Aug 31, 2021

How remote access users can protect themselves from phishing and other social engineering hacks

History shows social engineering “hacks” are much, much older than digital technology threats and typically much more effective as well. Here’s how you protect against such threats in the age of remote access.

    Social engineering is an attempt to exploit a person’s thoughts or feelings to gain access to something of value. In technology, that is often login details, bank account information, or contact information.

    Most people are familiar with the classic example of social engineering: the Trojan Horse of Greek legend. Social engineering is far older than any digital threat and remains at least as effective, which makes it especially worth discussing in an era when so many devices can be accessed remotely.

    So, while the technology around remote access has layers of security protecting it, there will always be someone in an organization who wants to help a stranger, win a prize in a contest they’ve never heard about, or use the easiest password possible — and never change it.

    Here’s how you can avoid that person opening the virtual door to your office to let the big wooden horse in.

    Phishing, spear phishing, and whaling

    Anyone with an online presence receives phishing attempts regularly. Phishing is an email or other message crafted to look as though it comes from a legitimate source, such as your bank, and it succeeds through sheer volume: even if only one in 10,000 recipients falls for it, sending a million messages yields 100 victims.

    A phishing message might ask you to click a link to “verify your account details.” The link may deliver malware to your device (and from there to your network), or it may route you to a convincing copy of a legitimate login page that captures whatever credentials you type into it.

    Spear phishing is the next level. Whereas phishing casts a huge net, spear phishing is crafted for one individual. It may reference something personal, perhaps drawn from public records or from a data leak, to make the message look legitimate.

    Whaling is spear phishing aimed at a high-ranking official in an organization, someone with significant access to sensitive data. You would expect such people to be on alert, but even prominent government officials have had their personal email accounts compromised in whaling attacks.

    Protect yourself

    Education is the best defense against every form of phishing. Instruct employees not to click links or open attachments in unexpected email or SMS messages, and to reach a service by typing its address or using a saved bookmark instead. Be cautious about sharing personal details on social networks that could be used in spear phishing campaigns. And keep in mind that reputable service providers, including TeamViewer, never ask for passwords or personally identifying information over email.

    Beyond that, every extra roadblock you put in an attacker’s path helps. Follow password best practices: use a different password for each site or service and manage them with a trusted password manager. Enable TeamViewer’s two-factor authentication for both connections and accounts, so that a stolen password alone is not enough to get in.

    Pretexting

    Pretexting is when a hacker impersonates someone who would plausibly have legitimate access, such as a vendor or technical support. They reach out, often by phone because a live call leaves the target little time to verify who is really speaking, and ask for information that compromises your device or another device you can access. They may ask whether the company uses a remote access tool and whether they can log in.

    You may not think that could work, but pretexters often have enough background information about the organization and about the person they are impersonating that an employee can be caught off guard.

    Protect yourself

    The first step in defeating a pretexting attack is to establish protocols for when and how outside vendors or tech support will reach out to employees. Some organizations even have a code word that the caller must use before they are trusted. Also, establish a policy that whoever engages an outside vendor must notify the employees that vendor might contact. That way, if a call comes out of the blue, your employees know to be suspicious. If a caller claims to be a vendor, the safe check is to hang up and call the vendor back on a number you already have, not one the caller provides.

    With TeamViewer, you can also activate Easy Access, our security feature that allows you to connect to specified devices without a password. Easy Access eliminates the need for passwords altogether in favor of a stronger validation using the person’s TeamViewer account. If someone isn’t logged into the correct TeamViewer account, they aren’t getting in, so a pretexter who talks an employee into reading out a connection password gains nothing. That also makes the account itself the thing to protect, which is why two-factor authentication on the account matters. Find out more about Easy Access in this helpful Community article.

    Baiting

    Baiting involves leaving a physical device, usually a CD or USB thumb drive, loaded with a malicious program or a remote access “backdoor” in a place where an organization’s workers will find it, such as the parking lot or office lobby. The attacker will go to great lengths to get someone to use the bait on their computer, like printing the company’s logo onto the device and/or labeling it with something that piques curiosity like “Employee Salaries 2021.”

    It may surprise you that baiting still works in the age of cloud computing. In a 2016 University of Illinois study, researchers left USB drives around the campus: 98 percent of the drives were picked up, and nearly half of them were plugged into computers and allowed to “call home.”1

    You might think baiting is outdated, but attackers are simply trying harder, as in this case last year where the USB drive arrived with a (fake) $50 gift card.2

    1. https://www.infosecurity-magazine.com/blogs/bhusa-dropped-usb-experiement
    2. https://portswigger.net/daily-swig/usb-phishing-attack-baits-victims-with-50-gift-card

    Protect yourself

    The primary defense against baiting is, once again, education: instruct workers never to plug unknown devices into their computers. You can also adopt a policy that USB drives are not to be used for file transfers, or simply remove the ability to use USB storage or the CD drive on company-provided computers, using administrator tools or endpoint protection software.
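    To make that last option concrete, here is an added example (not from this post, and not a TeamViewer feature) of disabling USB mass storage on a Windows endpoint with PowerShell, then auditing the result and listing which USB storage devices the machine has seen in the past. It assumes a Windows 10 or later machine and an elevated session; the function names are this example’s own, while the registry paths and values are the documented Windows settings.

```powershell
# Added example, not from the TeamViewer post or the TeamViewer product.
# Disables USB mass storage on a single Windows endpoint using two documented
# settings, then audits them. Run from an elevated (Administrator) PowerShell
# session; on a managed fleet you would push the same values via Group Policy.

$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$RemovablePol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Disable-UsbMassStorage {
    # Control 1: keep the USB mass-storage class driver from loading.
    # Start = 4 is SERVICE_DISABLED; setting it back to 3 (on demand) restores it.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord

    # Control 2: the registry value written by the Group Policy setting
    # "All Removable Storage classes: Deny all access"
    # (Computer Configuration > Administrative Templates > System > Removable Storage Access).
    if (-not (Test-Path $RemovablePol)) {
        New-Item -Path $RemovablePol -Force | Out-Null
    }
    Set-ItemProperty -Path $RemovablePol -Name Deny_All -Value 1 -Type DWord
}

function Test-UsbMassStorageDisabled {
    # Audit: returns $true only when both controls are present, so a
    # compliance script can flag machines where one of them was reverted.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    $deny  = (Get-ItemProperty -Path $RemovablePol -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    return ($start -eq 4) -and ($deny -eq 1)
}

function Get-UsbStorageHistory {
    # Forensic check: Windows keeps a record of every USB storage device that
    # has ever enumerated, even after the driver is disabled. Listing it shows
    # whether someone plugged in a "found" drive before the control went in.
    $enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $enumKey)) { return @() }
    Get-ChildItem -Path $enumKey | ForEach-Object {
        # Each child is a device type, e.g. "Disk&Ven_Kingston&Prod_DataTraveler";
        # its own children are the individual device serial numbers.
        $deviceType = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                DeviceType   = $deviceType
                Serial       = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

Disable-UsbMassStorage
if (Test-UsbMassStorageDisabled) {
    Write-Host 'USB mass storage is disabled on this host.'
}
Get-UsbStorageHistory | Format-Table -AutoSize
```

    Two caveats a practitioner should keep in mind. Both settings only affect storage devices: a malicious device that enumerates as a keyboard and types commands (the kind of attack a “gift card” drive can carry) is unaffected, so pair this with endpoint protection that controls device classes, not just drives. And any local administrator can flip the values back, which is why the audit function exists and why a managed fleet should enforce the policy centrally rather than rely on a one-off script.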

    Also, one of TeamViewer’s most popular functions is file transfer. You can move files between devices without having to rely on a USB drive, perhaps making it easier for your organization to transition away from them.

    You may think socially engineered attacks only happen to companies that deal with money or sensitive information. Every organization has value to a hacker, even if it’s just to access more email addresses to use in their phishing campaign.

    Social engineering works because it preys on human nature itself. Everyone experiences times of curiosity, excitement, or wanting to help another person, and that is when their guard goes down (just like the Trojans). So, what can you do to avoid being the next victim of social engineering? Always err on the side of caution. If a message or call provokes a strong emotional reaction, whether urgency, fear, excitement, or sympathy, pause and consider whether the interaction is part of a social engineering plot, online or off.

    Have you encountered social engineering threats in your environment? Share your stories and tips in our community.