The concept of social engineering is likely about as familiar to most legal professionals as the term “social distancing” was before the pandemic — which is to say, not at all.
This is unfortunate, because social engineering is one of the most common ways attackers get into systems, and law firms hold exactly the kind of confidential information attackers want. Legal professionals need to know how to protect themselves.
Many of us, especially the less tech-savvy, still think of hacking in terms of what we see in popular entertainment. The typical scene is some tech genius typing furiously at a computer, trying to hack into a system by brute force, then triumphantly shouting “I’m in!” Sound familiar?
But the reality is that most attacks start with something far less dramatic: a phishing email, a fake text message, or a fraudulent social media survey. The goal of these less cinematic tactics is to trick the recipient into taking some action that compromises their security.
That’s what we mean when we talk about social engineering.
What is social engineering?
The term “social engineering” refers to human interactions which use psychological manipulation to trick victims into providing sensitive information or making security mistakes. Instead of relying on vulnerabilities in software or systems, social engineering attempts to induce mistakes by legitimate users.
This makes these attacks much harder to identify and stop with technical controls alone: to the system, a user typing their own password into a fake page or opening a malicious attachment looks like ordinary, authorised activity.
Social engineering attacks are more common during times of upheaval and uncertainty since it becomes easier to play on people’s emotions.
The COVID-19 pandemic has presented exactly such an opportunity to attackers. Unfortunately, these attacks will continue even as the pandemic subsides.
Top social engineering attacks
While there are a wide variety of social engineering attacks, the following are some of the most common types.
Phishing
Phishing attacks are the most common form of social engineering ploy.
Phishing emails seek to trick you into entering login information, thus giving access to the hackers. They may appear to come from a trustworthy source such as your bank. The email asks you to click a link that takes you to a fake login page. When you enter your credentials, the hackers capture your username and password.
Another type of phishing message includes a link to a website that will infect your computer with malicious software (malware). The link looks legitimate, but it actually starts the download.
A spear phishing attack targets a single person within a company. Typically the message purports to be from a colleague or higher-up at the company, while using the same phishing tactic of asking for login information or including a malicious link.
Baiting
Baiting schemes use some form of bait, either physical or digital, to lure victims into a trap.
One of the most common baiting tactics is leaving a flash drive in a conspicuous area. When someone picks up the flash drive and inserts it into their computer out of curiosity, malware is installed on the system.
Digital baiting can also include online ads that lead to malicious sites or encourage malware downloads. Remember those old internet pop-ups that said you just won $100,000? Those were baiting attempts.
Vishing and smishing
As the names suggest, vishing and smishing are variations of phishing, just using media other than email.
Vishing, also known as ‘voice phishing,’ refers to voice calls from scammers posing as legitimate entities and asking for sensitive information. You might get a call from “The IRS” asking you to verify your personal tax information, for example.
Smishing is done via SMS messages — otherwise known as text messages — and uses the phishing email formula of asking for login information or including malicious links. For example, you might get a text message from “Your Bank” that claims there was a hacking attempt and asks you to log in and verify your security details.
Pretexting
Pretexting schemes are attempts to gain information through one or more pretexts, such as needing to verify your identity.
The perpetrator will attempt to impersonate some authority figure, such as a police officer, banking official, or tax authority. The aim is to obtain sensitive information such as Social Security numbers or personal addresses.
While pretexting is often done in person, over the phone, or via email, it could also be in the form of an internet survey asking for private information such as bank account details.
Scareware
Scareware tactics involve false alarms and fictitious threats about the user’s system being infected with malware.
A common example is a pop-up ad that appears while you are browsing, warning that your computer may be infected with spyware. When clicked, the ad or message will either install malware itself or direct the user to a malicious website.
How to protect against social engineering attacks
While all social engineering attacks can be hard to detect, there are some simple precautions legal professionals can take to protect themselves.
Check the source of the communication
When you receive an unusual communication or item, check the source of that information. Identify the source or confirm they are who they purport to be before blindly providing information or plugging that USB drive into your computer.
When in doubt, reach out to the institution directly using contact information you can verify. In other words, if you get a text from your bank about suspicious activity in your account, go directly to the bank website that you always use for online banking and contact support through a known channel to check what’s going on.
For emails, check the sender’s actual address, not just the display name, and compare it to valid emails from that same source. A display name can say anything; it is the part after the “@” that matters. Watch out for substitutions like zeroes for the letter “o” or nearly legitimate addresses. If your bank always emails from addresses that end in @yourbank.com, then you should be wary of messages coming from @yourbank.info.com instead: the real domain there is info.com, and “yourbank” is just a label someone else put in front of it.
Spelling and grammatical errors are also often signs of fraudulent messages. If the language doesn’t sound natural or there are lots of errors, it’s probably not a legitimate message. The reverse is not true, though: a polished, error-free message can still be a phish, so never treat good grammar as proof of legitimacy.
Avoid links and downloads
Always be wary of links and downloads from senders you do not recognize.
Also, if you do recognize the sender but you’re not expecting a file from them, check with that person before you click on anything.
The best practice is to never download anything from a message unless you know the sender personally and are expecting a file from them. Hover your cursor over links to see where they go without clicking on them (on a phone, press and hold the link to preview it). If the link is a shortened URL that hides its destination, treat it as unknown.
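The two checks described above, comparing the sender’s real domain against the one you expect and comparing a link’s visible text against where it actually points, can be automated. The following is an added example written for this page, not code from the original article; the sample phishing message, the legitimate control message, the known-domain list (yourbank.com) and the brand names are all constructed for the demonstration.

```python
"""Flag sender-domain tricks and link-text mismatches in a constructed phishing email."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: domains the firm legitimately receives mail from,
# and the brand names an impersonator would put in the display name.
KNOWN_DOMAINS = {"yourbank.com"}
BRAND_NAMES = {"your bank", "yourbank"}

# Digit-for-letter and pair-for-letter swaps used to build look-alike domains.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def fold(domain: str) -> str:
    """Undo common look-alike substitutions so 'y0urbank.com' compares equal to
    'yourbank.com'. Applied to both sides of every comparison."""
    d = domain.lower()
    for fake, real in SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels ('yourbank.info.com' -> 'info.com').
    Real code should consult a public-suffix list to handle .co.uk-style suffixes."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_domain(host: str) -> str:
    """'known', 'lookalike', 'brand-in-other-domain' or 'unknown' for a host name."""
    reg = registrable(host)
    if reg in KNOWN_DOMAINS:
        return "known"
    if fold(reg) in {fold(k) for k in KNOWN_DOMAINS}:
        return "lookalike"
    # 'yourbank.info.com': the brand appears, but under someone else's domain.
    if any(fold(k).split(".")[0] in fold(host) for k in KNOWN_DOMAINS):
        return "brand-in-other-domain"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw: str) -> list:
    """Return (finding, detail) tuples for the sender address and every link."""
    msg = email.message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    verdict = classify_domain(addr.rpartition("@")[2])
    if verdict != "known":
        findings.append(("sender-domain-" + verdict, addr))
        if any(b in display.lower() for b in BRAND_NAMES):
            findings.append(("display-name-impersonation", display))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        verdict = classify_domain(target)
        if verdict != "known":
            findings.append(("link-domain-" + verdict, href))
        # The 'hover' check: visible text that looks like a URL but points elsewhere.
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown and " " not in text and registrable(shown) != registrable(target):
            findings.append(("link-text-mismatch", f"{text} -> {href}"))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Your Bank Security" <alerts@yourbank.info.com>
To: partner@lawfirm.example
Subject: Suspicious activity on your account
Content-Type: text/html

<html><body><p>We blocked a login attempt. Verify your details at
<a href="http://yourbank-verify.info.com/login">https://www.yourbank.com/login</a></p>
<p>Or visit <a href="https://y0urbank.com/secure">y0urbank.com</a>.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "Your Bank" <alerts@yourbank.com>
To: partner@lawfirm.example
Subject: Your statement is ready
Content-Type: text/html

<html><body><p>Sign in at <a href="https://www.yourbank.com/statements">www.yourbank.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_PHISH):
        print(*finding)
```

Run against the constructed phishing message, it reports the sender domain (info.com wearing a “yourbank” label), the impersonating display name, the link whose visible text says yourbank.com while its href goes to a different domain, and the zero-for-o look-alike; the legitimate control message produces no findings. The registrable-domain helper is deliberately naive; a production version should use a public-suffix list.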
Use secure websites
Before providing any confidential or sensitive information, always first check that you are on the right website and that the connection is secure.
Pay attention to security warnings from your browser telling you it cannot validate the website’s certificate; do not click through them. Check that the URL starts with https:// rather than http://. That “s” means the connection is encrypted and the certificate matches the domain in the address bar, but it does not mean the site is legitimate: attackers obtain certificates for their look-alike domains for free, so a padlock on y0urbank.com proves only that you are securely connected to y0urbank.com. The domain name itself is what you need to read carefully.
Use multi-factor authentication
Multi-factor authentication is a method that requires the user to provide one or more additional verification factors to gain access, beyond just a username and password. It is an excellent line of defense against social engineering attacks.
If one of the additional factors is a numerical code texted to your phone, for example, an attacker who has phished your password still cannot log in without that code. That’s why it’s so important to never share your passwords or security codes: attackers do ask for them, by phone, by text, and through fake login pages that relay the code to the real site in real time. Where your provider offers it, an authenticator app or a hardware security key is harder to phish than an SMS code, which can also be hijacked by tricking your carrier into moving your number to another SIM.
Multi-factor authentication is more secure than security questions because the code is different every time you log in. Someone might be able to guess your password or find answers to security questions, but even you don’t know the code you’ll need to access your account each time.
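To make concrete why a stolen password alone is not enough, here is an added example (written for this page, not code from the original article) of the time-based one-time code mechanism used by authenticator apps, a close cousin of the texted code described above. The user record, the password, and the shared seed are constructed; the seed is the RFC 6238 test-vector seed so the generated codes can be checked against the published values. The password is hashed with plain SHA-256 only to keep the demo short; a real system uses a slow, salted hash such as bcrypt or Argon2.

```python
"""Time-based one-time codes (RFC 6238) and a two-factor login check."""
import hashlib
import hmac
import struct
import time

# Constructed demo seed (the RFC 6238 test-vector seed). In practice a fresh random
# seed is generated per user at enrolment and lives only on the server and the
# user's device, so knowing the password tells an attacker nothing about the codes.
SEED = b"12345678901234567890"
STEP = 30      # seconds each code stays valid
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter taken from the current time step.
    The code changes every `step` seconds, which is why 'even you don't know
    the code you'll need' until you look at the device."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the current step or one step either side to tolerate clock skew.
    Compare in constant time so response timing does not leak matching digits."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, at // STEP + drift), submitted):
            return True
    return False


# Constructed user record: password hash plus the enrolled seed.
USERS = {
    "partner@lawfirm.example": {
        "pw_hash": hashlib.sha256(b"correct horse battery staple").hexdigest(),
        "totp_seed": SEED,
    }
}


def login(user: str, password: str, code: str, at: int = None) -> str:
    """Both factors must pass; a phished password on its own is rejected."""
    record = USERS.get(user)
    at = int(time.time()) if at is None else at
    if record is None or not hmac.compare_digest(
            hashlib.sha256(password.encode()).hexdigest(), record["pw_hash"]):
        return "denied: bad password"
    if not verify_totp(record["totp_seed"], code, at):
        return "denied: bad or expired code"
    return "ok"


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SEED, now))
    print(login("partner@lawfirm.example", "correct horse battery staple", totp(SEED, now)))
    print(login("partner@lawfirm.example", "correct horse battery staple", "000000"))
```

Note what the example does and does not protect against. An attacker who captured only the password is stopped at the second check. An attacker who phishes the current code and submits it within the same 30-second window gets through, which is exactly the real-time relay attack the text warns about; that is the gap hardware security keys close, because the key signs a challenge bound to the genuine site’s origin rather than producing a code a person can be talked into typing elsewhere.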
Consider anti-virus software
Anti-virus software can protect your computer from many threats, as well as provide warnings for suspicious websites.
Modern operating systems have a lot of antivirus features built in, but that doesn’t mean that you don’t need another layer of protection. It’s a good idea to install an antivirus program on any device where you’ll deal with sensitive information.
Don’t participate in social media quizzes or question posts
As a legal professional, you must be especially careful about what you post to social media.
You already know to keep political commentary off of your professional pages and to be mindful of the tone of your posts. What about those seemingly innocuous quiz posts, though?
Posts that ask about your first job, your first pet, your mother’s maiden name, your kids, your age, or any number of other seemingly innocent details are common social engineering tools. Those are the same answers that account-recovery security questions ask for, and they also get you used to oversharing on the internet.
Don’t share those long questionnaire posts or the “never have I ever” posts, and don’t comment on seemingly harmless posts that say things like “I bet you can’t name a color with the letter E in it,” because each of those types of posts is designed to condition you to share more details. The more you interact with that type of content, the more of it you see, and the more likely you are to hand an attacker the details they need.
The bottom line
While social engineering attacks are increasingly common and hard to detect, this does not mean you should throw up your hands in despair. Follow these basic guidelines to protect yourself and your firm from cyber security threats.
- Learn about phishing and be wary of all messages that ask you to click a link or share information
- Keep your antivirus software up to date
- Use secure passwords and multi-factor authentication
- Use social media carefully and don’t answer any questions publicly
If your firm ever experiences a hack, don’t panic. Report it immediately to whoever handles IT and security at your firm and follow your incident response plan; there are steps you can take to move forward, and the sooner they start the better.
Most importantly, though, be mindful of the information you share, both intentionally and accidentally. Don’t use easy-to-find information (your birthday, your anniversary, your favorite band, etc.) as passwords or security question answers, and if you’re ever in doubt, change your password immediately.