Edward ran up behind the company employee as he entered the building.
“Can you hold the door, please?”
“It’s my first day here.”
“Well have a great day and welcome!”
Edward turned down the hallway, found an empty trash bin and took it with him. He turned left down the hall to executive row, just as the building schematic had shown. He walked into Craig’s office and emptied Craig’s bin into his. Then he saw it: the sticky note on the monitor with Craig’s password. Craig was on vacation; his email thread said he was in Cancun.
Edward had done his homework by monitoring Craig’s email, then lied to and manipulated an unsuspecting employee into giving him access to a secure building. Physical intrusion like the “tailgating” incident above is uncommon compared to other types of what is called “social engineering.” Social engineering is the criminal practice of manipulating someone into revealing personal or business information or into performing a task that will harm an individual or organization. Hackers are usually after personally identifiable information (PII): name, social security number, driver’s license number, email, address, phone number, place of work, position, etc. This is information that should normally be kept as private as possible.
Users may have PII that they willingly share with a company in exchange for use of the company’s software, products or services. Users naturally trade off some privacy for convenience. But that doesn’t mean they want to share it with cybercriminals.
“Phishing” emails are so named because the hackers or scammers who send them are luring users into their trap. Most people cannot distinguish a real bank or credit card email from a sophisticated phishing email. The scammers may ask the user to log in to their bank account or respond to an alert by clicking a link in the email. Similarly, scammers posing as “tech support” may email a user to ask them to reset their password. The scammers may even use the user’s real name, or the name of someone in the organization’s IT department as the sender, both gathered from company phone lists, websites or other freely available information about the company. Before acting on such an email, users should double-check it for unusual sender email addresses, dates or grammar problems (although phishing emails are improving in this area). Users should never open attachments in, or reply to, suspicious emails.
But clicking on a link is where the problems start. That action can install malware on the user’s computer, including ransomware, worms, trojans, adware and spyware.
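As an added example that is not part of the original article, the following Python script applies the sender-address and link checks described above to two constructed sample messages; the internal domain, the helpdesk display names and the message contents are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail): one impersonating the IT
# helpdesk from a lookalike domain, one legitimate internal notice.
SUSPECT = """From: IT Helpdesk <helpdesk@examp1e-corp.com>
Subject: Password reset required
Content-Type: text/html

<p>Your password expires today. <a href="http://198.51.100.7/reset">https://portal.example-corp.com/reset</a></p>
"""

LEGIT = """From: IT Helpdesk <helpdesk@example-corp.com>
Subject: Scheduled maintenance
Content-Type: text/html

<p>Details: <a href="https://portal.example-corp.com/maint">https://portal.example-corp.com/maint</a></p>
"""

INTERNAL_DOMAIN = "example-corp.com"  # assumption: the organization's mail domain
INTERNAL_NAMES = ("it helpdesk", "tech support", "it department")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable warnings for the checks the article describes."""
    msg = message_from_string(raw)
    warnings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Internal-sounding display name, but the address is not our domain.
    if display.lower() in INTERNAL_NAMES and domain != INTERNAL_DOMAIN:
        warnings.append(f"sender '{display}' uses external domain {domain}")
    # Lookalike domain: digits swapped in for similar-looking letters.
    if domain != INTERNAL_DOMAIN and domain.replace("1", "l").replace("0", "o") == INTERNAL_DOMAIN:
        warnings.append(f"lookalike domain {domain}")
    # Link text that shows one host while the href points somewhere else.
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        shown = urlparse(text.strip()).hostname
        real = urlparse(href).hostname
        if shown and shown != real:
            warnings.append(f"link text shows {shown} but points to {real}")
    return warnings
```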
“Vishing,” or voice phishing, involves manipulating a contact over the phone. For instance, “tech support” calls the user (generally by name), asking for details about another employee or asking the user to perform some task on their computer. A good way to handle vishing calls is to ask specific questions. One way to deal with a call from “tech support” is to tell them you will call them back or to ask them to come to the user’s desk.
“Spearphishing” is a type of phishing generally targeted at managers of the company (“whaling” is even more targeted at big fish in the C-Suite).
And lest you think mobile devices are immune to phishing attacks, “smishing,” or SMS phishing (phone text messages), tricks users into clicking on malicious links or disclosing sensitive information. For instance, a fake bank texts the victim a phone number and asks them to call to speak with a representative. The recorded voice tells them to enter their social security number or account number to be connected with a representative. These messages may also come from suspicious numbers like “8000,” which scammers use to hide their actual phone numbers.
Most business email compromise (BEC) attacks (currently the most common type of cyber attack) on business networks are initiated by successful spearphishing and/or vishing.
For protection, users should beware of phone tactics like those below, which are used to manipulate users into dropping their guard. A hacker may appeal to:
Knowledge of personal details – Using the name of the target, which has been gathered through other research (“reconnaissance”).
Sensibleness – The request for information makes sense.
Authority – “Give me the information because of who I am.”
Urgency – “I need this information right now” or “your account needs your attention.” Scammers will try to get users to act rashly.
Scarcity – “This deal will only last for limited time.”
Social proof – “I’m well-known” (people look up to them; they have swagger).
Likeness/Impersonation – The hacker looks or acts like a particular person the target knows, and asks for favors on that basis.
Fear – “If you don’t give it to me, be afraid of losing your job.”
Interrogation – The hacker turns the questions back on the target when questioned himself.
Humor – Being funny gets the target to drop their guard.
Remember, banks, credit unions, credit cards and merchants will never contact users through text message or email to make important changes or share information like their account PIN.
Awareness for employees is crucial when it comes to stopping social engineering aimed at users and businesses. Users should be aware of tactics and methods used by scammers and threat actors.
Tech Kahunas knows the needs of SMBs and organizations.
We’ll stay on top of the threats.
We’ll watch your data.
We’ll review your risks.
We’ve got years of this.