Are you too trusting?
It’s a question we all need to ask ourselves in the workplace, because there are cyber criminals out there who are testing us again and again to see if we’ll take the bait and swallow their story. If we do, the consequences can be devastating for us personally and for our teams and organisations as a whole.
We’re talking about social engineering. This is one of the most insidious forms of cyber crime, because it taps into the things that make us human – trust, intrigue, delight, fear – and uses them as an invitation to criminal activity.
In this post, we’ll look at what social engineering is, the techniques employed by criminals – and how to fight back.
What Does Social Engineering Mean?
Social engineering in cyber security refers to a number of techniques criminals use to trick people into giving up valuable confidential information. All of these techniques aim to gain a victim’s trust. Once they have that trust, criminals use it to steal money or valuable information. Often, they’ll use social engineering as the opening move of a ransomware campaign. (Find out more about ransomware prevention in our post.)
Typically, it plays out over a longer period than a simple click-here-and-your-computer-is-infected scam. Criminals may work at gaining a victim’s trust over minutes, hours, or even days and months.
Why Do Hackers Use Social Engineering?
Well, here’s a depressing thing. Compared to secure, firewall-protected systems, human beings are considered the low-hanging fruit of the cyber-criminal world.
We’re just too trusting and credulous, which makes targeting us a substantial return on investment for the bad guys. This is something that isn’t going away (in one form or another it’s been around as long as human beings), so we all need to remain vigilant.
What are the 4 Types of Social Engineering?
Four of the most common types include:
Email phishing
Typically, a user will receive a fake email from a friend, family member or trusted organisation that requests personal information, access to systems or even money. Apparent authenticity builds trust, so these scammers may use email templates that replicate a genuine source.
They may also encourage a victim to submit information to a fake website that replicates a well-known brand. Offshoots of phishing scams include spear phishing – targeting individuals and companies using personal data about their targets – and whaling, which uses phishing tactics to target high-level executives.
(Read more about how to spot a phishing email and see some real phishing examples sent to Intersys.)
Example: “Hey, Pete. I hate to ask this right now – I’m embarrassed to be honest – but could you deposit £950 into my account to cover the mortgage? I’ve had some personal issues I’ll go into when we catch up. Deets below.”
Vishing
Vishing is phishing via voicemail. However, it’s not just a change of medium – the tactics tend to be a bit different too. Typically, in vishing scams a victim receives a voicemail from a purported authority such as a bank or government department, encouraging them to act quickly or face dire consequences from the law or (irony of ironies) scammers.
For instance, the scammer may urge the victim to reset their bank account details by claiming their account has been hacked. The scammer then urges the victim to call a phone number and enter personal information, which can be used to steal money.
Example: “This is a message from ACME Bank. We have reason to believe your bank account has been compromised by a hostile actor. It is imperative that you call the number below and reset your account to ensure account safety. Failure to do so will result in your being fully responsible for any loss of money.”
Read our post about vishing cybercrime.
Smishing
You can probably see where we’re going with this “ishing” thing now… Smishing is SMS phishing, which uses text messages to trick users. Typically, an attacker will ask a user to update account information via a link that sends them to a fake website. The account is compromised as soon as the information is entered.
Example: “In changes to our policies, all customers must update account passwords monthly. Please click the link to change yours now.”
Remote access phishing
This particular phishing technique often plays out via a live call. The criminal will pretend to be from a legitimate organisation and ask you to click on a link or download an app. For instance, they may say they need to connect to your computer to cancel a fraudulent transaction on your account. By clicking, the victim hands control of the computer to the criminal, who can begin harvesting information for criminal purposes – or even transferring money out of your account with your help. This scam can also begin with a pop-up saying you have been infected with a virus and asking you to download software.
Example: “Hello, we’ve just had an alert to suggest there’s a fraudulent transaction on your account of £20,000. If we can access your account and clear this up in the next six minutes, we can stop the transaction.”
Phishing-as-a-service
Finally, more and more criminals are using off-the-shelf “phishing-as-a-service” technologies such as EvilProxy. These create sophisticated replicas of genuine websites to help criminals harvest clicks and login details.
How Can I Prevent Social Engineering?
Never divulge information to anyone unless you are 100% sure of their authenticity. Remember – caller ID and email addresses can be spoofed to appear genuine.
If in doubt, a good rule is to terminate the conversation and contact the person or organisation according to their standard contact details (not via details given to you by someone who has approached you).
On a company-wide level, you should seriously consider training your people in cyber security vigilance, to ensure there are no weak links in your organisation.
Also, watch out for the following four signs that you are on a scammer’s radar:
- Time pressure. It’s the oldest psychological play in the book, because panic makes us irrational. If someone asks you to do something immediately to secure a deal, or to protect yourself from a threat, almost always walk away.
- Baiting. Are you being offered something unbelievable for performing an apparently innocent action? For instance, downloading an attachment for free bitcoin? Focus on the word “unbelievable.” Don’t believe it.
- Unusual requests. If you are asked by a friend or business to do something they have never asked you to do before – send money, download a file, etc. – be sceptical.
- A clickable link. Think twice before agreeing to any request to click on a link. Only if you are 100% sure of authenticity should you proceed.
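The four signs above can be turned into a simple triage check. The following Python script is an added example, not code from the original post or from Intersys: it scores a message for each of the four signs (time pressure, baiting, unusual requests, a link or callback number) and returns the action the post recommends. The sample messages paraphrase the scam examples quoted earlier plus one constructed benign control, and the keyword lists are assumptions for illustration rather than a vetted phishing corpus.

```python
import re

# Constructed sample messages for this example. The first four paraphrase the scam
# examples quoted in the post; "benign" is a constructed control with no warning signs.
SAMPLES = {
    "email": ("Hey, Pete. I hate to ask this right now, but could you deposit £950 "
              "into my account to cover the mortgage? Deets below."),
    "vishing": ("This is a message from ACME Bank. We have reason to believe your bank "
                "account has been compromised. It is imperative that you call the number "
                "below and reset your account. Failure to do so will result in your being "
                "fully responsible for any loss of money."),
    "smishing": ("In changes to our policies, all customers must update account passwords "
                 "monthly. Please click the link to change yours now."),
    "remote": ("Hello, we've just had an alert to suggest there's a fraudulent transaction "
               "on your account of £20,000. If we can access your account and clear this "
               "up in the next six minutes, we can stop the transaction."),
    "benign": "Hi Pete, the minutes from Tuesday's meeting are in the shared folder as usual.",
}

# The four warning signs from the post, each expressed as a list of regexes.
# These word lists are assumptions for the example, not a vetted phishing corpus.
SIGNS = {
    "time_pressure": [
        r"\bimmediately\b", r"\bright now\b", r"\burgent", r"\bimperative\b",
        r"\bnext \w+ minutes\b", r"\bfailure to do so\b", r"\bact (?:quickly|now)\b",
        r"\bnow\b",
    ],
    "baiting": [
        r"\bfree\b", r"\bbitcoin\b", r"\bprize\b", r"\byou(?:'ve| have) won\b",
        r"\bgift card\b",
    ],
    "unusual_request": [
        r"£\s?\d", r"\$\s?\d", r"\bdeposit\b", r"\btransfer\b", r"\bpassword",
        r"\breset\b", r"\bdownload\b", r"\baccess your (?:account|computer)\b",
        r"\bconnect to your computer\b",
    ],
    "link_or_callback": [
        r"https?://", r"\bwww\.",
        r"\b(?:click|follow|open|tap) (?:on )?(?:the|this) link\b",
        r"\b(?:call|ring) the number below\b",
    ],
}


def verdict_for(score: int) -> str:
    """Map the number of distinct signs that fired to the action the post recommends."""
    if score >= 2:
        return "stop: verify via the organisation's published contact details"
    if score == 1:
        return "caution: be sceptical before acting"
    return "no warning sign detected"


def assess(message: str) -> dict:
    """Check one message against the four warning signs; report which patterns fired."""
    hits = {}
    for sign, patterns in SIGNS.items():
        hits[sign] = [p for p in patterns if re.search(p, message, re.IGNORECASE)]
    # Score counts distinct signs, not individual keyword matches, so one sign
    # with many trigger words still counts once.
    score = sum(1 for matched in hits.values() if matched)
    return {"hits": hits, "score": score, "verdict": verdict_for(score)}


def flagged(samples: dict) -> dict:
    """Return name -> score for every sample showing two or more warning signs."""
    scored = {name: assess(text)["score"] for name, text in samples.items()}
    return {name: score for name, score in scored.items() if score >= 2}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = assess(text)
        fired = [sign for sign, matched in result["hits"].items() if matched]
        print(f"{name:9s} score={result['score']} signs={fired} -> {result['verdict']}")
```

Run as a script, it prints one line per sample; all four scam examples show at least two signs and the benign control shows none. The point of counting distinct signs rather than keywords is that a single urgent word in an ordinary message should rate only "caution", while urgency combined with a money request or a link is the combination the post tells you to walk away from.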
I’d Like to See Some Social Engineering Scammers Get Busted – for Purely Educational Reasons, of Course
After a post packed with examples of scammers betraying people’s good nature, you might like to indulge in a little social (and poetic) justice by discovering that scammers get scammed too. A hugely popular YouTube channel, Scammer Payback, reels in the bad guys and turns the tables on them – for instance by locking down their call centres or seizing control of their computers. Is watching these videos an exercise in schadenfreude? Absolutely not – purely educational! But, seriously, watching how these criminals operate provides real insights into the kind of approaches and behaviours to look out for.
Finally, for those who’d like to delve further into the subject of social engineering in cyber security, here’s a fascinating article about how a man dubbed “the world’s most famous hacker” used social engineering.
If you’ve been the victim of social engineering that led to a ransomware threat, find out more about Intersys’ ransomware data recovery services.
Intersys also provides security operation centre services as well as wider cyber security services support for organisations looking for robust, cost-effective cyber security.
You can also sign up to our Cyber Security Monitor newsletter here to receive regular updates on live scams, industry news and security-bolstering advice and tips.