Wolf in Sheep’s Clothing – How to avoid falling victim to online scams


‘Social engineering’ is the term used to describe the method by which internet scammers prey on our natural human instincts to poach private or sensitive information from us. In this article I’ll be explaining exactly what this is, the different types, and how to protect yourself and your business from attacks.

What is Social Engineering?

‘Social engineering’ is certainly nothing new: over the decades, fraudsters and con artists have relied on our natural curiosity, trust and readiness to help. These “wolves in sheep’s clothing” exploit our trusting natures. They seek to gain access to our valuable data, such as passwords, usernames, bank details or any other kind of personal information about us or others.

Once they have gained access to a system, they can deploy malicious software that helps them locate and steal sensitive information.

Social engineers typically:

  • Make it appear that they are giving you something (e.g. money you are owed, or a prize you have won)
  • Provide a plausible reason for their request
  • Show confidence, and act, speak or carry themselves as though they belong in an environment they are not authorised to enter

Social engineering is much easier than trying to hack a computer directly, because our natural inclination to trust is easier to exploit than a technical control. It’s easier to get someone to give up their password than to try to crack it.

So, let’s look at the types of social engineering attacks that are being used.

Tailgating

Tailgating is a very physical type of social engineering, and involves someone who lacks the proper authentication or clearance following an employee into a restricted area. Once in, this person may have access to restricted hardware, files and so on that they can record and use.

Spear Phishing

Spear phishing uses the same tools as ordinary phishing but in a more targeted way, usually aimed at one individual. It may be instigated with a face-to-face or social media encounter in which the attacker builds up a level of trust, followed up with email correspondence.
Because a relationship of trust has already been built, spear phishing attacks are much more successful than standard phishing techniques. Up to 50% of these kinds of emails result in the link or attachment being clicked, compared with just 5% for ordinary phishing emails.

Pretexting

This is when the attacker has created a convincing pretext for contacting you. It is usually delivered with a sense of urgency to try to get you to reveal confidential information you normally wouldn’t. An example is someone pretending to be your company’s IT department needing your login details to resolve an IT issue on your machine.

Baiting

Exactly as it sounds, baiting is the lure used in a social engineering scam to entice the victim to open the mail or click the link.
Examples include:

  • “You’re a winner” – but usually you never entered the competition.
  • “You need to act urgently” – either to claim a benefit or to avoid a disaster.
  • A pretend response, using “Re:” in the subject line – usually to a question or request you never made.
  • “Important information enclosed” – such as new travel rules or changes to restrictions.
  • “There is a problem with your account” – and now you must verify some security information to resolve it.
  • Hints of a scandal – at work, among friends or in other social networks you’re involved in.

What the attackers know is that if a message comes from someone or a source you know, you’re more likely to trust that message and act on it.

What are the risks?

Social engineering attacks may do one or more of the following:

  • Allow access to parts of your building or physical environment that are host to sensitive documentation or equipment.
  • Download malicious code onto a company network via desktop/laptop computers, mobile devices or USB media.
  • Use one compromised network or device as a stepping stone to attack another network or organisation.
  • Obtain access via stolen login details to confidential corporate information.

Precautions you can take

So what precautions can we apply to reduce our exposure to these types of attack?

  • Verify the identity of callers or the senders of any message that asks you to do something.
  • Report any suspicious emails or telephone calls to your IT Security Team.
  • Report the presence of any unknown individuals on your premises, especially those in restricted areas, to your security team.
  • Scrutinise communications such as emails and social media messages that contain attachments or links, particularly if you don’t know the sender.
  • Stop and think about what you are being asked to do in an email, phone call or message, especially when the requester is applying a sense of urgency or pressure in asking for sensitive information.
  • Never give out sensitive information to anyone who requests it in a phone call or email.
  • Always obtain email addresses and phone numbers from a company’s website. Never use the links, addresses or numbers contained in a suspicious communication.
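The baiting cues listed above and the advice to scrutinise links can be turned into a simple triage check that a security team might run over reported emails. The script below is an added example, not part of the original article or CEME’s tooling: it flags the bait and urgency phrases, a fake “Re:” reply to a thread you never started, a request for login details, and links whose visible text names one site while the real destination is another. The phrase lists, the scoring and the two sample messages are constructed for illustration only.

```python
"""Heuristic triage of an inbound e-mail for common social-engineering cues.

Added example; the phrase lists, thresholds and sample messages below are
assumptions constructed for illustration, not data from any real mailbox.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword lists; a real mail filter would tune these to its own traffic.
BAIT_PHRASES = ("you're a winner", "you have won", "you are owed",
                "problem with your account", "important information enclosed")
URGENCY_PHRASES = ("urgent", "act now", "immediately", "within 24 hours",
                   "account will be suspended")
CREDENTIAL_PHRASES = ("verify your password", "confirm your login details",
                      "verify your security information")


class _MailBody(HTMLParser):
    """Collects the plain text of an HTML body plus (href, visible text) per link."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.links = []
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._link_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def registrable_domain(url_or_host):
    """Last two DNS labels of the host (simplification: ignores suffixes like co.uk)."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def mismatched_links(links):
    """Links whose visible text looks like a hostname but points at a different domain."""
    hits = []
    for href, text in links:
        if re.fullmatch(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", text, re.I):
            if registrable_domain(text) != registrable_domain(href):
                hits.append((text, href))
    return hits


def triage(subject, html, known_threads=()):
    """Return (score, reasons): one reason per cue found; score is the cue count."""
    parser = _MailBody()
    parser.feed(html)
    text = (subject + " " + "".join(parser.text)).lower()
    reasons = []
    for phrase in BAIT_PHRASES:
        if phrase in text:
            reasons.append(f"bait phrase: {phrase!r}")
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("manufactured urgency")
    if any(p in text for p in CREDENTIAL_PHRASES):
        reasons.append("asks for login details or security information")
    m = re.match(r"\s*re:\s*(.*)", subject, re.I)
    if m and m.group(1).strip().lower() not in {t.lower() for t in known_threads}:
        reasons.append("'Re:' reply to a thread you never started")
    for shown, href in mismatched_links(parser.links):
        reasons.append(f"link shows {shown!r} but goes to {registrable_domain(href)!r}")
    return len(reasons), reasons


# Constructed sample messages (not real mail); .example domains are reserved.
SCAM = dict(
    subject="Re: Your account",
    html='<p>Urgent: there is a problem with your account. Confirm your login '
         'details within 24 hours at <a href="http://mybank-secure.example/login">'
         'www.mybank.example</a> or your account will be suspended.</p>',
)
LEGIT = dict(
    subject="Re: Q3 budget figures",
    html='<p>Thanks, the spreadsheet is on the shared drive: '
         '<a href="https://intranet.ceme.example/finance">intranet.ceme.example</a></p>',
)

if __name__ == "__main__":
    for name, msg in (("scam", SCAM), ("legit", LEGIT)):
        score, why = triage(msg["subject"], msg["html"], known_threads=("Q3 budget figures",))
        print(f"{name}: score {score}", *why, sep="\n  ")
```

Each reason maps back to one of the cues in the article, so the output doubles as a training aid when a reported email is walked through with the person who received it. The link check only compares the last two DNS labels; a production filter would use a public-suffix list and would also check the sender address against the display name.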

That completes this session on social engineering! I hope you found this blog useful. Again, remembering just the basics can massively increase your cyber resilience and stop you from being an easy target.

Next month we will take a look at Payment Diversion Fraud, but if you want to talk more about this month’s subject feel free to contact the CEME IT Team.

As usual here are a few links that you might find interesting.

Italian vaccination registration system down in apparent ransomware attack
Feds list the top 30 most exploited vulnerabilities. Many are years old
Microsoft warns: These attackers can go from first contact to launching ransomware in just 48 hours
Social Engineering Risks: How to Patch the Humans in Your Organization

Stay Vigilant and stay safe.

Chris George,

Head of IT, CEME