Edward ran up behind the company employee as he entered the building.
“Can you hold the door, please?”
“Sure!”
“It’s my first day here.”
“Well have a great day and welcome!”
“Thank you.”
Edward turned down the hallway and found an empty trash bin and took it with him. He turned left down the hall to executive row, just like the building schematic had shown.
He walked into Craig’s office and emptied Craig’s bin into his. Then he saw it, the sticky note on the monitor with Craig’s password. Craig was on vacation.
His email thread said he was in Cancun.
Edward had done his homework by monitoring Craig’s email, then lied to and manipulated an unsuspecting employee into letting him into a secure building.
Physical trespassing like the “tailgating” incident above is uncommon compared to other types of what is called “social engineering.”
Social engineering is the criminal practice of manipulating someone to reveal personal or business information or to perform a certain task that will be harmful to an individual or organization.
Hackers are usually after personally identifiable information (PII) – name, Social Security number, driver’s license number, email, address, phone number, place of work, position, etc. – that should normally be kept as private as possible.
Users may have PII that they willingly share with a company in exchange for use of the company’s software, products or services. Users naturally trade off some privacy for convenience.
But that doesn’t mean they want to share it with cyber criminals.
Methods of Attack
“Phishing” emails are so named because the hackers or scammers who send the emails are luring users into their trap. See our piece on phishing for an in-depth look at the various types of phishing attacks.
Most business email compromise (BEC) attacks – currently the most common type of cyber attack on business networks – begin with a successful spearphishing and/or vishing attempt.
Beware Mind Tricks of Savvy Crooks
In all these types of social engineering, remember the following tactics used by hackers and scammers to manipulate users into dropping their guard. They may appeal to:
Knowledge of personal details – Using the name of the target, which has been gathered through other research (“reconnaissance”).
Sensibleness – The request for information makes sense.
Authority – “Give me the information because of who I am.”
Urgency – “I need this information right now” or “your account needs your attention.” Scammers will try to get users to act rashly.
Scarcity – “This deal will only last for limited time.”
Social proof – “I’m well-known.” The hacker projects status and confidence so that the target looks up to them.
Likeness/Impersonation – The hacker looks or acts like a specific, trusted person, so the target is inclined to “do them favors.”
Fear – “If you don’t give it to me, you could lose your job.”
Interrogation – When challenged, the hacker turns the questions back on the target, putting the target on the defensive instead of answering.
Humor – Being funny gets the target to drop their guard.
Conclusion: Know This Last Fact
Remember, beware the tactics above. And remember that banks, credit unions, credit card companies and merchants will never contact users through text message or email asking them to make important account changes or to share information like their account PIN.
Awareness for employees is crucial when it comes to stopping social engineering aimed at users and businesses. Users should be aware of tactics and methods used by scammers and threat actors.
***
Tech Kahunas is a San Diego Managed IT Services provider which provides IT support and services like 24/7 monitoring, data backup and restore, and malware protection.
Tech Kahunas will help you Defend Your Island. Set up a free 30-minute Strategy Session with us now.