
The Emotional Lure of Social Engineering

Social engineering can sound quite alluring to some.  The word “social” tends to have a positive connotation as it relates to our personal and professional lives.  Put the word engineering after it and it might remind you to call some of your IT friends and schedule a night out. Unfortunately, social engineering in the cyber world is vastly different.

So, what is social engineering?  It is the art of manipulating others into releasing confidential information.  Cyber criminals focus on the trusting nature of people rather than on weaknesses in the technology infrastructure, and their tactics can be so convincing that employees willingly hand over passwords or the information needed to access their company’s systems, without any awareness that they have just been exploited. It is an art, and educating your employees is vital.

It is important that employees are aware of the types of attacks that are out there.  To take it a step further, they should look at all types of correspondence with a suspicious eye.  Below are some common social engineering attacks, but be aware that hackers are always one step ahead of the game.  One attack today may be surpassed by another tomorrow.

The most common forms of social engineering include spear phishing, baiting, quid pro quo, and email attachments from a so-called friend.

Phishing Schemes

If you are a committed reader of our blogs, you have come across phishing schemes more than a few times.  Phishing is the leading form of social engineering attack, typically delivered in the form of an email from a (seemingly) trustworthy source.  Cyber criminals may claim that the end user is the “winner” of a grand prize or may ask for a charitable donation after a nationwide disaster or tragedy takes place (complete with wiring instructions).  Regardless, these scams vary in their complexity and in the attacker’s objectives, with spear phishing and whaling being the more sophisticated forms of phishing.

Spear phishing is a targeted approach that uses an email which appears to come from a business or a person you know but is in reality malicious and seeks to obtain sensitive information (bank account numbers, passwords, financial information, etc.), usually under pressure of a deadline. Pretexting is similar to spear phishing, but instead of relying on “urgency” it builds a false sense of trust with the end user by impersonating a co-worker or employer to gain sensitive information. Whaling refers to going after a potentially large target, generally executives or high-level accounting professionals who have the authority to approve large transactions.

Spoofing uses e-mail sent from spoofed or similar-sounding domain names to make it appear as though these emails were sent from senior executives of a victim’s company. This tactic is often used in conjunction with spear phishing in order to add the appearance of legitimacy.
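As an added example (not code from the original post), the following Python check shows how a mail gateway or triage script can flag a sender domain that resembles, but is not, your own. It assumes a placeholder domain of example.com; the helper functions and sample headers are constructed for illustration.

```python
# Added example (not from the original post): flag inbound mail whose sender
# domain merely resembles the organisation's real one. "example.com" is an
# assumed placeholder for your own domain; all sample headers are constructed.
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # placeholder, not a real deployment value

# Character sequences that are easily mistaken for the real thing
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}

def normalise(domain):
    """Fold common look-alike substitutions so 'examp1e.c0m' reads as 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance (dynamic programming), used to catch one-letter typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, our_domain=OUR_DOMAIN):
    """Classify a raw From: header as internal, lookalike, external or malformed."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    domain = addr.rpartition("@")[2].lower()
    if domain == our_domain:
        return "internal"
    base = our_domain.split(".")[0]
    if our_domain in domain or base in domain.split("."):
        return "lookalike"          # e.g. example.com.login-portal.net or example.co
    if normalise(domain) == our_domain or edit_distance(domain, our_domain) <= 2:
        return "lookalike"          # e.g. examp1e.com, exarnple.com, exmaple.com
    if name and base in name.lower():
        return "lookalike"          # display name claims to be us, the address does not
    return "external"
```

The display-name check is a heuristic and will be noisy if your domain's first label is a common word; tune it to your own domain before relying on it.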


Baiting

Baiting is similar to phishing, but it involves enticing the end user with something of interest in exchange for private data. Baiters may offer users free music or movie downloads if they surrender their personal login credentials.  What better way to pass time at work than with free music, right?

Baiting can also come in physical forms, such as a corporate-branded flash drive labeled with something directly related to your work or department.  The most documented baiting attack occurred in 2006 and is still relevant today, as USB drives are still alive and kicking in the workplace.  In that case, USB drives were intentionally infected and scattered in the employee parking lot of a financial institution.  Have you ever heard the phrase “curiosity killed the cat”?

Email Attachments from a “Friend”

If a hacker can break into your email, they can access your contacts and send malicious email that appears to come from someone you know. Recently there have been some issues regarding potentially malicious attachments in email. These malicious emails vary in subject and are usually titled to draw attention (IRS, invoices, billing, etc.). Anything that asks you to perform additional actions or tasks should be considered more carefully. In today’s world, you should work under the assumption that all attachments are hostile until proven otherwise.

One of the most common means by which a computer is compromised is through email attachments. When opened, these attachments can give hackers complete control of your machine and in turn, control over other machines in your environment, servers and networks.

Below are a few guidelines to follow as it relates to email attachments:

  1. Don’t open “surprise attachments” (something that you are not expecting).
  2. If you don’t know the person sending the attachment, don’t open it.
  3. Only open attachments with recognizable file extensions, e.g., Excel or Word documents (avoid .exe, .pif, .scr, .docm, .lotterywinner, etc.).
  4. Don’t open attachments to emails that appear incomplete, incoherent, or simply “look wrong.”
  5. Zip and PDF files should be looked at with scrutiny prior to opening as they are key players in transferring malicious content.
  6. If you are unsure of the attachment, don’t open it.
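The guidelines above, turned into an added Python triage function (not from the original post). It assumes the extension sets shown, which extend the post's examples with other well-known executable and container types, and the sample filenames are constructed.

```python
# Added example (not from the original post): apply the attachment guidelines
# above as a triage function. Extension sets extend the post's examples with
# other well-known executable types; all sample filenames are constructed.

# Types that execute code or macros when opened (post lists .exe .pif .scr .docm)
BLOCK_EXT = {".exe", ".pif", ".scr", ".docm", ".xlsm", ".js", ".vbs", ".bat",
             ".cmd", ".hta", ".lnk", ".iso", ".jar"}
# Containers the post says to scrutinise before opening
SCRUTINY_EXT = {".zip", ".7z", ".rar", ".pdf"}
# Ordinary document types the post treats as recognisable
OK_EXT = {".docx", ".xlsx", ".pptx", ".txt", ".csv", ".jpg", ".png"}

def assess_attachment(filename, expected, sender_known):
    """Return (verdict, reasons); verdict is 'block', 'scrutinise' or 'allow'."""
    reasons = []
    if "\u202e" in filename:          # right-to-left override reverses the visible name
        reasons.append("filename contains a right-to-left override character")
    name = filename.rstrip()          # trailing spaces push the real extension out of view
    if name != filename:
        reasons.append("filename padded with trailing whitespace")
    parts = name.lower().split(".")
    exts = ["." + p for p in parts[1:] if p]
    final = exts[-1] if exts else ""
    if final in BLOCK_EXT:
        reasons.append(f"executable or macro-enabled type {final}")
    elif final not in SCRUTINY_EXT | OK_EXT:
        reasons.append(f"unrecognised extension {final or '(none)'}")
    if len(exts) > 1 and exts[-2] in OK_EXT | SCRUTINY_EXT:
        reasons.append("double extension disguises the real type")  # invoice.pdf.exe
    if not expected:
        reasons.append("attachment was not expected (guideline 1)")
    if not sender_known:
        reasons.append("sender is not known (guideline 2)")
    if reasons:
        return "block", reasons
    if final in SCRUTINY_EXT:
        return "scrutinise", [f"container type {final}: scan it before opening (guideline 5)"]
    return "allow", []

if __name__ == "__main__":
    samples = [("Q3-budget.xlsx", True, True), ("invoice.pdf.exe", True, True),
               ("statement.pdf", True, True), ("notes.docx", False, True)]
    for fname, expected, known in samples:
        print(fname, assess_attachment(fname, expected, known))
```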

These threats are mitigated by your spam filter; however, no spam solution is foolproof. Mail attachments should be treated with a degree of caution. Everyone is fair game, no matter how big or small your company is.

Quid Pro Quo

I give you something, you give me something, and we are even.  Not so fast. If you are contacted at work and told that you will receive a $500 gift card if you provide your credentials so that an “IT specialist” can scan your network, it is too good to be true.  Please note that the most common type of quid pro quo attack involves hackers impersonating IT staff.  Less sophisticated forms of the attack have involved trading passwords for free chocolate.  That one may date back to 2004, but our love of chocolate remains, so consider this a friendly reminder.

“If I educate my employees, we should be good, right?”

As noted, educating your employees about the latest attacks and what to look out for is extremely important.  However, locking down your networks should not be taken lightly.  It is important to make any form of hacking as difficult as possible.  Working with a reputable Managed Security Provider (MSP) will ensure the following:

  1. Software updates are installed on all computers when released
  2. Network security is managed through anti-virus software and other features that prevent unauthorized access
  3. A managed backup and disaster recovery (BDR) solution is in place
  4. Anti-spam filters are put in place to eliminate certain emails before they even get to your end users

These services are extremely important to the health of your business.  Proper network security minimizes downtime and lost revenue.  To ensure that your network is properly secured, contact The TNS Group today and reduce your risk of a cyberattack.

By:  John Prenderville, Client Services, The TNS Group