What is phishing & social engineering?
Social Engineering is the art of manipulating people in order to gain sensitive or confidential information. For example, an attacker may call or email you and ask you to verify certain information, such as data protection questions (mother's maiden name, address, last three digits on the back of your bank card, passwords or a memorable place). This information can then be used by the attacker to gain more information about you from other sources.
Once an attacker has gained some information about you, it becomes much easier for them to infiltrate your life, for example by calling your bank and attempting to verify themselves as you with your mother's maiden name, password or memorable place.
A Social Engineering attack can come in many forms: an email pretending to be from someone you know or from a trusted online retailer, or even a reply pretending to answer an ad or question that you never asked. This is done to play on the possibility that you have an issue in the first place. It could be computer help ('Click here for the answer to your computer problem') containing a malicious link, or an email from a bank you aren't with, trying to obtain confidential banking information.
The target, once fallen prey to an attacker, is often said to have been 'Socially Engineered'.
Malicious individuals will try anything to gain access to your business, network or premises. Your staff, physical security, policies or procedures could also present a vulnerability to the safety of your business.
Today the methods employed in social engineering are well researched, individually tailored, and extremely difficult to detect. You may think that you would always spot such a ruse but that confidence is often unfounded and can be very costly.
Why is it important?
- 95% of successful cyber attacks are the result of a phishing scam.
- Over 400 businesses are targeted by spear-phishing scams every day.
- Phishing is the primary vector for ransomware, which is also on the rise.
- 4,000 ransomware attacks occurred every day in 2016.
Whilst most people will have heard about phishing, the other attack methods within Social Engineering, such as vishing, smishing, pretexting, baiting, spear phishing and water holing, are not as well known but are very common. Each of these attack vectors is equally as dangerous to your organisation. They can result in loss of earnings and reputation, data loss and even fines.
Social Engineering tests should be conducted to test your employees and to develop a culture of social engineering and phishing awareness. They also highlight opportunities for staff awareness training.
Samurai Digital Security has a team of highly trained and professional cyber security experts with experience in incident response and in responding to breaches or leaked information, including social engineering attacks.
Our team is able to provide information and train your employees on how to spot social engineering techniques, allowing your organisation to remain safe, secure and knowledgeable about possible incoming threats. Training can include social engineering cyber security awareness, social engineering computing awareness and social engineering IT awareness training, all of which falls under the Samurai Digital Security Cyber Security Awareness training.
Samurai can also aid with incident response, where we can help in finding out how information may have been leaked, or how a breach occurred in the first place. Samurai can act as your organisation's DPO; then, in the event of a breach, our team can also act as a point of contact for the ICO, offer guidance on how to prevent the breach from happening again, and provide further training to employees if this is required.
Social Engineering attacks can be conducted using a variety of methods, all with the intention of coercing an individual to divulge sensitive or personal information.
One example of a Social Engineering attack is phishing, which is considered the leading form of Social Engineering attack. Specially crafted messages or emails are sent to targets to invoke an emotional response, such as requiring an urgent reply from the recipient, or creating a sense of fear about incoming fines or a virus that has infected their system.
While phishing is used to invoke a panicked or urgent response, baiting is the opposite. Baiting is an attack method where the target is enticed by an offer, prize or free download, in order to 'bait' the individual into divulging passwords or other personal information. Any hyperlinks in a baiting email will contain malware and undoubtedly infect the target's device. Baiting doesn't always come in the form of an email; it could also be performed using a flash drive with an alluring note. This could be branded to the target organisation, with a label such as "Q4 Bonus Information", with the intention of leading an employee to plug the infected flash drive into a company machine, thus infecting the organisational network with malware or spyware.
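As an added illustration (not code from the original page or from Samurai Digital Security), the following Python script scores constructed sample emails for the cues the two paragraphs above describe: urgency and fear language (phishing), prize and free-download language (baiting), a lookalike sender domain and an external link. The sample messages, the term lists and the trusted domain `example-corp.test` are assumptions made for this example; a real mail gateway would combine many more signals than this toy heuristic.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages for illustration only (not real mail).
SAMPLES = {
    "urgent_invoice": """From: "Finance Team" <finance@examp1e-corp.test>
To: employee@example-corp.test
Subject: URGENT: Your account will be suspended today

Your invoice is overdue. Click http://examp1e-corp.test/pay immediately or face a fine.
""",
    "prize_bait": """From: "Prize Desk" <win@prizes.test>
To: employee@example-corp.test
Subject: Congratulations! You have won a free laptop

Claim your prize now: http://prizes.test/claim
""",
    "normal": """From: "Alice" <alice@example-corp.test>
To: employee@example-corp.test
Subject: Lunch on Thursday?

Are you available for lunch on Thursday? No rush.
""",
}

# Assumed trusted domain and toy cue lists (phishing = urgency/fear,
# baiting = prize/free offer). These are assumptions, not a real ruleset.
TRUSTED_DOMAIN = "example-corp.test"
URGENCY_TERMS = {"urgent", "immediately", "suspended", "fine", "virus", "today"}
BAIT_TERMS = {"won", "prize", "free", "congratulations", "claim"}


def lookalike_domain(domain, trusted):
    """True if `domain` differs from `trusted` by exactly one substituted
    character, e.g. a digit '1' in place of the letter 'l'."""
    if domain == trusted or len(domain) != len(trusted):
        return False
    return sum(a != b for a, b in zip(domain, trusted)) == 1


def score_message(raw):
    """Parse one raw RFC 822 message and return (score, indicator list)."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = (str(msg["Subject"]) + " " + body).lower()
    words = set(re.findall(r"[a-z]+", text))

    indicators = []
    urgency = sorted(words & URGENCY_TERMS)
    bait = sorted(words & BAIT_TERMS)
    if urgency:
        indicators.append("urgency:" + ",".join(urgency))
    if bait:
        indicators.append("bait:" + ",".join(bait))
    if lookalike_domain(domain, TRUSTED_DOMAIN):
        indicators.append("lookalike-domain:" + domain)
    if re.search(r"https?://", text) and domain != TRUSTED_DOMAIN:
        indicators.append("external-link")
    return len(indicators), indicators


def triage(samples):
    """Score every sample; returns {name: score} so results can be sorted."""
    return {name: score_message(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        score, found = score_message(raw)
        print(f"{name}: score={score} {found}")
```

Messages scoring above a chosen threshold would be held for review or reported rather than delivered; the lookalike check is deliberately simple (a single substituted character) so that the domain spoofing in the `urgent_invoice` sample is visible without a full string-distance library.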
Pretexting Social Engineering
Another Social Engineering attack is a pretexting attack. Pretexting Social Engineering is where an attacker creates a false sense of trust between themselves and the target by impersonating a co-worker, boss, or figure of authority who is well known to the target. This attack is performed with the intention of gaining confidential login details from the target.
Tailgating Social Engineering
Tailgating social engineering is where an attacker physically follows an authorised target into restricted areas in order to gain access to confidential information and systems. This is often done under the guise of "Hey, sorry, could you hold the door please? I've forgotten my access card". Another method is asking an employee to borrow their device to make a call, quickly look something up online or send an email; during this time the attacker will install malware or other malicious software onto the target's machine.
Whaling Social Engineering
Whaling social engineering is similar to phishing; however, whaling specifically targets higher-up individuals who have more access or permissions and are able to divulge more sensitive information, such as system admins, CEOs or board members. The intention is to target someone who has the most access in an organisation and trick them into clicking a malicious hyperlink in an email, or into forwarding more sensitive information, while the attacker pretends to be from another department, a third-party supplier, or another employee with authority.
Reverse Social Engineering
Reverse Social Engineering is where an attacker convinces the target that they have a problem, or that a problem is about to come up, for example "You have a virus, please go to this website". This is often done over the phone, with the attacker claiming the issue can be resolved by them but that it needs to be done as soon as possible. In reality the attacker's threat of a virus or issue is fictional, and when the target follows the attacker's instructions, the attacker will infect the target's machine with malware or spyware in an effort to steal confidential information from the target.
Reverse social engineering is often done whilst impersonating a person of authority to gain the trust of the target, which leads the target into following the malicious instructions.
Social Engineering Examples
Social Engineering examples include receiving a call from someone claiming to be an organisation you know, such as a bank or a telecommunications supplier. They will ask the target for certain information in order to pass Data Protection checks, while leading the target to believe they are just confirming account details, such as a memorable place, address details or phone numbers, all of which could be used to verify the attacker when trying to access the target's information from the organisation they are impersonating.
Other social engineering examples include emails, where the attacker sends out a vague email stating that the recipient has won something, even if they never entered a competition in the first place. This baits the target into selecting a malicious hyperlink that leads them to divulge personal information using specially crafted forms. This could also result in the target infecting their own machine with malware while also divulging sensitive information.
One of the most successful, yet simplest to accomplish, social engineering examples is where the target is chosen based on their position in a company. The attacker wears overalls or a hi-vis vest, follows an authorised employee into a secure area and pretends to be conducting maintenance work without having any credentials or paperwork. The attacker then waits for the authorised employee to leave and steals information, hardware or resources without anyone's knowledge.
Social Engineering Techniques
It is important to stay vigilant as the threat of Social Engineering attacks rises and the techniques employed by attackers improve. These techniques include, but are not limited to:
- Impersonation, where an attacker attempts to impersonate a friend, family member, business, or authority figure in an attempt to gain more information from the target.
- Being friendly is also a common tactic, used in conjunction with other methods such as kindly worded emails or impersonation. The idea is that a smile and a friendly attitude can lull the target into a false sense of security, where they forget to ask for verification and simply trust the attacker's word in the moment.
- Forgotten information, pass codes or key cards. This is often used in Tailgating Social Engineering, where an authorised employee is followed into secure areas, believing the attacker has simply forgotten their ID card or pass code. It is important to question unknown individuals who follow you into secure or access-controlled areas.
- New employee story. This is where an attacker turns up at a place of business and, often as part of a Tailgating Social Engineering attack, offers an excuse such as "I have been employed here recently and haven't received my ID badge yet" in order to gain access to confidential information.
- Wearing overalls or hi-vis. Attackers will sometimes 'act like they belong' by wearing construction gear or uniforms, giving a false sense of security and leading others to believe they belong in certain areas, when in reality they are stealing confidential information or hardware, or installing malware on devices without the knowledge of others.
- Emails are used in phishing attacks, the most common form of Social Engineering attack. Any untrusted emails should be ignored or reported to the relevant vendor.
- Phone calls are another common form of Social Engineering attack, where the attacker calls an individual in an attempt to gain confidential information, often by posing as someone in authority, or as a representative of an organisation you hold an account with.
Famous Social Engineering Attacks
Many organisations believe that Social Engineering attacks wouldn't affect them; however, this is an issue for organisations big and small. For example, in 2014 Sony Pictures was targeted by a group of North Korean hackers with a phishing attack. This was in response to Sony Pictures releasing the movie 'The Interview', which in turn resulted in the movie being released by Sony for free. By the end of this war between Sony and North Korea, Sony had suffered financial loss and ended up with several movies and employee data being leaked online.
Another famous social engineering attack was in 2013, when the email provider Yahoo had every account compromised, over 3 billion accounts in total. This was due to an engineer with privileged account status falling for a spear phishing email. At the time this was considered the biggest successful breach in terms of individual records being compromised. Originally, Yahoo reported 500 million accounts being compromised, and it wasn't until October 2017 that the 3 billion figure was released.
Social Engineering Attacks 2018
'Social engineering attacks 2018' is a common search term, most likely used to see which attacks were the most effective or caused the most damage over the last year.
We found the most prominent social engineering attacks were tailgating, eavesdropping (listening in on a conversation), phishing and vishing (phishing attempts over the phone). This list, along with disgruntled employees, sheds light on how cyber-attacks are being performed and why they succeed. For example, an attacker may impersonate an unassuming person holding a tray of drinks who can't quite reach their ID card for the door to a restricted area; as a passer-by you would feel compelled to lend a hand or open the securely locked door for them, yet this could very well be a cleverly disguised ploy to tailgate into a secure environment.
These attacks could easily be avoided by attending some form of cyber security awareness training, where the basics of cyber security, phishing, social engineering and safety when using IT equipment are delivered by experts in the field, ready to answer any questions and point employees in the right direction for even more resources.
The most successful social engineering attacks of the last few years have been attempts which elicit an emotional response, such as anger or fear, or which appeal to your empathy. This can be done by making the target believe the attacker is a family member, a colleague or even someone in a position of authority.
Another successful method of social engineering is shouldering, where the attacker subtly looks over the target's shoulder to find out what information is on their computer or on their desk. Shouldering social engineering is particularly successful because of how much information employees tend to write down without thinking of the consequences or importance, such as passwords on Post-it notes, login credentials left in the open, or company information left in open documents for any passer-by to see. Shouldering social engineering is not only prominent in the workplace; it is also done in coffee shops, cyber cafes and local parks where people work outside the workplace.