A social engineer’s bag of tricks is filled with techniques that persuade the target to hand over login credentials and other sensitive information. Whereas the traditional hacker uses sophisticated software, social engineering scammers employ psychological tactics. When mother would tell us “don’t talk to strangers” when we were little, she knew what she was talking about. The age old tactic for safety can now be applied in a work setting.
Below are seven social engineering scams your staff should be trained to spot:
1. Phishing
The most popular of all social engineering scams, phishing leverages email. A scam artist will send an email that, at first glance, looks to be from PayPal or another legitimate source. The goal of phishing is to convince the recipient to divulge confidential information. Ultimately, this can be used to commit fraud or full-on identity theft.
How do you identify phishing scams?
Requests for sensitive data: Phishing scams attempt to trick recipients into revealing personal or financial data, either by requesting it directly in the message or by directing them to a rogue site where they enter their data into a form. No legitimate business will ever ask for passwords or usernames via email. Any such request should immediately raise a red flag.
Suspicious attachments: Some phishing ploys aim to compromise the system via email attachments. These attachments often harbor malicious files that when executed, unload the infection onto your computer. Again, few companies will send unsolicited emails with unexpected files. It’s best to ignore emails with attachments from unknown sources.
Inconsistent URLs: Scammers have become very clever at crafting phishing emails. Sometimes, the only way to spot them is by the URLs they contain. The link you’re instructed to click may appear genuine, but a quick hover of the mouse over the link may reveal that it leads to an entirely different domain. Mismatched URLs are almost always a dead giveaway.
Sense of urgency: Phishing scams are infamous for claiming that you’ll suffer some sort of harsh consequence if you don’t act now. This trick is designed to force you to make a rash decision on emotion rather than common sense. Recognize this tactic and you’ll be less likely to fall prey to giving up information.
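The four red flags above, turned into a simple screening check that a mail gateway or awareness tool could run over a message. This is an added example, not code from the original article; the sample message, the phrase lists and the risky-extension list are constructed assumptions for illustration, not a vetted rule set.

```python
import re
from urllib.parse import urlparse

# Constructed sample phishing-style message (not a real e-mail): urgent tone, a
# request to confirm a password, a link whose text and target disagree, and a
# double-extension attachment.
SAMPLE_HTML = (
    '<p>Final notice: your account will be suspended within 24 hours.</p>'
    '<p>Please <a href="http://paypal-secure-login.example.net/verify">'
    'https://www.paypal.com/login</a> and confirm your password.</p>'
)
SAMPLE_ATTACHMENTS = ["invoice.pdf.exe"]
# Illustrative phrase and extension lists (assumptions, not a vetted rule set).
URGENCY = ("act now", "within 24 hours", "immediately", "will be suspended", "final notice")
CREDENTIAL_WORDS = ("password", "username", "verify your account", "confirm your password")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta", ".lnk")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"^(?:[a-z]+://)?[\w-]+(?:\.[\w-]+)+(?:[/:?#].*)?$", re.I)

def _host(value):
    """Hostname of a URL or URL-looking link label, lowercased ('' if none)."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def mismatched_links(html_body):
    """(shown host, real host) pairs where the link text names a different host."""
    bad = []
    for href, label in ANCHOR.findall(html_body):
        label_text = re.sub(r"<[^>]+>", "", label).strip()
        if URL_LIKE.match(label_text) and _host(label_text) != _host(href):
            bad.append((_host(label_text), _host(href)))
    return bad

def phishing_flags(html_body, attachments=()):
    """Return the article's four red flags that this message exhibits, sorted."""
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    flags = set()
    if any(w in text for w in CREDENTIAL_WORDS):
        flags.add("requests sensitive data")
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in attachments):
        flags.add("suspicious attachment")
    if mismatched_links(html_body):
        flags.add("mismatched url")
    if any(w in text for w in URGENCY):
        flags.add("sense of urgency")
    return sorted(flags)

if __name__ == "__main__":
    print(phishing_flags(SAMPLE_HTML, SAMPLE_ATTACHMENTS))
```

A message that trips several flags at once is the strongest signal; a single hit on the phrase lists alone is a prompt for the hover-and-check habit, not proof of fraud.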
2. Tailgating
Not all social engineering attacks are initiated from a computer or mobile device. Also known as piggybacking, tailgating is trying to gain physical access to a business using someone else’s authorized access. The scammer may befriend a group of employees at the picnic table and attempt to follow them back into the building after lunch. Or he could pretend to be an employee who forgot his or her ID badge. Once inside, they can use other forms of manipulation to build trust and get their hands on what they’re after.
More than anything, tailgating relies on human kindness to get from point A to point B. Surely you wouldn’t just let the door slam in someone’s face – even if it is the face of someone you’ve never seen. While it has little to no chance of working in tightly controlled corporate environments, determined tailgaters can find success targeting smaller companies with lax security measures.
3. Planted Media
This next social engineering trick couldn’t appear more innocent. Johnny is strolling through the parking lot and sees a perfectly good USB stick laying on the pavement. He picks it up, heads inside to his cubicle and plugs it into his workstation. Little does Johnny know, he just unloaded a malicious payload for a virus dead set on propagating its way to every networked computer in the office. Sound ridiculous? Maybe – until you get real and admit that you could be Johnny on any given day. Then you’ll realize why this scam has an alarming success rate.
Malware usually has to be manually executed. But all it takes is an alluring filename to pique an employee’s interest and convince them to click away. It’s scary to think just how easily this scam can be pulled off. IT managers should view it as motivation to place a renewed focus on security training for computer users at all levels.
4. Whale Hunting
Also known as whaling, whale hunting has a lot in common with phishing. The difference is that it specifically goes after company executives and other high-profile targets. Pretending to be a trusted vendor, a hacker may contact an IT manager. He may send a link where they can update their account details or view an invoice. Greeted by a professional design and familiar logo, the manager submits his info and unknowingly hands over his confidential data.
With a bigger pot of gold at the end of the rainbow, whale hunters have every reason to put more effort into an effective attack. Hackers get details from Google searches, social media profiles and colleagues. They can design an elaborate attack that is highly targeted, so personalized that even the most IT-savvy execs are compelled to click. The average suit usually lacks security training, so they are a sitting duck for whaling exploits.
5. Blackmail
Blackmail is one form of social engineering that often uses a combination of phishing and malware to dupe unsuspecting victims. For example, an employee may receive an email stating that they will incur hefty fines or face legal ramifications if they don’t follow the instructions in the attached document. After opening the attachment, they unknowingly install ransomware that attempts to further blackmail them by threatening to delete their files if they don’t pay the specified ransom amount.
Blackmail is the Freddy Krueger of social engineering, because it relies on fear to thrive. The fear of losing access to mission-critical files or having personal data exposed online is strong. A victim may need to opt for the lesser of two evils and comply with the blackmail demands.
Ransomware has become so effective that often the only way to safeguard against it is a backup and business continuity solution.
6. Quid Pro Quo
Quid pro quo means “something for something” in Latin, and that is literally how this next social engineering ploy operates. An attacker will promise to give you something seemingly valuable in exchange for valuable information. Posing as an IT support agent, a scam artist may target a company by calling random numbers until reaching an employee who has an actual problem. From there they work the employee for passwords or attempt to convince them to make changes that weaken network defenses while pretending to provide a solution.
What I find interesting about quid pro quo is that it can prove to be a test of security awareness as well as employee integrity. One of the most surprisingly effective attacks in this category sees a con-man pretending to conduct important research for a worthy cause. They might ask an employee to reveal confidential information about their employer in exchange for a couple hundred dollars or the latest iPhone.
7. Reverse Social Engineering
Email is more commonly targeted, but some scammers prefer the phone – like those who specialize in reverse social engineering. This trick is labeled as such because the attacker positions themselves to help the potential victim solve a problem. For instance, a shyster might call up a random consumer pretending to be a support agent from an anti-virus software firm, or maybe even a big wig like Microsoft. During the call they claim they need remote access to the recipient’s computer in order to investigate a malware infection. With that access, they install scareware, which fuels their phony claim of discovering malware and charging a ridiculous fee to remove it. Pretty elaborate stuff.
Reverse social engineering sort of hits close to home because it nearly victimized my aunt. She was ready to part with hundreds of dollars to remove a supposed virus until she thought to call and ask for my opinion. Smart move, because even she refers to herself as Wilma Flintstone when it comes to computers.
I told her like I’ll tell you … don’t do it! An honest company will never call you to address a malware infection – and getting a real support agent on the phone is rarely ever that easy.
You can lock down your IT systems with state-of-the-art security controls and enforce the tightest security policies. No matter what mechanisms you implement, your infrastructure will always be as vulnerable as the human element. If you fail to make threat awareness and security training an ongoing process, your company could fall victim to one or more of these social engineering scams.