Social Engineering is the use of deception to manipulate others into releasing confidential information. Cybercriminals are preying on the weaknesses of human nature, rather than actively trying to penetrate your network. Phishing is one of the most common form of social engineering and attacks are becoming more complex everyday. It’s important to keep yourself and your team aware of the signs.
Spear phishing is a scam and you are the target. It is an email that appears to come from a business or someone that you know, but in reality, it is malicious in form and seeks to obtain sensitive information (bank account numbers, passwords, financial information, etc.). In order to appear legitimate, the hacker will try to learn as much about you as they can, to prey on your emotions. They will examine your social profiles and search your name on Google until they’ve found every last piece of information about you on the internet.
Once the spear phisher has this information – they are ready to go! The next email to you will probably use your first name, reference a “mutual friend,” how great you looked on vacation, and congratulate you on finishing first in your age group in the local 5K.
Whaling attacks have been identified by hackers as the “golden goose.” These emails target executive level employees, like CEOs or accounting professionals, who have the ability to authorize transactions. Along with that, not every executive is a target. Victims are selected based on their access level within the company.
Whaling emails typically include the victim’s name, job titles, and some kind of content that appears legitimate. On top of that, whaling emails tend to be more difficult to detect because they don’t have hyperlinks or malicious attachments. They rely on tactics that depend on human interaction to trap their targets.
When it comes to CEO fraud the victims are lower level employees and the cybercriminal is posing as an Executive. In order to do this, the hacker has to figure out the internal relationship between the victim and the executive that appears to be emailing them. For example, an executive assistant receives an email from his or her “CEO” telling them to make a large purchase, when it isn’t actually their boss.
Clone phishing occurs when the hacker alters a message the victim has already received by creating a malicious virtual replica of it. Any attachments within the original email are swapped out for malicious ones. In most cases, the contents of the email will explain that it needed to be re-sent because of an issue with links or attachments enclosed. This entices end users to open and click and unfortunately, it works.
Other Kinds of Phishing
Wi-Fi – Evil Twin
Evil Twin phishing capitalizes on Wi-Fi networks. This kind of phishing occurs when the phisher creates a “rogue” access point that is posing as legitimate, in an effort to gain sensitive personal information from end users without them even knowing. Access like this allows the hacker to eavesdrop on the victim’s network traffic to steal their account names and passwords. They can also view any attachments the user looks at while on the compromised network. This type of attack frequently occurs in places where public Wi-Fi is heavily used.
SMS – Smishing
As technology evolves, so does phishing. There’s no denying that most people spend a vast majority of time looking at their phones. You must be aware of is SMS phishing, or smishing. If you ever receive a text from a verified corporation like Taco Bell or Ticketmaster, delete it. Cybercriminals will try to lure end users into downloading malicious playloads by sending texts that contain bad URLs for them to click on. This could appear as a promotional offer or coupon code. When in doubt of a texts identity, don’t respond.
October is cybersecurity month and there’s no better time than now to protect yourself from Social Engineering. Contact The TNS Group today for more help.