While most people think of hacking as an attack against a website exploiting a vulnerability, in reality, hacking can be as simple as asking for a password. Today's hackers have realized that social engineering a user to give up his or her password may be the easiest way into an organization. The term social engineering refers to the "psychological manipulation of people into performing actions or divulging confidential information." And, it is important to understand this type of attack can occur via email, phone or even in person.

Phishing is a common type of social engineering done via email. We have undoubtedly all seen these types of emails. Historically, they were easy to identify (the Nigerian Prince emails come to mind). But these days, the bad guys will make their message far more polished with a plausible backstory, and timed around current events. For example, phishing emails purporting to be from the IRS always peak around April 15. Social engineering attacks also occur by phone.¹ Attackers will perform reconnaissance on their targets and pretend to be a business associate or other trustworthy party. They may also spoof the caller ID, making the number match the person they are impersonating. They may even conduct an attack in person by having a background story in place and dress to "look the part." Attackers will also leverage malware, sent as email attachments or via malicious websites. If they can get this malware on your computer, it can allow them to see everything you type (this is known as a keylogger).

Password reset questions can be another avenue for attack. While an attacker may not know your password, they may be able to use publically available information against you. Security questions, such as where you went to high school, your mother's maiden name or previous street address, can often be discovered on the Internet. If the attacker can provide the answers to these questions, then they can easily reset your password to access your account.

Typically, people are not great at remembering passwords, and the bad guys know this. Most of us likely have three to five passwords we reuse for all of our website access. If an attacker compromises your password through another method (i.e., website attack, social engineering, etc.) they will try these credentials at other sites because it is likely to provide them access.

Finally, we know surfing the Web at a public Wi-Fi hotspot can put our data at risk. Over an unencrypted Wi-Fi link, everything you type is clearly viewable to those around you. And, when you're in a public setting, it can be difficult or impossible to determine if the hotspot you've connected to is illegitimate or has been compromised. If you unknowingly connect to an illicit hotspot, the attacker can silently redirect secure traffic to a normal HTTP (unsecure) connection, allowing all information to be viewed.

With an abundance of additional access points for hackers to breach, how can you ensure that your system remains secure? Please contact a CNA representative to learn how risk controls can be tailored to your business or visit www.cna.com/cyberliability.
    

¹Tech Insider: Phone Number Spoofing