
Social Hacks Take Advantage of Human Behavior to Open Organizations Up to Risk

Rocket Software

December 22, 2020

Social hacks offer one example of an attack that takes advantage of human negligence. A social hack can be defined as an attempt to manipulate human behavior through specific, orchestrated actions to gain access to restricted information or systems without permission. It’s reported that roughly 84% of hackers use some sort of social engineering in their attacks. If a social hack is well coordinated, it can be difficult to detect before sensitive information or assets are accessed or stolen.

Because many individuals and organizations believe cybersecurity is an issue that only affects larger companies, they get complacent. This opens them and their organizations up to social hacks. In fact, a recent conversation I had with a colleague led me to reflect on the fact that even the experts themselves can become complacent when it comes to cybersecurity, and the end results can be dire.

Even Security Professionals Make Mistakes

My colleague, David, was telling me about how he recently received an email from his 401k vendor requesting his signature to transfer money from his retirement fund. Confused, David contacted his broker, who informed him that the firm had received an email from David just the day before requesting to withdraw over $100,000 from his account. The broker quickly escalated the issue to their internal security team to investigate. The next day, the broker said he received another similar email from David’s work email address.

David realized his email had been accessed and he was close to becoming the victim of devastating theft. After enabling text notifications, he saw that a hacker was attempting to log in to his email from South Africa 4 to 5 times a day. Fortunately, he caught the attack in time to prevent any further break-ins.

How did they get his login credentials? David had no idea, but he knew he tended to use the same password for multiple accounts. He came away from the experience knowing he had to revisit basic security best practices.

During our conversation, David recalled how this incident reminded him of the importance of not resting on his security laurels at home or at work. Imagine a similar social hack occurred in a professional setting. A simple email hack could grant cybercriminals access to sensitive datasets and login credentials for other systems within the organization. From there, hackers could easily manipulate the mainframe code at the operating system level to steal sensitive data, and the consequences of that would be debilitating for a business.

Fight Complacency with Security Best Practices

At the end of our conversation, David and I talked through some of the best ways for individuals and businesses to protect themselves from social hacks. We discussed how it’s key to follow industry best practices, including using a password manager to ensure unique, hard-to-guess passwords for all accounts, and always enabling two-factor authentication when available.

In addition, for a business, improving internal processes can help mitigate these dangers as well. It’s important to examine internal systems so individuals don’t have excessive access to datasets that aren’t essential for their jobs. Internal developers who needed access to sensitive data to build an app might still have access long after the work is complete, or external contractors could still have internal credentials after they’ve finished working with an organization. Set up a process to check for these issues on a regular basis.
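One way to run the recurring check described above, as an added example that is not from the original article: a short Python review pass over an export of dataset access grants. The record fields, user names, dataset names and the 90-day idle threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Grant:
    user: str
    kind: str                      # "employee" or "contractor"
    dataset: str
    project_end: Optional[date]    # end of the work that justified access; None = standing role
    contract_end: Optional[date]   # contractors only
    last_used: Optional[date]      # None = never used

def review(grants, today, idle_days=90):
    """Return (user, dataset, reasons) for every grant that should be re-justified or revoked."""
    findings = []
    for g in grants:
        reasons = []
        # External contractor whose engagement is over but whose access remains.
        if g.kind == "contractor" and g.contract_end and g.contract_end < today:
            reasons.append("contract ended")
        # Access granted for a build or project that has since finished.
        if g.project_end and g.project_end < today:
            reasons.append("project complete")
        # Access nobody is exercising is a sign it is not essential to the job.
        if g.last_used is None or today - g.last_used > timedelta(days=idle_days):
            reasons.append(f"no use in {idle_days} days")
        if reasons:
            findings.append((g.user, g.dataset, reasons))
    return findings

# Constructed sample export (hypothetical users and dataset names).
SAMPLE = [
    Grant("dev_a", "employee", "PAYROLL.MASTER", date(2020, 6, 30), None, date(2020, 6, 25)),
    Grant("ctr_b", "contractor", "CUSTOMER.PII", None, date(2020, 9, 30), date(2020, 12, 1)),
    Grant("ops_c", "employee", "CUSTOMER.PII", None, None, date(2020, 12, 15)),
]

if __name__ == "__main__":
    for user, dataset, reasons in review(SAMPLE, today=date(2020, 12, 22)):
        print(f"{user:6} {dataset:15} {', '.join(reasons)}")
```

Note that the contractor in the sample is still actively using access after the contract end date, which an idle-time check alone would not catch.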

It’s also critical to implement standards for flagging vulnerabilities or threats, whether real or potential, to ensure transparency so any employee, regardless of their level of authority, is taken seriously when raising the alarm about a possible threat. These concrete steps will establish a culture of cybersecurity awareness and alertness in your organization so that your business is safer, and therefore so are the individuals you employ and the customers you serve.

If you take anything away from the conversation I had with my colleague David, it should be that it’s critical for individuals and organizations alike, regardless of security expertise or size, to follow security best practices, as it’s the only way to ensure the highest security standards.