Connect with us

Hi, what are you looking for?



2020 Rings in a New Era of Cyber Attacks – and it’s Getting Personal

Recently, I finished a great audiobook by the famed hacker Kevin Mitnick, called “Ghost in the Wires”, where he details his exploits in using social engineering techniques to hack phone systems. For the most part, he used old school methods that involved research, cold calling and convincing people he should have access to their systems.

Recently, I finished a great audiobook by the famed hacker Kevin Mitnick, called “Ghost in the Wires”, where he details his exploits in using social engineering techniques to hack phone systems. For the most part, he used old school methods that involved research, cold calling and convincing people he should have access to their systems. Success was predicated on his skill in manipulation – and the fact that most people inherently want to trust others.

Fast forward to 2020 and social engineering is essentially the same, relying on the techniques pioneered by Mitnick and his peers. The major differences now are that technology and scale play a greater part in the success of today’s attacks.

In a few of my recent articles, I warned about the growth potential for attacks in the coming year and explored some of the methods being adopted by attackers that use technology to ensure greater success.

Many of us are familiar with the two most common types of socially engineered attacks – phishing and spear-phishing – but there are many more to be aware of, including:

• Baiting, for example. The age-old story of a hacker leaving a USB device in a carpark, hoping that someone will pick it up and connect to their computer, may sound like the stuff of Hollywood, but it is a surprisingly common attack that has even been used successfully on USB devices given away at computing conferences. Once connected, the USB device will appear to be safe, perhaps containing music or videos. However, it is instead attempting to inject malicious software into the host device.

So, how can a baiting attack be avoided? By never blindly connecting an unknown USB device to your computer. If you do decide to trust the device, make sure you have the latest anti-virus software installed and set to “scan connected devices automatically” to prevent known malware infections.

• Pretexting covers several different attacks using emails, texts or phone calls. The attacker will pose as an authority with the intention of leveraging this authority to gain access to private, corporate or personal high value information. For example, in an attack, the target could first be emailed by a family member who says they need money, followed by an urgent text. This is a dangerous attack as it heavily exploits, and ultimately damages, trust.

Advertisement. Scroll to continue reading.

Verification is the best way to avoid a pretexting attack. As much as we want to trust managers, friends and family members, if you get an unexpected and urgent call pressuring you to provide information or money, take extra steps to verify the request. Hang up and call back on a known number or have the caller provide some information which they would only know if they were genuine.

• Tailgating allows an attacker to gain access to a building or a restricted area and is easily executed. For instance, a stranger follows you into the office carrying a heavy box and asks if you can “badge” them in. Or, an unknown person scrambles in behind you, saying “brrr it’s cold outside! I’m glad to get out of the rain.” Either could be a tailgater or present a risk. They are relying on the fact that people want to be helpful and that by appearing to be familiar, they are less likely to be questioned.

Want to avoid a tailgating scenario? If someone asks you to let them in, make sure to escort them to reception – or use their badge to activate the door. Do not rely solely on trust.

• Scareware is another successful tactic in recent years, using desktop popups and messages to communicate a fake virus infection warning. Sometimes these messages even appear to be legitimately coming from security companies. Less common, but similar, is to receive the infection message in an email, purporting to come from your internet or security software provider. In both cases, clicking on the message will redirect to a software portal, offering the right software to remove the malware for a cost. At this stage, payment will result in two things: fake antivirus software being installed – or, possibly even malware – and stolen financial information.

Practice caution to avoid scareware. A popup or email stating that you’ve been infected by malware and offering a “click here” fix is likely fake and attempting to scare victims into engaging. Make sure to have the latest antimalware installed, along with the most recent operating system security updates. Never click on unknown popups or emails.

Socially engineered attacks are especially nasty and effective because they rely upon natural human responses to be successful; anyone can be a victim at any time. As both cybercriminals and technology get smarter, the public must also adapt. Educate consumers and employees on the risks and warning signs of these attacks. The idea is to not simply “trust no one;” rather, be cautiously suspicious and train yourself to sniff out the (ph)ishy.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...