Are you too trusting?
It’s a question we all need to ask ourselves in the workplace. Because there are cyber criminals out there who are testing us again and again to see if we’ll take the bait and swallow their story. If we do, the consequences can be devastating for us personally and for our teams and organisations as a whole.
We’re talking about social engineering. This is one of the most insidious forms of cyber crime, because it taps into the things that make us human – trust, intrigue, delight, fear – and uses them as an invitation to criminal activity.
In this post, we’ll look at what social engineering is, the techniques employed by criminals – and how to fight back.
What Does Social Engineering Mean?
Social engineering in cyber security refers to a range of techniques criminals use to trick people into giving up confidential information, access to systems or money. All of these techniques aim to gain a victim’s trust. Once they have it, criminals use it to steal money or valuable information. Often, the social engineering is just the opening move: it provides the initial access for a ransomware campaign. (Find out more about ransomware prevention in our post.)
Unlike a simple click-here-and-your-computer-is-infected scam, it can play out over a longer period. Criminals may work at gaining a victim’s trust over minutes, hours, days or even months.
Why Do Hackers Use Social Engineering?
Well, here’s a depressing thing. Compared with a patched, firewall-protected system, a human being is the low-hanging fruit of the cyber-criminal world: it is usually cheaper and quicker to talk someone into opening the door than to break it down.
We’re just too trusting and credulous, which makes targeting us a substantial return on investment for the bad guys. This isn’t going away (in one form or another it’s been around as long as human beings have), so we all need to remain vigilant.
What are the 4 Types of Social Engineering?
The four most common types, plus a trend in criminal tooling that makes all of them more effective, are:
Email phishing
Typically, a user will receive a fake email purporting to be from a friend, family member or trusted organisation that requests personal information, access to systems or even money. Apparent authenticity builds trust, and scammers may use email templates that replicate a genuine source.
They may also encourage a victim to submit information to a fake website that imitates a well-known brand. Offshoots of phishing include spear phishing, which targets specific individuals or companies using personal data gathered about them in advance, and whaling, which uses the same tactics against high-level executives.
(Read more about how to spot a phishing email and see some real phishing examples sent to Intersys.)
Example: ‘Hey, Pete. I hate to ask this right now – I’m embarrassed to be honest – but could you deposit £950 into my account to cover the mortgage? I’ve had some personal issues I’ll go into when we catch up. Deets below.’
Vishing
Vishing is voice phishing: phishing by phone call or voicemail. However, it’s not just a change of medium – the tactics tend to be a bit different too. Typically, in a vishing scam the victim receives a call or voicemail from a purported authority such as a bank or government department, urging them to act quickly or face dire consequences from the law or (irony of ironies) from scammers.
For instance, the scammer may claim the victim’s account has been hacked and urge them to ‘reset’ their bank account details. The victim is told to call a phone number controlled by the scammer and enter personal information, which is then used to steal money.
Example: ‘This is a message from ACME Bank. We have reason to believe your bank account has been compromised by a hostile actor. It is imperative that you call the number below and reset your account to ensure account safety. Failure to do so will result in your being fully responsible for any loss of money.’
Read our post about vishing cybercrime.
Smishing
You can probably see where we’re going with this ‘ishing’ thing now… Smishing is SMS phishing, which uses text messages to trick users. Typically, an attacker asks the user to update account information via a link that leads to a fake website. The account is compromised as soon as the details are entered, because the scammer now holds the real credentials.
Example: ‘In changes to our policies, all customers must update account passwords monthly. Please click the link to change yours now.’
Remote access phishing
This technique often plays out over a live call. The criminal pretends to be from a legitimate organisation and asks you to click on a link or download an app; for instance, they may say they need to connect to your computer to cancel a fraudulent transaction on your account. What the victim actually installs is remote-control software, which hands the criminal control of the computer. From there they can harvest information, or even transfer money out of the account while the victim helpfully approves each step. This scam can also begin with a pop-up claiming your computer is infected with a virus and asking you to download ‘security’ software.
Example: ‘Hello, we’ve just had an alert to suggest there’s a fraudulent transaction on your account of £20,000. If we can access your account and clear this up in the next six minutes, we can stop the transaction.’
Phishing-as-a-service
Finally, this is a delivery method rather than a type of its own, but more and more criminals are using off-the-shelf ‘phishing-as-a-service’ kits such as EvilProxy. These present convincing replicas of genuine login pages to help criminals harvest clicks and log-in details. Kits of this kind work by relaying the victim’s traffic to the real site, so they can also capture the session cookie issued after a successful login. That means SMS or app-based one-time codes do not protect you against them; only phishing-resistant methods such as hardware security keys or passkeys do.
How Can I Prevent Social Engineering?
Never divulge information to anyone unless you are sure of their authenticity. Remember that caller ID, the sender name shown on an email and the email address itself can all be spoofed to appear genuine, so none of them is proof of who you are dealing with.
If in doubt, a good rule is to terminate the conversation and contact the person or organisation using their standard contact details (not using details given to you by the person who approached you).
On a company-wide level, you should seriously consider training your people in cyber security vigilance, to ensure there are no weak links in your organisation.
Also, watch out for the following four signs that you are on a scammer’s radar:
- Time pressure. It’s the oldest psychological play in the book, because panic makes us irrational. If someone asks you to do something immediately to secure a deal or to protect yourself from a threat, treat the urgency itself as the warning sign and slow down.
- Baiting. Are you being offered something unbelievable for performing an apparently innocent action? For instance, downloading an attachment for free bitcoin? Focus on the word ‘unbelievable.’ Don’t believe it.
- Unusual requests. If you are asked by a friend or business to do something they have never asked you to do before (send money, download a file, etc.), be sceptical.
- A clickable link. Think twice before clicking any link you are sent. Check where it really leads (on a computer, hover over it; on a phone, press and hold it) and, unless you are sure of its authenticity, type the organisation’s address into your browser yourself instead.
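For readers who want to see those warning signs turned into something a mail filter or help desk could actually run, here is an added example. It is not part of the original post and not Intersys’ code; it uses only the Python standard library. The two things it checks that a reader cannot see by eye are the Authentication-Results header, which your own receiving mail server writes with the SPF/DKIM/DMARC outcome (trust it only if you know your server added it, since a sender can insert a fake one), and whether the visible text of a link matches where the link really goes. The sample message, its domains, names and header values are all constructed for the example, and the keyword lists are illustrative starting points rather than a tuned ruleset.

```python
"""Added example (not from the original post): score a raw email for the four
social-engineering signs above using only the Python standard library.
The sample message, its domains and the keyword lists are all constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative phrases for three of the four signs; the fourth (a clickable
# link) is checked structurally below. Assumption: tune these for your own use.
TIME_PRESSURE = ("immediately", "within 24 hours", "urgent", "right now", "final notice", "suspended")
BAIT = ("free bitcoin", "you have won", "prize", "gift card", "reward")
UNUSUAL_REQUEST = ("password", "bank details", "transfer", "deposit", "wire", "download the attachment")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
URL_LIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def email_domain(addr):
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def base_domain(host):
    """Crude registrable domain (last two labels). Real code should use the
    Public Suffix List; this example deliberately keeps it simple."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(raw_message):
    """Return a list of (sign, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = email_domain(from_addr)

    # Replies quietly redirected away from the apparent sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and email_domain(reply_addr) != from_dom:
        findings.append(("reply_to_mismatch", f"from {from_dom}, replies go to {email_domain(reply_addr)}"))

    # Spoofed sender: the receiving server's SPF/DKIM/DMARC verdicts. Only
    # meaningful if your own server added this header and strips incoming ones.
    auth = str(msg.get("Authentication-Results", "")).lower()
    failed = [check for check in ("spf=fail", "dkim=fail", "dmarc=fail") if check in auth]
    if failed:
        findings.append(("auth_failure", ", ".join(failed)))

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    haystack = (str(msg.get("Subject", "")) + " " + TAG_RE.sub(" ", html)).lower()

    # Clickable links: does the visible text go where it claims to?
    for href, label in LINK_RE.findall(html):
        real_host = urlparse(href).hostname or ""
        if IPV4_RE.fullmatch(real_host):
            findings.append(("ip_literal_link", href))
        label = TAG_RE.sub("", label).strip()
        if URL_LIKE_RE.fullmatch(label):
            shown = urlparse(label if "://" in label else "http://" + label).hostname or ""
            if base_domain(shown) != base_domain(real_host):
                findings.append(("link_text_mismatch", f"shows {shown}, goes to {real_host}"))

    # Time pressure, baiting and unusual requests: plain phrase matching.
    for sign, phrases in (("time_pressure", TIME_PRESSURE), ("bait", BAIT), ("unusual_request", UNUSUAL_REQUEST)):
        hits = [p for p in phrases if p in haystack]
        if hits:
            findings.append((sign, ", ".join(hits)))
    return findings


def verdict(findings, threshold=3):
    """Decision rule: three or more independent signs means stop and verify."""
    return "likely social engineering" if len(findings) >= threshold else "no strong signs"


# Constructed sample: a fake bank alert of the kind described in the post.
PHISHING_EMAIL = """\
From: ACME Bank Security <alerts@acme-bank-verify.example>
Reply-To: support@mailbox-helpdesk.example
To: pete@example.org
Subject: Action required: your account will be suspended within 24 hours
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=acme-bank-verify.example; dkim=none; dmarc=fail header.from=acme-bank-verify.example
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We have detected a fraudulent transaction. You must verify your account
<b>immediately</b> or it will be suspended.</p>
<p><a href="http://198.51.100.23/login">https://www.acme-bank.example/secure</a></p>
<p>Please also confirm your password by reply.</p>
</body></html>
"""

if __name__ == "__main__":
    found = analyse(PHISHING_EMAIL)
    print(verdict(found))
    for sign, detail in found:
        print(f"  {sign}: {detail}")
```

Run against the constructed message, every one of the four signs fires, along with the two header checks, so the verdict is ‘likely social engineering’. The point of the structural checks is that they do not depend on the wording at all: a link whose visible text names your bank but whose target is a bare IP address is suspect however polite the email is.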
I’d Like to See Some Social Engineering Scammers Get Busted – for Purely Educational Reasons, of Course
After a post packed with examples of scammers betraying people’s good nature, you might like to indulge in a little social (and poetic) justice by discovering that scammers get scammed too. The hugely popular YouTube channel Scammer Payback reels in the bad guys and turns the tables on them, for instance by locking down their call centres or seizing control of their computers. Is watching these videos an exercise in schadenfreude? Absolutely not – purely educational! 🙂 But, seriously, watching how these criminals operate provides real insight into the approaches and behaviours to look out for.
Finally, for those who’d like to delve further into the subject of social engineering in cyber security, here’s a fascinating article about how a man dubbed ‘the world’s most famous hacker’ used social engineering.
If you’ve been the victim of social engineering that led to a ransomware threat, find out more about Intersys’ ransomware data recovery services.
Intersys also provides security operation centre services as well as wider cyber security services support for organisations looking for robust, cost-effective cyber security.
You can also sign up to our Cyber Security Monitor newsletter here to receive regular updates on live scams, industry news and security-bolstering advice and tips.