In our recent articles, we have covered a few of the ways cyber criminals attack companies and businesses: ransomware, phishing emails and LinkedIn, as well as HMRC tax scams and password manager tools. This week we look at social engineering attacks to watch out for, and how you can spot them.
Have you heard of Social Engineering?
Social engineering attacks can take many forms, but all have the same end goal: gathering information about you. Attackers use social engineering tactics to get the target to divulge as much information as possible, so that the attacks that follow look believable. This could be via scam calls intended to trick you into handing over information or money. Many phishing attempts are tailored with the information gathered in this way to make them more convincing.
Good breakdown of what social engineering is:
it’s the art of manipulating someone to divulge sensitive or confidential information, usually through digital communication, that can be used for fraudulent purposes.
Would you know of any Social Engineering Attacks?
You’ve probably heard of, and discussed, a social engineering attack without being aware of it. Celebrities getting their social media accounts hacked is a particularly common example, and because of the reach those accounts have, it can be quite dangerous. When cyber criminals gain access to a high profile social media account, they can use it to convince followers to send personal details to "win" a competition or to send Bitcoin, for example.
Aura described the four phases of a social engineering attack as:
1. Discovery and Investigation
2. Deception and Hook
3. Attack
4. Retreat
The different types of Social Engineering Attacks
There are plenty of types of social engineering attack. Not just through emails (phishing), but also phone calls (vishing), SMS (smishing), and attacks can even happen in person (using everyday social cues, such as pretending to be a delivery driver, to gain access to a building).
Social Media Phishing
At the highest level, most phishing scams aim to achieve one of three things:
- They want your personal information so that they can commit identity fraud. Your name and address alone give an attacker a good start on stealing your identity.
- They want to trick you into thinking you have been sent a legitimate link. The link often leads to a malicious website that harvests details, or installs malware, for the criminals behind it. Passwords in particular are of keen interest to attackers.
- They want to create fear or excitement so that you act before you think. If you tell someone they are owed a lot of money, you can easily manipulate them into clicking on a suspicious link.
Pretexting is another type of social engineering
In pretexting, the attacker invents a plausible story (the pretext) to persuade the target to hand over their details or money. Tripwire suggested this can be done in a variety of ways. The latest WhatsApp scam is a prime example of pretexting: the cyber criminal impersonates a family member or another person the individual trusts.
In one WhatsApp example, a scammer messages a father claiming to be one of his children. They say they have lost their phone and are using a friend’s phone, and then ask the intended target to send money to a different bank account so that they can buy a new one. If the messages carry a sense of urgency, the victim is likely to transfer the money without thinking twice. That is how it usually works.
In other cases, the scammer impersonates a manager or senior employee and emails or texts a more junior employee, sending them links that they "need" to click on. Victims are likely to comply with a request from someone higher up who appears to have authority. Managed Security Awareness Training can definitely help your company with this.
Recommendations to deal with Social Engineering Attacks
Defending against social engineering requires self-awareness. Always slow down and think before acting on, or responding to, any communication that demands urgent action. If you suspect an attack, it is worth considering the following questions:
- Did the message come from a legitimate person? Study the email address when you get a suspect message. There may be characters that mimic others, such as “mack@example.com” instead of “max@example.com,” or look-alike characters from other alphabets. Social media accounts that duplicate a colleague’s picture and profile information are also common. Ask the sender whether they really sent the message in question, using a different channel if possible: in person, or by phone on a number you already have, rather than by replying to the message itself.
- Suspicious links or attachments? If a link or file name looks odd in an email, question the authenticity of the whole communication. Also consider the context of the message itself: is the sender wishing you a good morning when it is the afternoon, for example?
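The first check above, comparing a sender address against the people you actually correspond with, is easy to automate. The script below is an added example written for this article, not code from the original page or from any of the vendors mentioned in it. It assumes a small, made-up allowlist of known contacts (KNOWN_CONTACTS) and a handful of Unicode look-alike characters; the From headers used at the bottom are constructed for illustration. It flags an address as a lookalike when it is within a couple of edits of a known contact after folding confusable characters, or when the display name borrows a known contact's name while the address behind it is different.

```python
"""Lookalike sender check for From headers (added example, not from the original article)."""
import unicodedata
from email.utils import parseaddr

# Constructed allowlist of people you actually correspond with (hypothetical addresses).
KNOWN_CONTACTS = {
    "max@example.com",
    "finance@example.com",
}

# A few common confusables mapped to the ASCII character they imitate.
# Real mail filters use far larger tables; this is only illustrative.
CONFUSABLES = str.maketrans({
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "0": "o",
    "1": "l",
    "|": "l",
})


def normalise(text):
    """Lower-case, apply NFKC folding, map confusables and collapse 'rn' to 'm'."""
    folded = unicodedata.normalize("NFKC", text).lower()
    return folded.translate(CONFUSABLES).replace("rn", "m")


def levenshtein(a, b):
    """Edit distance; catches one- or two-character changes such as mack@ vs max@."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, known=KNOWN_CONTACTS, max_distance=2):
    """Return (verdict, matched_contact) for a raw From header.

    verdict is 'known' (exact allowlist hit), 'lookalike' (near miss after
    confusable folding, or a borrowed display name) or 'unknown'.
    """
    display, addr = parseaddr(from_header)
    addr = addr.strip()
    if addr in known:
        return "known", addr

    # Near-miss on the address itself, e.g. a swapped letter or a Cyrillic 'a'.
    folded = normalise(addr)
    best = None
    for contact in known:
        distance = levenshtein(folded, normalise(contact))
        if best is None or distance < best[0]:
            best = (distance, contact)
    if best and best[0] <= max_distance:
        return "lookalike", best[1]

    # Display name that matches a known contact's local part while the
    # address is unrelated (the "duplicated colleague" pattern).
    name = normalise(display)
    if name:
        for contact in known:
            if name == normalise(contact.split("@", 1)[0]):
                return "lookalike", contact

    return "unknown", None


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "Max <max@example.com>",
        "Max <mack@example.com>",
        "Max <m\u0430x@example.com>",      # Cyrillic a in the local part
        "Max <max@gmail.example>",         # right name, wrong address
        "Helpdesk <attacker@evil.example>",
    ]
    for header in samples:
        print(f"{header!r:45} -> {classify_sender(header)}")
```

The edit-distance threshold is deliberately small: at two edits it catches the "mack" for "max" trick from the article without flagging every address at the same domain, and the confusable folding is what turns a visually identical Cyrillic address into a distance-zero hit. Run it against your own contact list to see how many near misses a short threshold already produces before tightening or loosening it.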