Tag Archives: Social Engineering

Social Engineering – Don’t fall for these email phishing attacks

Spear phishing is the term given to fraudulent, malicious emails that attempt to infect your computing device and gain unauthorized access. The messages will appear to come from a trusted source such as a well-known company, often in the financial services or payment processing industries. In targeted attacks it is also common for the email to appear to originate from the recipient’s own company. Scammers that have done their research will know the names of high-level directors, which are commonly available online in annual reports. Their goal is to defraud you out of your money or the intellectual property that keeps your business ahead of the competition.

Here are two timely examples that I happened to see in my spam inbox today:

Spear Phishing Example 1: Fake email posing as HSBC Bank

HSBC Account Holder,

HSBC is constantly working to increase security for all Online Banking users.
To ensure the integrity of our online payment system, we periodically review accounts. Your
account might be restricted due to numerous login attempts into your online account.
Restricted accounts continue to receive payments, but they are limited in their ability
to send or withdraw funds. To lift up this restriction, you need to confirm your online
banking details.

Notice that the scam is appealing to the need to stay secure and keep an account open. This was a broad attempt because I am not even an HSBC account holder, but people fall for these types of scams every day and it only takes one lapse in judgement to have your device infected.

Spear Phishing Example 2: Fake email posing as United Parcel Service Notifications

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

I received about 6 copies with different tracking numbers for this example, so it is one of the more prevalent attacks circulating right now. There was a .pdf document attached that likely would have infected my machine had I let my guard down and opened this attachment.

Avoiding spear phishing scams takes cyber street smarts and requires email users to constantly question whether a document is legitimate and expected. Those with a trusting nature are at a disadvantage and at increased risk of becoming a spear phishing victim. Now that you have some information on two current spear phishing threats, you should learn more about social engineering and how you can protect your personal and business interests from this serious information security threat.
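The two messages above share a handful of indicators that a mail filter or a cautious reader can check for: the sender domain does not match the brand the message claims to be, the text pushes urgency or asks you to confirm banking details, and an attachment arrives that nobody was expecting. The following is an added example, not code from the original post; the sender addresses, attachment name and the list of legitimate brand domains are constructed assumptions, while the body text is quoted from the two samples.

```python
"""Heuristic phishing triage over the two sample messages from the post."""
import re
from email.utils import parseaddr

# Signals drawn from the post: account-restriction/urgency language, requests
# to confirm credentials or banking details, and unexpected attachments.
URGENCY = re.compile(r"\b(restricted|immediately|suspended|lift up this restriction)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(confirm|verify|validate) your (online )?(banking|account|password)", re.I)
RISKY_ATTACHMENT = re.compile(r"\.(pdf|exe|zip|scr|js)$", re.I)

# Domains that legitimately send for each claimed brand. Assumed for the
# example only; a real deployment would maintain this list from policy.
BRAND_DOMAINS = {"hsbc": {"hsbc.com"}, "ups": {"ups.com"}}

def score_message(msg):
    """Return (score, reasons); a higher score means more phishing indicators."""
    reasons = []
    _, addr = parseaddr(msg["from"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    claimed = msg.get("claimed_brand")
    if claimed and sender_domain not in BRAND_DOMAINS.get(claimed, set()):
        reasons.append(f"claims to be {claimed} but sent from {sender_domain}")
    if URGENCY.search(msg["body"]):
        reasons.append("urgency or account-restriction language")
    if CREDENTIAL_ASK.search(msg["body"]):
        reasons.append("asks recipient to confirm credentials or banking details")
    for name in msg.get("attachments", []):
        if RISKY_ATTACHMENT.search(name):
            reasons.append(f"risky attachment type: {name}")
    if msg.get("attachments") and not msg.get("expected", False):
        reasons.append("attachment was not expected by the recipient")
    return len(reasons), reasons

# Constructed samples: bodies quoted from the post, headers invented here.
SAMPLES = [
    {"from": "HSBC Online <security@hsbc-alerts.example>", "claimed_brand": "hsbc",
     "body": "Your account might be restricted due to numerous login attempts. "
             "To lift up this restriction, you need to confirm your online banking details.",
     "attachments": []},
    {"from": "UPS Notifications <noreply@ups-delivery.example>", "claimed_brand": "ups",
     "body": "The parcel was sent your home address. And it will arrive within 3 business day. "
             "More information and the tracking number are attached in document below.",
     "attachments": ["UPS_tracking_document.pdf"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        score, why = score_message(m)
        print(f"{m['from']}: score {score}: {'; '.join(why)}")
```

Both samples score 3 on these checks, while a statement notice sent from hsbc.com with no attachment scores 0; the point is that the same indicators the post asks readers to notice can also be checked mechanically before a message reaches the inbox.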

Information Security Awareness – Social Engineering

Social engineering is the term for the act of tricking someone into performing actions they would not otherwise perform; often it involves the divulging of sensitive information. Social engineering plays on people’s desire to be helpful or to comply with requests that seem to be coming from an authoritative source. Social engineering can often be used to defeat expensive and elaborate information security programs, so it is important to educate your employees about the risks of social engineering to help keep your business secure.

Social engineering can take many forms including:

Physical Social Engineering – Involves a direct personal interaction where the perpetrator engages the target face to face. Physical social engineering still occurs but is riskier for the individual attempting it because there is an increased chance of being identified and caught for the incident. Examples of physical social engineering include:

  • Attempting to gain unauthorized access to a building by getting someone to hold a door, tagging along behind them, or flashing a fake badge credential
  • Impersonating authorized personnel like cleaning staff, electricians or other service professionals to gain access to areas that are off limits
  • A wide variety of other actions, including asking someone to disclose a password, access a file on a USB drive, access a system or perform other actions that are intended to aid the attacker’s cause

Telephone Based Social Engineering – Telephone based social engineering is a widely used method that helps the perpetrator gain needed information while minimizing the risk of being identified, in comparison to physical social engineering. Examples of telephone based social engineering include:

  • Impersonating the help desk via telephone and dialing users in an attempt to acquire sensitive information (such as user names and passwords or system configuration information)
  • Impersonating business executives via the telephone and calling the help desk in an attempt to acquire sensitive information (such as user names and passwords or system configuration information)

Computer Based Social Engineering – Has become the dominant form of social engineering taking place today. Computer based correspondence is much harder to trace than in-person or telephone contact, and that anonymity makes it an attractive attack venue for social engineers. Examples include:

  • Email based phishing attempts that trick a user into clicking on a malicious link or disclosing a password
  • Internet sites set up to take advantage of mistyped names of prominent web sites
  • Social media based interactions attempting to gain access to personal information

Top 10 social engineering tips to help educate your employees and protect your business

10. Anyone can be targeted for a social engineering attempt and those that are most confident in their abilities to spot an attempt often end up a victim. Hubris is deadly so always have humility and use your best judgement to avoid falling for a scam.

9. The most common risk for physical social engineering is piggybacking into a facility. A social engineer attempting to piggyback will wait until someone with valid building access opens the door and then seek to tag along behind that person. Teach your employees to always ask for a valid ID before letting someone in behind them, and audit for compliance.

8. Just because an email appears to be coming from a trusted friend or co-worker does not mean you actually know the sender. If the request is out of the ordinary and seems suspicious, follow up with a phone call to make sure it is legitimate. A high profile information security company recently failed to do this and suffered disastrous consequences as a result.

7. Determined social engineers do their homework. They perform a lot of due diligence on the Internet and will be equipped with knowledge to aid in their goal of tricking you. They will know executive names, titles, etc., but that doesn’t make their request any more legitimate, only harder to detect.

6. Be very suspicious of emails requesting password information or validations that are required immediately. These are typical tactics of spear phishing social engineering attempts, and you must teach your employees to avoid these scams.

5. Practice the “Need to Know” principle. Just because an individual asks for certain information does not mean they require it, so all requests should be evaluated based on the need to know principle. Teach your employees to ask “Does the individual making this request really have a legitimate need to know this information?”

4. Avoid using USB drives and other media devices from unknown sources. This is a common method for social engineers to gain a foothold in an organization through a malicious executable file, and it is avoidable by educating your employees about the threat.

3. Regularly remind employees about the dangers of social engineering to your business and provide real life examples.

2. Set up a process so your employees can report social engineering attempts that occur. It is important to measure the threats your business faces and determine if any patterns can be detected to help minimize your long term risk.

1. Trust your instincts, but also reference established policies. Many social engineering victims mention afterwards that something seemed out of place, but they went along with the request anyway out of a desire to be helpful. Train your employees in the proper procedures you want them to follow and perform audits to validate that the procedures are being followed.

Social engineering is the most difficult threat to protect your company from because it requires that all of your employees become active participants in staying secure. Follow these tips and make social engineering awareness part of your regular information security awareness program.