Twitter is still trying to figure out who is behind that high-profile hack.
Tweets were sent out from verified accounts, saying they would send money to anyone who sent cash to a bitcoin address.
Experts say whoever is behind it possibly used "social engineering," sending phishing emails, texts or phone calls to Twitter employees to gain access.
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
“I can often gain access to an admin panel like the Twitter hack in less than 5 minutes with a social engineering phone call or a phishing email,” said Rachel Tobac, CEO of SocialProof Security.
Tobac is what they call a white hat hacker, a good guy. She trains and tests people on hack tactics through her company SocialProof Security.
Often, a simple call from someone pretending to be with IT is enough to convince someone to share information.
“You have to be ‘politely paranoid.’ That's the phrase I like to use. It just means be skeptical,” said Tobac.
“The sophistication of a spear phishing attack these days is very, very complicated and it’s not surprising anybody could fall compromise to it,” said Mark Ostrowski, head of engineering at Check Point Software.
Ostrowski says banking firms have been compromised in these types of attacks.
Phone company employees fall victim to social engineering tactics allowing criminals to gain access to people's numbers and credentials.
The pandemic has created more opportunities for these types of attacks.
“There's no question we're going through a cyber pandemic as we're going through a health care pandemic,” said Ostrowski. “One of the biggest challenges we need to figure out when we all work from home is that source of identity, right, who we are online and how we can be sure that who we are talking to is who we think that they are.”
Ostrowski says companies can take a zero-trust approach, basically giving the least amount of access to the largest number of people to protect information.
Everyone else should use geo-awareness and multi-factor authentication to get into any accounts.