Protected Voices: Social Engineering

Hello, I’m Jay, a special agent with the FBI. Welcome to social engineering—or, more bluntly, targeted lies designed to get you to let your guard down. Social engineering is the most common technique deployed by criminals, adversaries, competitors, and spies to exploit humans and computer networks. That’s because it’s all too simple—you don’t need any technical skills to be successful.

Social engineering is the use of deception, through manipulation of human behavior, to target and manipulate you into divulging confidential or personal information and using it for fraudulent purposes. In the context of information security, social engineering might also mean psychologically manipulating people to take action that inadvertently gives adversaries access to protected information or assets. Social engineering can also be used to embarrass and humiliate campaigns, voter groups, and others.

Phishing, phishing campaigns, and spear-phishing are just a few examples of social engineering. Phishing is the fraudulent practice of sending an email, which appears to come from a reputable source, to lure someone into revealing personal information or clicking on a link. Just like when you go fishing, you throw a hook into a body of water to bait a fish to bite on the hook. In this case that’s done by a malicious email.

Phishing campaigns generally target a group of individuals or companies by sending multiple fraudulent but enticing emails in the hope that at least one person falls for the bait. These emails are often designed to look official—as if coming from your campaign itself, a trusted vendor, donor, or other known sender.

Spear-phishing, on the other hand, is a very targeted and customized email to lure the targeted victim into taking action. Typically the adversary has done some research on the victim to understand what would make this specific person fall for the scam. Criminal and foreign government-sponsored cyber adversaries use spear-phishing emails to get access to protected networks. Sometimes simply dropping the name of someone the target knows is enough to lower their guard.

So let’s talk about how and why cyber adversaries prefer social engineering tactics. It’s easy, low cost, and widely successful. It’s easy because there are off-the-shelf apps or social-engineering exploitation kits available online. These kits aggregate open-source information about you from various social media sites to help the attacker craft a highly convincing spear-phish email. Cyber adversaries can also mirror a legitimate website by using off-the-shelf tools, so that they can direct you to a fake website that looks authentic to capture your login credentials. And sometimes, the phishing needs no technology at all beyond a well-written email, with just enough social finesse to get you to reveal sensitive information.

If you download a malicious email attachment, click on a malicious link, or log in to a fake mirrored website, you might be letting an attacker sneak past even the most robust cybersecurity defenses. Depending on the structure of your computer network, a successful phishing attack could compromise your entire network.

So, how can you minimize your risk of becoming a victim? Two simple techniques will help you guard against these attacks. First, before you open an email attachment or click on a link, even from people you know, look at the email header to see exactly what the sender’s email address is. Adversaries often change one letter, symbol, or number in an email address so that it closely resembles a legitimate email address. If you don’t see that tiny change, you may be replying to a cyber adversary instead of a trusted friend. The same thing is true for embedded links. Hover your mouse over the link, and make sure it doesn’t have any masquerading characters.

Second, be careful when handling emails that contain attachments. If you don’t know the sender, call the person before you open it. If you do know the sender but weren’t expecting an attachment, call the person before you open the attachment. When possible, avoid using the phone number listed in the email. Also, avoid opening emails on mission-critical systems, where sensitive data resides. An infection on such a system may result in significant loss of information.

These techniques sound pretty simple. But in the context of political campaigns, it can be challenging to abide by them, particularly because you’re constantly communicating with constituents, most of whom you don’t know personally. So, how can you balance your critical need to communicate with constituents against your need to safeguard your computer networks?

Training and creating awareness is one of the most important steps your campaign can take. It’s extremely important for your campaign to educate staff and volunteers about social engineering as an attack vector. That puts your staff in a better position to detect these attempts and avoid becoming victims. You can get as creative as you want to deliver these training sessions. We’ve seen some organizations send out controlled phishing emails to their employees to determine if extra training is required for those who have trouble identifying phishing emails. You may also want to provide reference sheets or training videos about social engineering.

Encourage campaign staff and volunteers to think about all the information they’re publicly sharing on social media, and to review and restrict privacy settings on social media accounts regularly. Information that seems innocuous—such as office locations, meeting dates and times, names of people written on a whiteboard in the background of a selfie shared online—can give adversaries information they can use to target you. Adversaries may also target your personal email accounts and might even try to connect with you on social media. As a general rule, don’t accept friend requests from people you don’t know.

At the end of the day, you, the human user, are the first line of defense against social engineering attacks. Your campaign should consider educating all staff and volunteers about how social engineering works and the harm it can cause. The more training, the better. Make it a regular part of your campaign week. Ask your colleagues to watch this video, or pass the information to them yourselves. The social engineering tips won’t keep your campaign’s information systems safe from every kind of cyber threat, but they will help you significantly minimize your risk. Remember, your voice matters, so protect it.
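The two checks the video asks you to do by hand (compare the sender's address to the one you trust, and compare a link's visible text to where it really points) can also be automated as a mail-filter rule. This is an added example, not FBI or Protected Voices material; the trusted domains, the confusable-character table, and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample values: the domains this campaign treats as trusted senders.
TRUSTED_DOMAINS = {"example-campaign.org", "trusted-vendor.example"}

# Common one-character swaps, folded back to the letter they imitate (constructed, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain):
    """Fold digits and letter pairs that imitate other letters so look-alikes compare equal."""
    d = domain.lower()
    for swap, real in CONFUSABLES:
        d = d.replace(swap, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_verdict(from_header):
    """Classify the address in a From: header as 'trusted', 'lookalike', or 'unknown'."""
    match = re.search(r"<([^>]+)>", from_header)  # handles the "Name <addr>" form
    addr = match.group(1) if match else from_header.strip()
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    for trusted in TRUSTED_DOMAINS:  # one edit away, or equal after folding confusables
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 1:
            return "lookalike", f"{domain} resembles {trusted}"
    return "unknown", domain


ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)


def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def masquerading_links(html):
    """Return (visible text, real href) pairs where the shown address names a different host."""
    found = []
    for href, inner in ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if LOOKS_LIKE_URL.match(shown) and host_of(shown) != host_of(href):
            found.append((shown, href))
    return found
```

A "lookalike" verdict or a non-empty `masquerading_links` result is the automated version of the tiny change the video says you might otherwise miss; route such mail to a quarantine or a warning banner rather than to the inbox.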
