Out of context, it’s a relatively innocuous term: “social engineering.” To the uninitiated, that might as well refer to efforts to design and build a new community center.
You know better, of course. You know that in a “social engineering” attack, a person or group manipulates people, rather than software, into revealing usernames, passwords, and other information needed to gain access to a secured network, email account, online storage service, etc. You also know that phishing is the most common form of social engineering.
But you might not know that …
- 76% of organizations experienced phishing attacks in 2017
- Companies report that phishing attacks result in malware infection, lost productivity, and loss of proprietary information
- Mobile ransomware attacks, frequently delivered via SMS, are up 250% since early 2017
It’s an unassailable fact: bad actors continue working hard to undermine your hard work. That’s why it’s best to keep up to date on the most popular social engineering tactics. And that’s why we compiled the following information for you to share with your business associates.
Social Engineering Scams
Just as in fishing-with-an-f, phishing attacks dangle bait in the form of an official-looking email or website in the hope that you’ll bite and offer up a username, password, account number, or any other valuable information. For example, an email might appear to come from one of your online shop accounts alleging a problem — part of a ruse to get you to click a bad link and type your credentials into a page the attacker controls.
You’re working late one night and receive the following message from your CEO’s email address: “Urgent! This crucial acquisition is going to fall through unless $500,000 is wired to this account immediately! There’s no time for a call — get it done!”
That’s enough to give one pause, right? The criminals who sent that message — who studied other messages from your boss so they could match the style, who set up an email system to spoof the proper email address — want you to do more than pause. They want you to jump up and do exactly what the message says … so that they may get $500,000 richer.
That’s a whaling attack, also called CEO fraud or business email compromise: criminals impersonating a senior executive or trusted business partner to extract information or money (or both) from unsuspecting employees. If it sounds like phishing, that’s because the two tactics share the same mechanics; the difference is that the attacker has done their homework on a specific target. The giveaway is that the message forbids the one thing that would expose it: a call back to the executive on a number you already know. Any wire request that arrives by email alone and resists out-of-band verification should be treated as fraudulent until proven otherwise.
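The phishing and whaling messages described above leave traces in the mail headers that a mail gateway or an analyst can check before anyone acts on the request. The following is an added example, not code from the original article or from CTC Technologies: a heuristic triage script that parses a message and flags a lookalike sender domain, a Reply-To that diverts replies elsewhere, failed SPF/DKIM/DMARC results, and an “executive” display name combined with pressure language. It assumes the organisation’s own domain is example-corp.com and that the receiving mail server stamps an Authentication-Results header; both sample messages are constructed by hand for the example, not real captures.

```python
"""Heuristic triage of a suspected phishing / CEO-fraud message.

Added example, not from the original article. Assumptions: our mail
domain is example-corp.com, and inbound mail carries an
Authentication-Results header written by the receiving MX. The two
messages below are constructed for this example, not real captures.
"""
import email

OUR_DOMAIN = "example-corp.com"  # assumption: the organisation's own mail domain
EXEC_TITLES = ("ceo", "cfo", "chief", "president", "director")
PRESSURE_WORDS = ("urgent", "immediately", "wire", "no time", "fall through")

# Constructed sample: the spoofed-CEO wire request from the scenario above.
# Note the sender domain "exarnple" (r-n), a lookalike for "example".
SPOOFED_EML = """\
From: "Pat Chen, CEO" <pat.chen@exarnple-corp.com>
Reply-To: pat.chen.ceo@mail-forward.example
To: finance@example-corp.com
Subject: Urgent! Acquisition wire needed
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=exarnple-corp.com; dmarc=fail header.from=exarnple-corp.com
Message-ID: <a1b2c3@mail-forward.example>

This crucial acquisition is going to fall through unless $500,000 is wired
to the account below immediately. No time for a call, get it done!
"""

# Constructed benign message from the real executive, for comparison.
BENIGN_EML = """\
From: "Pat Chen, CEO" <pat.chen@example-corp.com>
To: finance@example-corp.com
Subject: Lunch Thursday?
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
Message-ID: <d4e5f6@example-corp.com>

Free for lunch on Thursday? No rush, just let me know.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, ours: str) -> bool:
    """A domain that is not ours but within two edits of it (exarnple/example)."""
    return domain != ours and edit_distance(domain, ours) <= 2


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def analyse(raw: str, our_domain: str = OUR_DOMAIN) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw)
    findings = []

    display, from_addr = email.utils.parseaddr(msg["From"] or "")
    from_domain = domain_of(from_addr)
    if is_lookalike(from_domain, our_domain):
        findings.append(f"lookalike sender domain {from_domain!r} (ours is {our_domain!r})")

    reply_to = email.utils.parseaddr(msg["Reply-To"] or "")[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to!r} routes replies away from the From domain")

    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech.upper()} failed at the receiving MX")

    # Body text: plain-text parts only, so HTML markup does not skew word matching.
    if msg.is_multipart():
        body = "".join(
            p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
            for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = f"{msg['Subject'] or ''}\n{body}".lower()
    claims_exec = any(t in display.lower() for t in EXEC_TITLES)
    pressure = [w for w in PRESSURE_WORDS if w in text]
    if claims_exec and len(pressure) >= 2:
        findings.append(f"executive display name plus pressure language: {pressure}")

    return findings


if __name__ == "__main__":
    import email.utils  # noqa: F401  (ensures the submodule is loaded when run directly)
    for label, raw in (("spoofed", SPOOFED_EML), ("benign", BENIGN_EML)):
        print(label, analyse(raw) or ["no findings"])
```

Run stand-alone, the script flags the spoofed message five times (lookalike domain, diverted Reply-To, SPF and DMARC failures, and executive title plus pressure language) and returns no findings for the benign one. None of these checks is proof on its own; a failed SPF result on a forwarded message or a genuine executive writing in a hurry will trip single rules, which is why the output is a list of findings for a human to weigh rather than a verdict.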
“Pretext” is defined as “a reason given in justification of a course of action that is not the real reason.” And that sums up the pretexting social engineering tactic. An individual adopts a persona and builds a cover story — such as being a trusted IT vendor — to obtain privileged information. Pretexting could also involve a person calling to notify the target of an issue with their account … but that the target must prove who they are (nice twist, right?) by offering up identifiers such as Social Security number, mother’s maiden name, date of birth, etc. The practical defense is the same as for the wire request above: never authenticate yourself to someone who called you. Hang up and call the organization back on a number you looked up independently.
“Free USB drives! Take one!”
Free is always good, right? But those free USB drives — which mysteriously appeared in the break room, or sit on an otherwise-unremarked table at a bustling conference — are loaded with malware that compromises your company’s cybersecurity. This tactic is called baiting. Some of these devices are not storage at all but keyboards in disguise that type commands the moment they are plugged in, so disabling autorun is not enough; the only safe policy is that unknown USB devices never touch a company machine. Remember: There’s no such thing as a free lunch or a free USB drive.
Tailgating is also referred to as piggybacking. As you can imagine, the technique is predicated on close proximity. You’re running late and rushing into your security badge-protected work area when a well-dressed person — also seemingly in a hurry — joins you as you step beyond the guarded door.
You’ve just been tailgated, unwittingly providing a stranger access into a restricted area.
Don’t worry: it isn’t just you. Tailgating also happens in areas that hold sensitive information but have no physical controls protecting them. It might be a person dressed as a delivery driver or someone who insists they have approval to be wherever it is they are. Regardless of the way they do it, the goal is always the same: information that compromises the security of the organization.
Imagine a movie plot where the villain poisons the drinks at the good guys’ favorite bar to get revenge. Now shift that idea to the digital realm, and that’s pretty much what a watering hole attack is: a malware attack where a bad actor 1) identifies a website favored by a target and 2) infects that site with malware in an attempt to ensnare the target. It’s relatively uncommon but powerful enough — and difficult enough to detect — that it merits your awareness.
Social engineering is a threat that isn’t going away anytime soon. Make sure your team understands the tactics used to compromise the enterprise’s cybersecurity measures and you’ll be on your way to reducing risk. To help, check out The One Thing You Must Know About Employees and Social Engineering as well as this PDF download on how to watch out for social engineering traps.
We can help. Based in the U.S., CTC Technologies, Inc. is an IT solutions provider capable of stepping in to support your IT infrastructure needs. We’re available immediately to help your company improve network performance, mitigate cybersecurity threats, and operate efficiently. Contact us today for a free consultation about the security solution that works best for your business.