Social engineering – the art of hacking human beings – is an age-old threat. But the meteoric rise of online social media usage has led to a new security challenge: social media engineering.
In this attack space, there are no Matrix-style hacker skills required. It’s not human vs. computer – it’s human vs. human, where a 19th-century snake oil salesman would do just fine.
Social media is not just one-to-one communication, but one-to-many, which greatly expands the “attack surface.” Criminals can spread malicious links across an entire organization, intelligence operatives can collect data from an entire population, politicians can steal an election, and fans of George Orwell know what permanent connectivity can do for overbearing governments.
All humans are vulnerable to social engineering. Some are harder to trick than others. However, in any large group of people, a few are guaranteed to fail the test. And it may not matter that victims can eventually discover the ruse: once the money is gone or the election is over, the hackers have moved on to other targets.
With social media engineering, there is no reason for a hacker to think small. Of course, a lonely citizen is fair game – they are too small to fight back. However, even a powerful nation-state agency is a good target – the bigger they are, the harder they fall – and social media provides a way to connect to each and every one of its human employees.
What is to be done? Should we force all citizens to access the Internet by true name? In free countries, there is no such rule because humans need some degree of online anonymity for personal and for political reasons. However, this also means that it can be difficult to know if an online account has been created solely for the purpose of social media engineering.
Here are a few security suggestions. First, consider your social media platform. Evaluate the company, its business practices, and your personal experience with it. Have you learned how to adjust its settings toward a more secure configuration? The unregulated nature of the Internet is an awesome thing, but the lack of a seatbelt enforcement policy in cyberspace means that you must figure these things out for yourself.
Second, evaluate the profile. Credibility is not just about quantity (i.e. how many followers) but quality (who is following?). Don’t be fooled by anything that can be copied and pasted. Countless men have fallen for a virtual Natasha only to discover a real Boris. The best hackers have the patience to create or to borrow a credible profile. And if you are a high-value target, an attacker may contact you in the guise of a colleague or a family member. A well-connected social media profile is a password and protocol to other humans.
Third, question the content. You and your common sense are the last line of defense. The attacker may have done his or her homework, and successfully placed a logical yet malicious link in your inbox or timeline. Remember, when you receive anything via the Internet that you did not specifically seek, you should apply not only your intelligence, but your wisdom as well. If it seems too good to be true, it probably is.