How would you break into a locked building? If your life depended upon doing so, how would you go about it?
Perhaps you would walk around the building, looking closely to discover any points of easy access. For your actual break-in, you might wait until night when everybody had gone home. Would you break a window to get in? That might be noisy and attract attention if there were people in the vicinity. Would you learn how to pick locks? Or perhaps you would find a “locksmith” to pick the lock for you. Is there any video surveillance that might give you away? Do you need to disable the video cameras? What about alarm systems?
Or perhaps you would try to bust the door down by brute force. In any event, it would probably take some planning and preparation. And you would need to get the timing right if you want to avoid getting caught.
But there’s an easier way. You could show up in a delivery van. You load your arms up with packages, balanced carefully. It is obvious to anyone watching that if you were to drop one, or put them down, it would be hard to get them all picked up and balanced again.
Now, you approach the door just as someone else is entering or leaving the building. They hold the door for you because you clearly can’t open it yourself. MISSION ACCOMPLISHED! You just broke into the locked building!
Why do it the hard way when there is a much easier way?
Even though it is possible to break into computers by finding vulnerabilities in the systems and designing ways to take advantage of those, there is an easier way. Hack the Human!
If you can get a human to click on a link, or open an attachment…. Mission Accomplished!
Of course, there is still some technical work involved. The web page at the other end of the link needs to have malware on it so the computer that visits the page gets compromised. Or the attachment needs to include a way to compromise the computer. But, if you don’t have the skill to design the malware yourself, you can purchase it. There are even “do-it-yourself” kits that make it easy. All you need to do is install the kit, fill in a few blanks on a form and click on a button. Your new customized malware is created for you instantly. Now, all you need to do is get someone to open it.
Hacking a human is easy. All you need to do is take advantage of the way humans typically respond to things. You can appeal to their curiosity, incite worry or fear, or appeal to their desire to be helpful or to be a “good person.” This has a name. It’s called “social engineering.” Simply take advantage of human nature to get people to do what you want them to do.
Let’s look at some examples:
* Your bank account has been suspended. Please verify your information so you don’t lose all the money in your account.
* Receipt for your payment of $1,376.96 is enclosed. (You didn’t authorize this payment, so you are worried.)
* Delivery failed. Final notice.
* You have won. Your winning entry has been selected. Please claim your prize within the next 3 business days.
* Final chance to save 95%.
* Man finds way to never pay another electric bill.
* Contaminated food claims 37 lives. Recall notice. Important: Read this now!
* Re: your inquiry. More info needed.
* Service will be unavailable due to upgrade.
* Upgrade needed by end of month to continue receiving service.
Would you open any of these? If you say “No,” consider a situation where the subject line happened to be one that was especially relevant and interesting to you. Would you open it then?
What if it was related to something you were in the middle of, possibly a transaction, a conversation, or an event? Would you consider the possibility that it wasn’t legitimate?
How do you avoid becoming a victim of these attempts?
One important way is to be aware of the ways that people try to “hack” you.
There are two sides to this. Consider the following: You get a phone call saying that you owe the IRS money and that there is a warrant for your arrest, but you can avoid being arrested if you respond now. But you have heard that this is a scam. Now, when you get the call, you automatically know it is a scam because you have heard about it before.
But maybe you haven’t heard about that particular scam. Yet, if you know the kinds of things to look out for, you can still avoid being duped. For example, if you know that the IRS doesn’t make phone calls threatening arrest, or if you know that they will have contacted you by mail to clear up a matter before taking further action, you are likely to be suspicious if you receive that threatening phone call.
So, you may know about the exact scam itself. Or you may only know about the kinds of ways that criminals try to fool you. Either way, when that call comes, you are at least suspicious and are less likely to let the criminal manipulate you into giving him what he wants.
Computers can be hacked by technical methods or by human methods. Often, a combination of both is used.
You should put measures in place to protect against technical hacks. Software to deal with malware is one of those measures. But, even if you protect the systems themselves, you are still vulnerable to attempts to hack the human.
By making yourself harder to hack, that is, by resisting the methods used to get you to hand over what the hacker wants, you close the biggest and easiest way for them to get into your computer or to get the information and resources they are after.
You do this by becoming aware of how they might take advantage of you and by remaining alert for any attempts to do so.