In case you’ve never heard of social engineering hacks, they are cyberattacks that prey on individual people. The intent is to get victims to divulge private information or take actions, precisely planned by the attacker, that will lead to a security breach. Social engineering hacks can be as damaging to you personally as they are to your business or website. For example, if your hosting account is infiltrated, attackers can hijack your servers to profit from sending spam, mining crypto or victimizing others, while you pay the bill.
As insidious as that sounds, such “hacks” have less to do with the technology side than you might think. In fact, most people simply call such attackers “scammers” because they frequently impersonate people or companies and incite fear or urgency to get what they want. Sound familiar? Maybe you’ve been bombarded with fake support calls supposedly from big companies like Microsoft and Amazon, or threatening calls claiming to be from the IRS, banks or credit card companies. These are all social engineering hacks.
These hacks only work when you let them. Remember, any strange experience you encounter throughout your day could be some scam or attack.
Phishing emails are one of the most common examples. Everyone has seen them: “warning” emails or notices purporting to be from a legitimate company. You’re prompted to click a link and enter your username and password, only to find that they don’t work. That is because the website on the other end of the link is fake; there is no real account behind it, so even the correct password fails. What has actually happened is that you have handed your credentials to an attacker, who will try them against the real account. Some phishing kits go a step further and relay whatever you type to the real site in real time, so the login appears to succeed and there is no failure to tip you off. To make matters worse, the first thing most people do when a password doesn’t work is try the other passwords they commonly use, giving the attacker even more to work with against your other accounts.
Whenever you hear someone say they’ve “been hacked,” it triggers visions of someone wearing a black hoodie sitting in front of a laptop in a dark room late at night, banging away at a keyboard and finding ways into your accounts. But most hacking doesn’t involve fancy keyboard wizardry. It is much easier for attackers to trick you into giving them what they want.
Social engineering hacks are predicated on trust and poor due diligence. If you’ve ever been annoyed by real banks or credit card companies frequently and rigorously verifying your account when you call, you’ve experienced good diligence. The reason these organizations ask you security questions before talking to you about your account is to thwart social engineering hacks.
The infamous John McAfee of McAfee Antivirus once stated that, as a hacker, he used social engineering more than anything else to compromise systems. He said that 75% of the average hacker’s toolkit was social engineering tactics, and the most successful hackers use them 90% of the time. In an interview with Business Insider about how he might hack the Pentagon, McAfee explained, “You want to find the weakest link.” After all, we are all fallible humans and can fall for tricks.
The good news is that your highly firewalled and fortified hosting environments are rarely the weakest link. More often it is sloppily written custom software, or the person holding the keys, as in the LastPass breach. There, attackers went after a DevOps engineer’s home computer and exploited a known vulnerability in an unpatched piece of third-party software, Plex Media Server, to plant a keylogger; once the engineer typed the master password, the attackers had the corporate vault. Plex had shipped a fix for the bug years earlier, but it was never installed on that machine. Oops.
You may ask yourself, “If social engineering hacks are so effective, how can I protect myself?” The answer is simple: Trust is earned, not given.
It is impossible to know every particular scam, because they change all the time. Most are the same basic con, just repackaged a little differently.
The best way to spot social engineering attacks and scams is to know how real organizations like banks or credit card companies verify your identity, and which email addresses and website domains should appear in their emails. It isn’t hard to check the “from” address to see whether the sender’s domain is wrong, or to hover over a link in the email body to see whether it goes to some random website rather than to your bank. It may seem counterintuitive, but when Secret Service agents are trained to spot counterfeiting, they focus more on what real money looks like, because every counterfeit is different. Ultimately, you can always call the company directly if you need to verify an email or a phone call, using the number on your card, your statement or the company’s official website rather than one supplied in the message. Most customer service agents are trained to tell you to do this if you’re unsure it is really them calling.
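The checks above (sender domain, link destination, anchor text that names the bank while the link goes elsewhere, and the pressure language that the phishing passage earlier describes) can be written down as a script. The following is an added example, not code from the article or from MojoHost; the “Example Bank” domain allow-list, the urgency phrase list and the sample message are all constructed for illustration.

```python
"""Phishing indicator check over a constructed sample email.

Added example (not from the original article). Parses an .eml-style message
with the standard library and flags the tells discussed in the text:
a sender domain that does not belong to the claimed brand, links whose host
is outside that brand's domains, anchor text that names the brand while the
href points elsewhere, and urgency language in the subject line.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the hypothetical "Example Bank" actually sends from and links to.
# A real allow-list comes from the organisation's own sites and past genuine mail.
TRUSTED_DOMAINS = {"examplebank.com"}

# Phrases that pressure the reader to act before thinking (constructed list).
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")

# Constructed sample phishing message; every address and host here is made up.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1ebank-support.net>
To: customer@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Please
<a href="http://examplebank.com.login-verify.xyz/auth">log in at examplebank.com</a> now.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, text] of the anchor currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], " ".join(self._open[1].split())))
            self._open = None


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True if host is a trusted domain or a subdomain of one.

    Matching on the end of the host string is what defeats the classic
    'examplebank.com.evil.xyz' trick: that host ends in '.xyz', not in
    '.examplebank.com', so it is rejected.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def analyze(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of (category, detail) findings for one raw email."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender: the display name is free text; only the address domain counts.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2]
    if not is_trusted_host(sender_domain, trusted):
        findings.append(("sender-domain",
                         f"From shows {display_name!r} but the address is @{sender_domain}"))

    # 2. Subject: pressure language is the social-engineering tell.
    subject = msg.get("Subject", "").lower()
    hits = [t for t in URGENCY_TERMS if t in subject]
    if hits:
        findings.append(("urgency", f"subject uses pressure phrases {hits}"))

    # 3. Links: compare each href's host against the allow-list, and check that
    #    anchor text naming the brand is not a cover for a foreign href.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: and relative links are out of scope here
        host = parsed.hostname or ""
        if is_trusted_host(host, trusted):
            continue
        findings.append(("link-host", f"link goes to untrusted host {host!r}"))
        named = [d for d in trusted if d in text.lower()]
        if named:
            findings.append(("link-text-mismatch",
                             f"anchor text {text!r} names {named} but href host is {host!r}"))
    return findings


if __name__ == "__main__":
    for category, detail in analyze(SAMPLE_EMAIL):
        print(f"[{category}] {detail}")
```

Run as-is, the script reports four findings for the sample: the sender domain is not the bank’s, the subject is pushing urgency, the login link points at a host that merely starts with the bank’s name, and the link text claims the bank while the href goes elsewhere. The second link, to a real subdomain of the bank, passes. The suffix match in `is_trusted_host` is the part worth copying: it is the difference between accepting `www.examplebank.com` and falling for `examplebank.com.login-verify.xyz`.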
On top of that, the massive acceleration in artificial intelligence is making it even harder to know what is fake and what is real. There is already sophisticated software for producing deepfake photos, videos and audio, so a voice on the phone that sounds like your boss or a colleague is no longer proof of anything. AI has given hackers new tools to scale their attacks worldwide, and nobody is safe from it. Don’t let your guard down.
As I said during my keynote at XBIZ LA in January, it is vital to hold ourselves to a higher standard because we are the adult industry. There is a responsibility to be more vigilant because of the sensitivity of our business niche. Imagine the damaging information that could be pulled from a compromised performer’s computer. Imagine the life-ruining account details and data that could be gleaned from a porn paysite or creator platform’s user database. These attack vectors are severe and frightening, and it is critical to avoid half measures.
Brad Mitchell is the founder of MojoHost, which has served the industry for nearly two decades and has been named XBIZ Web Host of the Year several times. He regularly shares insights as a panelist at trade shows. Contact brad@mojohost.com to learn more about the suite of services his company offers.