Social Engineering is the use of deception to manipulate others into releasing confidential and personal information. This personal information can include anything from credit card numbers to email addresses to personal details about a banking account like your username and password. Cybercriminals are preying on the weaknesses of human nature, rather than actively trying to penetrate your network.

This kind of attack doesn’t require any sort of technical skill. It’s based on emotional manipulation. There are also multiple forms of this kind of attack, and new ones are developing every day.

Phishing is one of the most common forms of social engineering, and the attacks are becoming more complex every day. It’s important to keep yourself and your team aware of the signs.

Email Attacks


Spear Phishing

Spear phishing is a scam and you are the target. It is an email, or phishing message, that appears to come from a business or someone that you know, but in reality, it is malicious in form and seeks to obtain sensitive information (bank account numbers, passwords, financial information, etc.). 

In order to appear legitimate, the hacker will try to learn as much about you as they can, to prey on your emotions. They will examine your social profiles and search your name on Google until they’ve found every last piece of information about you on the internet.

Once the spear phisher has this information – they are ready to go! The next email to you will probably use your first name, reference a “mutual friend,” how great you looked on vacation, and congratulate you on finishing first in your age group in the local 5K.


Whaling

Whaling is a type of phishing attack that hackers regard as the “golden goose.” These emails target executive-level employees, like CEOs or accounting professionals, who have the ability to authorize transactions. That said, not every executive is a target. Victims are selected based on their access level within the company.

Whaling emails are phishing emails that typically include the victim’s name, job titles, and some kind of content that appears legitimate. On top of that, whaling emails tend to be more difficult to detect because they don’t have hyperlinks or malicious attachments. They rely on tactics that depend on human interaction to trap their targets.


CEO Fraud

When it comes to CEO fraud the victims are lower level employees and the cybercriminal is posing as an Executive. In order to do this, the hacker has to figure out the internal relationship between the victim and the executive that appears to be emailing them. For example, an executive assistant receives an email from his or her “CEO” telling them to make a large purchase, when it isn’t actually their boss.


Clone Phishing

Clone phishing occurs when the hacker alters a message the victim has already received by creating a malicious virtual replica of it. Any attachments within the original email are swapped out for malicious ones. In most cases, the contents of the email will explain that it needed to be re-sent because of an issue with links or attachments enclosed. This entices end users to open or click on a link, and unfortunately, it works.

Other Kinds of Phishing


Wi-Fi – Evil Twin

Evil Twin phishing capitalizes on Wi-Fi networks. This kind of phishing occurs when the phisher creates a “rogue” access point that is posing as legitimate, in an effort to gain sensitive personal information from end users without them even knowing. 

Access like this allows the hacker to eavesdrop on the victim’s network traffic to steal their account names and passwords. They can also view any attachments the user looks at while on the compromised network. This type of attack frequently occurs in places where public Wi-Fi is heavily used.

SMS – Smishing

As technology evolves, so do phishing attempts. There’s no denying that most people spend the vast majority of their time looking at their phones. One thing you must be aware of is SMS phishing, or smishing. If you ever receive a text that claims to come from a well-known corporation like Taco Bell or Ticketmaster, delete it.

Cybercriminals will try to lure end users into downloading malicious payloads by sending texts that contain bad URLs or links to fake websites for them to click on. This could appear as a promotional offer or coupon code. When in doubt about who actually sent a text message, don’t respond.

What you can do

One of the best ways to avoid falling victim to a social engineering attack is education and common sense. There are a lot of signs of these attacks. One example is a sender email address that is incorrect or misspelled. Additionally, if there is incorrect grammar or bad spelling within the email, it is most likely fake.
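The two signs above, a misspelled or lookalike sender domain and an executive’s name on a message from an outside address (the CEO fraud pattern described earlier), can be checked mechanically before a message ever reaches an inbox. The following is an added example written for this page, not code from The TNS Group or from any product; the company domain, trusted domains, executive names and sample From: headers are all constructed for illustration.

```python
"""Added example (not from the original post): flag sender addresses that are
misspelled lookalikes of trusted domains, and messages whose display name
matches an executive while the address is outside the company.
Every domain, name and header below is constructed for illustration."""

# Constructed configuration (hypothetical): the organisation's own domain,
# the domains it legitimately corresponds with, and the executives whose
# names are commonly impersonated in CEO-fraud emails.
COMPANY_DOMAIN = "example-corp.test"
TRUSTED_DOMAINS = {COMPANY_DOMAIN, "bank-example.test", "supplier-example.test"}
EXECUTIVE_NAMES = {"jane doe", "john roe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str) -> tuple[str, str]:
    """Split a From: value like 'Jane Doe <jane@x.test>' into (display name, address)."""
    header = header.strip()
    if "<" in header and header.endswith(">"):
        name, _, addr = header.rpartition("<")
        return name.strip().strip('"'), addr[:-1].strip().lower()
    return "", header.lower()


def check_sender(from_header: str) -> list[str]:
    """Return the warning signs found in one From: header (empty list = none)."""
    name, addr = parse_from(from_header)
    domain = addr.rpartition("@")[2]
    findings = []
    if domain not in TRUSTED_DOMAINS:
        # A domain one or two edits away from a trusted one is a likely
        # lookalike: a doubled letter, a swapped pair, 'rn' in place of 'm'.
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < edit_distance(domain, trusted) <= 2:
                findings.append(f"lookalike domain {domain!r} resembles {trusted!r}")
        # An executive's name on an external address is the CEO-fraud pattern.
        if name.lower() in EXECUTIVE_NAMES:
            findings.append(
                f"display name {name!r} matches an executive but address is external ({domain})"
            )
    return findings


# Constructed sample headers, annotated with what the checker should report.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-corp.test>",         # legitimate internal mail
    "Accounts Payable <ap@bank-exarnple.test>",      # 'rn' in place of 'm'
    "Jane Doe <ceo.janedoe@freemail-example.test>",  # executive name, outside address
    "Newsletter <news@unrelated-example.test>",      # external, but nothing flagged
]


def triage(headers: list[str]) -> dict[str, list[str]]:
    """Run check_sender over every header and keep only those with findings."""
    flagged = {}
    for header in headers:
        findings = check_sender(header)
        if findings:
            flagged[header] = findings
    return flagged


if __name__ == "__main__":
    for header, findings in triage(SAMPLE_HEADERS).items():
        print(header)
        for finding in findings:
            print("  -", finding)
```

The edit-distance threshold of two is a deliberate trade-off: it catches the common one- and two-character substitutions while leaving clearly unrelated domains (such as a newsletter sender) unflagged, so the output is a short list a person can review rather than noise. A real mail gateway would feed such findings into its quarantine or banner logic; here the point is only that the signs the article tells readers to look for are checkable by a machine as well.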

One solution that can help keep your team on their toes is Security Awareness Training. This kind of solution educates your team by sending them simulated phishing emails. If an employee winds up clicking a link or downloading a malicious document, they will be notified and shown an educational landing page. They will then continue to be phish-tested until they no longer fall for the attacks.

October is cybersecurity month and there’s no better time than now to protect yourself from Social Engineering. Contact The TNS Group today for more help.
