Social engineering attacks, which depend entirely on human interaction and deception to trick people, are one of the fastest growing security threats facing any business today.
While traditional attacks leverage technology-based system vulnerabilities, such as software vulnerabilities and misconfigurations, social engineering attacks take advantage of human vulnerabilities by using deception to trick targeted victims into performing harmful actions.
Examples of social engineering attacks, which are typically perpetrated through email, include threats such as phishing, spear phishing, and Business Email Compromise or “BEC.” Other examples of social engineering include pretexting, quid pro quo and tailgating. In May of 2016, the FBI reported that BEC attacks had resulted in $3.1 billion in losses.
Phishing and spear phishing
Phishing and spear phishing attacks are fraudulent practices perpetrated through email. Phishing attackers cast a wide net of emails in the hope of trapping multiple random victims. Spear phishing is a targeted attack against a specific individual or group.
In both attacks, the email appears to come from a familiar entity, typically a financial institution, a legitimate company, a friend, a co-worker, etc. These attacks typically use fear and urgency to pressure the victim into acting quickly.
The emails ask you to perform some action, such as clicking on a link that leads to a forged website or submitting information that can be used to compromise you personally or the business.
The best way to avoid these scams is to be skeptical. If a "friend" emails you and asks for your password or other personal or sensitive information, call that person or start a new email (not a reply) to verify that they were the one who actually contacted you. The same should be done for banks and other businesses. Legitimate businesses never ask for passwords or account numbers by email. If you think the email might be genuine, call the bank or business and simply ask. Most financial institutions have an email address where you can forward suspicious emails for verification and investigation.
Pretexting
Pretexting is another form of social engineering in which attackers concentrate on creating a believable “pretext,” a fictitious situation that can be used to steal their victims’ personal information. These attacks commonly involve the attacker pretending that they legitimately need certain pieces of information from their targeted victim in order to confirm the victim's identity.
More advanced attacks will also attempt to influence the victim into performing an action that enables the attacker to exploit other vulnerabilities or weaknesses in an organization or company. An example of this would be an attacker who impersonates an external IT services auditor and manipulates a company’s personnel into letting them into the building, where they can access data directly.
Unlike phishing scams, which use fear and urgency to accomplish the task, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a trustworthy-sounding story that leaves the victim little reason to doubt their legitimacy. Pretexting attacks are commonly used to gain both sensitive and nonsensitive information.
The most effective way to deal with pretexting attacks is employee education and policy creation. Create policies on how to handle various situations, including what to do if a pretexting attack is suspected. Have a go-to person to validate requests for both information and physical access, and regularly educate your employees on these threats and policies.
Quid pro quo
Quid pro quo attacks promise some form of benefit in exchange for information or access. This benefit characteristically takes the form of baiting where the attacker provides the victim with something of perceived value.
One of the most common types of quid pro quo attack involves scammers who impersonate IT service staff and call as many direct numbers in a company as they can find. The attackers offer IT assistance to all their potential victims. They promise things such as software updates or vulnerability scans and ask the employee to disable their antivirus or firewall program so the service can be performed, but instead install malware on the employee's system.
Other attackers use much less sophisticated quid pro quo offers. Real-world examples include offering office workers a cheap pen or a bar of chocolate in exchange for their passwords or other sensitive information.
The best way to combat these types of attacks is simply awareness and a strong policy that prohibits any exchange of information without verifying the legitimacy and source of the request.
Tailgating
Tailgating is much less of a threat for small businesses than it is for larger companies. However, it is important to be aware of this threat as a company grows.
This form of attack involves someone who lacks the proper authentication following an employee into a restricted or sensitive area.
In a common form of tailgating attack, a person impersonates a delivery driver and waits outside a company building. When an employee gains access and opens the door, the attacker asks the employee to hold the door, feigning a delivery, and thereby gains access by piggybacking off someone who is authorized to enter the building.
Another effective method is striking up a conversation with an employee at the front desk and developing a familiarity that could allow the attacker to slip past the desk.
The best way to stop these threats is to have a policy in place that disallows this practice. If there are locked doors and restricted areas, each individual should be responsible for their own access to these zones.
Business email compromise
This is another attack that commonly targets larger companies, but it can also be used to compromise small businesses.
This technique typically involves gaining access to an executive’s email inbox through other forms of social engineering, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “example.com,” the thieves might register “examp1e.com” (replacing the letter “l” with the numeral 1) or “example.co,” and send messages from that domain.
Unlike traditional phishing scams, spoofed emails used in BEC schemes are unlikely to set off spam traps, because these are targeted phishing scams that are not mass emailed. Also, the crooks behind them take the time to understand the target organization’s affiliations, activities, interests, travel, and purchasing plans.
The criminals then search through all the emails looking for keywords such as “deposits,” “invoice,” “payments,” and so on. They can then use that information to perpetrate their nefarious activities.
The most effective way to stop these attacks is to understand and avoid other social engineering attacks, such as phishing and spear phishing. Another way to thwart these attacks is to avoid placing financial data in emails.
Social engineering is becoming one of the biggest threats facing businesses of all types and sizes. The very nature of human relationship manipulation makes it very difficult for companies to prevent. Companies can harden their networks, patch software and install anti-malware applications, but only through the education and awareness of their employees can companies even hope to stop the efforts of the evil elements whose sole intention is to profit from your hard work.