Social Engineering Fraud – A Resource for Employers

Nov 02, 2022

Social engineering is a form of fraud that engages psychological manipulation to trick individuals into handing over sensitive information, including addresses, social security numbers, and more. This type of manipulation can target people at home or work.


Social engineering can be especially dangerous because it exploits human error rather than operating system, network, or software vulnerabilities. Human mistakes are far harder to predict than software flaws, which makes these attacks more difficult to uncover than malware and other software-based cyber attacks.


The Social Engineering Life Cycle


Social engineering can occur in one or more steps. The social engineering life cycle typically consists of four stages: preparation, hooking, play, and exit.


1. Preparation


Typically, the attacker prepares for the attack by identifying victims, gathering background information, and identifying the best methods for attack. They’ll look for weak security protocols and the best point of entry to make their move.


2. Hooking


Next, perpetrators make an effort to deceive the victim and hook them in through different methods. They might engage the target by sharing a believable story, for example, to take control of the interaction. Essentially, they are providing necessary stimuli to gain the trust of the victim, encouraging the victim to break security protocols and standard practices.


3. In Play


Once the victim is hooked, the attackers will try to obtain sensitive information over time to execute an attack, siphon information, and disrupt business operations.


4. Exit Strategy


The goal is for the attackers to exit the interaction without causing suspicion. To do so, they’ll attempt to bring the interaction to a natural close, remove malware, and cover their tracks in as many ways as possible.


Types of Social Engineering


There are several malicious activities that fall under social engineering. These activities can occur anywhere human interaction exists.


The five most common forms of online social engineering are:


• Baiting
• Phishing
• Pretexting
• Scareware
• Spear phishing


Baiting


Baiting, as the name implies, applies false promises that engage the victim’s curiosity. The bait lures people into a scheme that allows the attacker to steal personal information.


Baiting scams can be carried out online and in the physical world. Online, enticing ads and badges prompt people to click on them, taking them to malicious sites and encouraging them to download malware-infected software applications.


In the physical world, baiting most commonly involves the perpetrator using physical media to deliver malware. The attacker, for example, might leave a malware-infected flash drive in areas where possible victims can see it—areas like elevators, parking garages, and bathrooms are commonly used. The drive will look legitimate, perhaps carrying a familiar logo or a label indicating what it’s for. Unfortunately, out of curiosity, individuals will pick up the drive and insert it into their computers, unknowingly allowing malware to install automatically.


Phishing


Phishing is one of the most popular and commonly used social engineering tactics. Phishing attacks involve text messages and emails that prompt a sense of fear, curiosity, or urgency so that a person takes action. As a result, the individual often ends up providing sensitive information, opening harmful attachments, or clicking on links that lead to malicious web pages.


Oftentimes, phishing schemes look very much like a legit email or website from a reputable organization. For example, an email might be sent to users of an online payment platform alerting them to a policy violation or concern about fraudulent activity. The notification prompts the user to change their password for security purposes and takes them to a legitimate-looking site to do so. When the information is entered and submitted, it goes to the phishing attacker vs. the legitimate company.


Fortunately, because the same phishing emails and texts are often sent to a mass audience, mail servers can catch them more easily when threat-sharing platforms are utilized.


Pretexting


Pretexting allows a perpetrator to gather all kinds of sensitive information, from social security numbers, phone records, and personal addresses to bank account information, employee vacation dates, and family member information. Oftentimes, the scam is enacted by a person who pretends to require sensitive information in order to perform a vital task for the victim.


With pretexting, attackers tend to craft a series of lies to obtain the referenced types of information. To establish trust, the perpetrator generally impersonates a person with whom the victim has a business relationship, such as a bank official or an IRS representative.


Deception Software


Deception software, also referred to as scareware, fraudware, and rogue scanner software, sends an intended victim several fictitious threats in the hope that they’ll believe their system is infected with malware. The threat will include the option for the victim to download software to fix the issue, which, in reality, is likely malware or software that only benefits the perpetrator.


Deception software is used in spam emails and on websites as popup banners. “Your computer is infected with malware.” or “Your computer may be infected with spyware.” are common messages on popup banners designed to get you to click on them.


Spear Phishing


Spear phishing is essentially the same as the phishing scams mentioned above but with a more targeted focus. With spear phishing, the perpetrator selects a specific entity or specific individuals to target. Messages are developed based on the specific details of the targets, so the attacks are less likely to be identified as attacks. Spear phishing may take several weeks or even months to pull off given the level of effort it requires. These scams are more difficult to detect and often have higher success rates compared to other forms of social engineering.


A spear-phishing scenario might involve a scammer who impersonates an organization’s CFO, CEO, or another executive. The scammer sends an email to specific employees, worded as if it came from the executive, so that it appears to be an authentic message. The message might indicate a security breach in the department’s accounting software, prompting recipients to update their password through a provided link that actually takes them to a malicious page that captures their credentials, placing them in the hands of the scammer.


Protecting Against & Preventing Social Engineering Attacks


To help your employees remain vigilant and avoid social engineering attacks, it’s vital to educate them and send regular reminders on how they can protect themselves and the company. Here are some reminders to share with your employees during regular staff meetings, on the company website, and through regular email communications.


1. Remain alert and cognizant of emotional responses. Social engineering perpetrators rely on the manipulation of human feelings to lure victims into their schemes. Fear, concern, curiosity, and urgency are the emotions most often provoked. Therefore, encourage employees to take note of any time they feel emotionally triggered or provoked by a text message, email, online ad, or phone call, and to use caution before taking action.


2. Do not open attachments or emails from unfamiliar sources. Remind your employees that if they don’t recognize the sender of a communication, they should not open or respond to the message. Even if they do recognize who the communication supposedly came from, if it seems suspicious they should check with IT before taking any action, since the email address may have been spoofed. Oftentimes, emails from scammers contain misspelled words and language that is uncommon for the supposed sender, giving the receiver pause and reason to check with the IT department on whether the communication is a spoof or not.


3. Use multifactor authentication. With the increase in cyber attacks and the desire for attackers to acquire a user’s credentials, more and more organizations and individuals are turning to multifactor authentication. Using multifactor authentication helps protect accounts and user credentials. Imperva Login Protect, WatchGuard, and Duo are all examples of multifactor authentication tools to increase security.


4. Be wary of offers that seem too good to be true. It’s a good idea to remind your employees that if an offer seems too good to be true, it most likely is. Individuals should use caution and conduct research when they’re enticed by offers. Simply conducting an online search for a specific topic can generally help you quickly determine if an offer is a spoof or legit.


5. Ensure employees regularly update their antivirus and antimalware software. It’s best to enable automatic updates on employees’ computers. As a company, you should be scanning systems for possible attacks and infections and checking periodically to ensure employees have the most recent updates installed.


6. Purchase cyber insurance. Cyber attacks can cost companies thousands of dollars, making it necessary for businesses to purchase cyber security insurance to mitigate risks. There are various policies available that cover the many different types of cyber attacks an entity might face, including social engineering.
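The sender-spoofing and urgency warning signs in reminders 1 and 2, and the executive-impersonation scenario from the spear phishing section, can be turned into a simple screening check that IT can run over inbound mail. The script below is an added example written for this article, not a tool from the original page or from KBI; the company domain, executive names, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed settings (assumptions for this example, not from the article).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}
URGENCY_WORDS = ("urgent", "immediately", "breach", "update your password", "verify your account")

# Constructed sample: spear phish impersonating the CFO with a password-reset link.
SAMPLE_PHISH = (
    "From: Jane Doe <jane.doe@example-corp-finance.com>\n"
    "Reply-To: accounts@mail-relay.example.net\n"
    "To: staff@example-corp.com\n"
    "Subject: URGENT: security breach in accounting software\n"
    "\n"
    "Please update your password immediately at https://example-corp.com.login.example.net/reset\n"
)

# Constructed sample: routine internal mail that should raise no signals.
SAMPLE_LEGIT = (
    "From: IT Helpdesk <helpdesk@example-corp.com>\n"
    "To: staff@example-corp.com\n"
    "Subject: Monthly newsletter\n"
    "\n"
    "The cafeteria menu is at https://intranet.example-corp.com/menu\n"
)

def phishing_signals(raw_message: str) -> list[str]:
    """Return the warning signs found in one raw email message string."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    signals = []
    # An executive's name in the display name, but the address is outside the company.
    if display_name.lower() in EXECUTIVE_NAMES and sender_domain != COMPANY_DOMAIN:
        signals.append(f"display name '{display_name}' used with external domain {sender_domain}")
    # Replies are silently redirected to a domain other than the visible sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        signals.append("Reply-To domain differs from From domain")
    # Fear/urgency language in the subject or body (reminder 1).
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        signals.append("urgency language: " + ", ".join(hits))
    # Links whose host is not the company's domain (the 'legitimate-looking site').
    for url in re.findall(r"https?://\S+", body):
        host = urlparse(url).hostname or ""
        if host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            signals.append(f"link to external host {host}")
    return signals
```

Note that the phishing sample's link host begins with the real company domain but ends elsewhere; the check compares the whole hostname, so the lookalike is still flagged.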


Since COVID, social engineering attacks have become more common and severe. Given the high cost associated with such attacks, it’s imperative that enterprises protect themselves and their employees as much as possible. Regularly sharing and implementing the tips above is a great step toward preventing social engineering. To take preventative measures a step further, KBI can design a strong cyber incident response plan for your organization and help you find the right cybersecurity insurance to make sure you are covered. For more information contact KBI.
