Hacking the Mind | 4 Social Engineering Scams Targeting Your Employees
12 July 2017 00:00
There's a special breed of hackers who can exploit the one vulnerability found in every organisation -- human error. And if humans are the target, then social engineering scams are their favoured weapon of choice.
There's no hiding from the fact that most cyber criminals have sleave full of cunning ways to compromise our sensitive data. Their technical expertise creates new ways to infiltrate a protected computer system, and we hear about their successes in the news on a daily basis. However, there is a special breed of hackers who can exploit the one vulnerability and tool found in every organisation. The weakness? Human error. The Tool? Social engineering.
Using a variety of platforms and technology, including social media and phone calls, these cyber criminals trick people into handing over access to sensitive information.
Social engineering can encompass a wide range of malicious activity, but we'll focus on five of the most common attacks that social engineers use to target their victims.
Employee phishing scams are one of the most common types of social engineering attacks used today. Most phishing scams demonstrate the following characteristics:
- Looking to obtain personal information, such as names, addresses and login credentials.
- Use link shorteners or embed links that redirect users to harmful websites in URLs that appear to be legitimate.
- Uses threats, fear and a sense of urgency in an attempt to manipulate the user into acting urgently.
Not all phishing emails are well crafted. Some are so poorly designed to the extent that their messages often contain major spelling and grammar errors, but these emails are focused on directing victims to a fake website or form where they can steal personal information.
Baiting has many similarities to phishing attacks. The main difference, however, is that baiting promises an item or goods that are used to entice victims. These offers often include free music or movie downloads, but only if they surrender their login credentials to a certain site.
Baiting attacks are not restricted to online schemes. Attackers can also focus on exploiting human curiosity via the use of physical media. Cyber criminals are well known to leave devices such as USB stick, in well-populated areas, such as on company car parks or on a university campus. The curiosity of the human mind often leads people to plug in the USB devices, which can be infected with malware or even keyloggers (One experiment showed that, of 297 purposefully dropped USBs, 290 were picked up).
Another form of social engineering pretexting is where attackers focus on creating a fake scenario, that they use to try and steal their victims’ personal information. These attacks commonly take the form of a hacker who pretends that they need specific bits of information from their victim, in order to confirm their identity.
The more advanced attacks will try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organisation. For instance, an attacker who impersonates an external IT services auditor and manipulates a company’s physical security staff into letting gain access to a building.
Unlike the phishing technique of fear and urgency, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt in the target's mind.
Tailgating, otherwise known as “piggybacking", these types of attacks involves following a victim, such as an employee, into an area or building where they are not authorised to be.
A common type of tailgating attack involves a person impersonating a delivery driver, where they wait outside a building. When an employee gains security’s approval and opens their door, the attacker asks that the employee hold the door, thereby gaining access off of someone who is authorised to enter the company.
Thankfully, many offices now require all employees to swipe a card, with the use of barriers such as automatic gates. However, in many SMEs, attackers can spark a conversation with employees and use this show of familiarity to successfully get past the front desk.
HOW TO PROTECT AGAINST SOCIAL ENGINEERING
Cyber criminals who engage in social engineering attacks prey off of human curiosity and psychology in order to compromise their victim's information. With this in mind, it is up to users and employees to counter these types of attacks.
Here are a few tips on how users can avoid social engineering attempts:
- Do not click links on any emails from untrusted sources. Don't let curiosity get the better of you - visiting the site can be damaging enough on its own.
- Do not give offers from strangers the benefit of the doubt. If they seem too good to be true, they often are.
- Lock your laptop whenever you are away from your workstation.
- Purchase anti-virus software. Although this can't defend against every threat, it can help protect against some.