended/bot-automated use, etc.
As a remote-access vendor, TeamViewer has to decide on priorities across this usage spectrum. Should they compete with **Third Party Product** by being easier for "admins" to use, with or without client control, or by elevating client-side control so "support" is less able to fiddle around without their knowledge or consent? Like Johnny Cash, you have to "walk the line".
0