opinion

Beware of Social Engineering Hacks

Beware of Social Engineering Hacks

In case you’ve never heard of social engineering hacks, they are cyberattacks that prey on individual people. The intent is to get victims to divulge private information or take actions, precisely planned by the attacker, that will lead to a security breach. Social engineering hacks can be as damaging to you personally as they are to your business or website. For example, if your hosting account is infiltrated, attackers can hijack your servers to profit from sending spam, mining crypto or victimizing others, while you pay the bill.

As insidious as that sounds, such “hacks” have less to do the technology side than you might think. In fact, most people simply call such attackers “scammers” because they frequently impersonate people or companies and incite fear or urgency to get what they want. Sound familiar? Maybe you’ve been bombarded with fake support calls supposedly from big companies like Microsoft and Amazon, or threatening calls claiming to be from the IRS, banks or credit card companies. These are all social engineering hacks.

These hacks only work when you let them. Remember, any strange experience you encounter throughout your day could be some scam or attack.

Phishing emails are one of the most common examples. Everyone has seen these; they appear in your inbox as “warning” emails or notices purporting to be from a legitimate company. You’re often prompted to enter your username and password by clicking a link, only to find out they don’t work. That is because the website on the other end of the link is fake; it isn’t possible to log in even if the password is correct. Instead, what has happened is that you’ve given your credentials to a hacker, who then will try to access your account with the exact details you’ve just provided. To make matters worse, the first thing most people do when their password doesn’t work is input other passwords they commonly use, thereby giving a hacker even more data to work with.

Whenever you hear someone say they’ve “been hacked,” it triggers visions of someone wearing a black hoodie sitting in front of a laptop in a dark room late at night, banging away at a keyboard and finding ways into your accounts. But most hacking doesn’t involve fancy keyboard wizardry. It is much easier for attackers to trick you into giving them what they want.

Social engineering hacks are predicated on trust and poor due diligence. If you’ve ever been annoyed by real banks or credit card companies frequently and rigorously verifying your account when you call, you’ve experienced good diligence. The reason these organizations ask you security questions before talking to you about your account is to thwart social engineering hacks.

The infamous John McAfee of McAfee Antivirus once stated that, as a hacker, he used social engineering more than anything else to compromise systems. He said that 75% of the average hacker’s toolkit was social engineering tactics, and the most successful hackers use them 90% of the time. In an interview with Business Insider about how he might hack the Pentagon, McAfee explained, “You want to find the weakest link.” After all, we are all fallible humans and can fall for tricks.

The good news is that your highly firewalled and fortified hosting environments are not the weakest link. Often, the weak link is sloppily written custom software — or the person holding the keys, as in the case of the LastPass hacking debacle. In the LastPass data breach, a DevOps engineer’s home computer was targeted directly, and attackers exploited a vulnerable piece of third-party software — Plex Media Server — that had not been patched. Plex had issued a patch for the bug years earlier, but it was never installed on the victim’s machine. Oops.

You may ask yourself, “If social engineering hacks are so effective, how can I protect myself?” The answer is simple: Trust is earned, not given.

These hacks only work when you let them. Remember, any strange experience you encounter throughout your day could be some scam or attack. It is impossible to learn and know every particular scam there is because they change all the time. Often, these hacks are the same basic scam, just repackaged a little differently.

The best way to spot social engineering attacks and scams is to know how real organizations like banks or credit card companies verify your identity, and what email addresses and website domains should appear in their emails. It isn’t hard to check the “from” email address to see if the domain of the sender’s email is wrong or if the link in the email body goes to some random website rather than to your bank. It may seem counterintuitive, but when Secret Service agents are trained to spot counterfeiting, they focus more on what real money looks like because every counterfeit is different. Ultimately, you can always directly call any company you deal with if you need assurance via email or phone. Most customer service agents are trained to tell you to do this if you’re unsure it is really them calling.

On top of that, the massive acceleration in artificial intelligence is making it even harder to truly know what is fake or real. There is already sophisticated software for making deepfake photos, videos and audio. AI has given hackers new tools to proliferate their attacks worldwide, and nobody is safe from it. Don’t let your guard down.

As I said during my keynote at XBIZ LA in January, it is vital to hold ourselves to a higher standard because we are the adult industry. There is a responsibility to be more vigilant because of the sensitivity of our business niche. Imagine the damaging information to be exploited from a performer’s computer if compromised. Imagine the life-ruining account details and data that could be gleaned from a porn paysite or creator platform’s user database. These attack vectors are severe and frightening, and it is critical to avoid half measures.

Brad Mitchell is the founder of MojoHost, which has served the industry for nearly two decades and has been named XBIZ Web Host of the Year several times. He regularly shares insights as a panelist at trade shows. Contact brad@mojohost.com to learn more about the suite of services his company offers.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
opinion

Creating Payment Redundancies to Maximize Payout Uptime

During the global CrowdStrike outage that took place toward the end of July, a flawed software update brought air travel and electronic commerce to a grinding halt worldwide. This dramatically underscores the importance of having a backup plan in place for critical infrastructure.

Jonathan Corona ·
opinion

The Need for Minimal Friction in Age Verification Technology

In the adult sector, robust age assurance, comprised of age verification and age estimation methods, is critical to ensuring legal compliance with ever-evolving regulations, safeguarding minors from inappropriate content and protecting the privacy of adults wishing to view adult content.

Gavin Worrall ·
Show More