Aug 28, 2014
Social engineering is the art of manipulating people into doing something. That something could be releasing passwords, bank account information, access to a server room, the mobile number of the CEO, or a whole range of other actions that stand to benefit a social engineer.
In today's post we explain some of the most common social engineering tactics, and why organisations should be concerned about them.
Common Social Engineering Tactics
Emails & Messages From "Friends"
One social engineering attempt most of us are frequently exposed to is the standard email or message from a "friend". When a social engineer gains access to someone's email or social networking account, either directly or by using malware, they can send messages to large numbers of that person's friends and colleagues, posing as the friend in question.
Things to watch out for:
- Any email or message which contains a link. If you receive a message like this, ask the sender what it is and whether it can be trusted. Don't just click. If you are going to click, make sure you have appropriate anti-virus/malware protection installed on your machine.
- Any email or message which contains a download. Treat these with as much suspicion as you would a suspicious link. If the download looks as though it could be malicious, ask the sender a question that only they would reasonably know the answer to -- something that isn't easily discoverable from their social media profile or from within their email account, since an attacker who controls the account can read both. Again, make sure you're using appropriate anti-virus/malware protection.
- Any email or message asking for urgent assistance. If you receive a message from a friend or colleague saying they're locked out of the building and urgently need a passcode, or that they're stranded on holiday and urgently need money, be suspicious. Where possible, verify the person's identity via a separate medium -- e.g. talking to them on the phone and asking several questions on the spot that only the person in question could answer.
Never release confidential information or send money to someone before you have reasonably ascertained their identity.
Increasingly, criminals are using these types of attacks to gain access to organisations -- by posing as friends or colleagues on social networks, sending emails from compromised company accounts, and more. If an attack is successful, it's often easy for them to go on to access large amounts of confidential information.
Phishing
Phishing attempts are when a social engineer sends an email or other message that appears to come from a legitimate organisation. For example, they may pretend to be from your bank, or from the company you work for.
Things to watch out for:
- A message explaining that there's a problem. Most phishing emails state that there's some kind of problem and ask you to verify your details by clicking on a link and entering specific information into a webform. The webform may ask for passwords, personal information, or access details for something specific. The emails usually look legitimate and contain a warning about what will happen if you don't act. The warning is there to provoke action straight away, without thought. When you receive an email like this, check the sender address (not just the display name) and attempt to verify the message. It's worth calling the organisation in question to ask whether the message is legitimate; take the contact details from the organisation's own website, not from the message itself.
- A message explaining you've won something. It could be an email stating you've been given a bonus, or won a prize, raffle, or similar. In order to claim your prize, the email will typically ask for your personal and bank account details.
- A message asking for help. The help could come in any form, but will usually ask you either to send some kind of payment, or to submit confidential information.
Phishing attempts can be used to gain access to an organisation's employees' accounts, like company email and more. This can result in lots of leaked information, so it's important that company employees understand how to identify and avoid phishing attempts.
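As an added example (not code from the original post), the following Python script automates the checks that the "friend" and phishing sections above tell you to make by eye on a suspicious email: it parses a raw message, compares the From display name with the real sender domain, checks whether Reply-To routes replies somewhere else, compares each HTML link's visible text with the host it actually points to, and looks for the kind of urgency language the post describes. The two messages it inspects are constructed for this example and the domains are placeholders; the heuristics are illustrative rather than a complete phishing filter.

```python
"""Heuristic phishing-indicator check over a raw email message (added example,
not code from the original post). It automates the checks the post tells
readers to make by eye: From display name vs real sender domain, Reply-To vs
From, a link's visible text vs the host it really points to, and urgency
language. Both sample messages are constructed; the domains are placeholders."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname that visible text appears to name (a URL or a bare domain).
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")
# Pressure phrases of the kind the post describes; extend for your own mail.
URGENCY_RE = re.compile(
    r"within \d+ hours|immediately|suspended|verify your (?:account|details)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> elements of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []     # completed (href, text) pairs
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text):
    """Return the hostname that visible text appears to name, or ''."""
    m = HOST_RE.search(text.lower())
    return m.group(1) if m else ""


def same_site(shown, actual):
    """True if actual equals shown or is a subdomain of it (e.g. www.shown)."""
    return actual == shown or actual.endswith("." + shown)


def first_address(msg, header):
    """First parsed mailbox in a header, or None if the header is absent or empty."""
    hdr = msg[header]
    return hdr.addresses[0] if hdr is not None and hdr.addresses else None


def phishing_indicators(raw):
    """Parse a raw RFC 5322 message (bytes) and return a list of indicator strings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = first_address(msg, "From")
    from_dom = sender.domain.lower() if sender else ""
    # Display name that is itself an address at another domain, e.g.
    # "security@examplebank.example" <alerts@examplebank-secure.example>
    if sender and "@" in sender.display_name:
        claimed = sender.display_name.rpartition("@")[2].lower()
        if not same_site(claimed, from_dom):
            findings.append(f"display name claims {claimed} but sender is @{from_dom}")
    reply = first_address(msg, "Reply-To")
    if reply and reply.domain.lower() != from_dom:
        findings.append(f"Reply-To domain {reply.domain.lower()} differs from From domain {from_dom}")
    text = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        content = body.get_content()
        text += "\n" + content
        if body.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(content)
            for href, visible in collector.links:
                actual = (urlparse(href).hostname or "").lower()
                shown = host_in_text(visible)
                if shown and actual and not same_site(shown, actual):
                    findings.append(f"link text shows {shown} but points to {actual}")
    if URGENCY_RE.search(text):
        findings.append("urgency language: pressure to act before checking")
    return findings


# Constructed sample: spoofed display name, foreign Reply-To, disguised link, deadline.
SAMPLE_PHISH = b"""From: "security@examplebank.example" <alerts@examplebank-secure.example>
Reply-To: verify@collect-mail.example
To: victim@example.org
Subject: Action required: problem with your account
Content-Type: text/html; charset=utf-8

<html><body><p>We detected a problem with your account. Please verify your details at
<a href="http://examplebank.example.attacker.example/login">https://examplebank.example/login</a>
within 24 hours or your account will be suspended.</p></body></html>
"""

# Constructed sample of an ordinary notification with nothing to flag.
SAMPLE_LEGIT = b"""From: Example Bank <alerts@examplebank.example>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is at <a href="https://examplebank.example/statements">https://examplebank.example/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_PHISH), phishing_indicators(SAMPLE_LEGIT))
```

Two caveats a practitioner should keep in mind: a link whose visible text honestly matches its destination can still lead to a malicious page, and a lookalike sender domain with an innocuous display name ("Example Bank") is not caught by the display-name check. The script narrows down what to look at; it does not replace calling the organisation on a number taken from its own website.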
In Person Attacks
Finally, in person attacks are becoming increasingly common. These are attacks that take place over the phone, inside a company's buildings, or even at someone's house. In person attacks typically rely on the attacker presenting themselves as someone with authority (for example a senior manager or fire inspector) and using that authority to have an individual release confidential information, or grant access to secure areas or systems.
Things to watch out for:
- A phone call from someone asking for your personal details. Always ask the person on the other end of the phone for the full and correct spelling of their name, a number to call them back on, and why they need the information. Offer to call back to provide the information (using a number you have verified independently, not only the one they gave you), and never give anyone confidential information unless you are completely certain they are who they say they are.
- Someone requesting access to part of a building from a position of authority. It could be a fire inspector, or someone posing as senior management. If someone asks for access to an area, no matter how well prepared they appear to be, their identity must be verified. This means checking badges and, for people claiming to be from another organisation or from government, checking directly with that organisation that they are who they say they are and that access should be granted. Once someone is given access to an area, they should be accompanied at all times. Watch out for suspicious behaviour, for example attaching things to cables, or going near the organisation's systems.
In-person attacks can give an attacker direct physical access to an organisation's systems. It's not uncommon for attackers to install keyloggers on computer systems, attach monitoring devices to cables to intercept communications, or outright attempt to steal confidential information during their visit.
Minimising The Risk
The easiest way to minimise the risk of social engineering attempts is to ensure that your staff are security aware -- using a training course like our PCI awareness training. It's then important to ensure that your organisation has appropriate processes in place to minimise the risk of social engineering attacks.
This means making sure that reception has a process for dealing with people claiming to be, for example, a fire inspector or a senior manager they don't recognise, and having clear policies in place for secure systems usage both at home and in the office.
What do you think of the risk of social engineering to organisations? Share your thoughts in the comments below.