Social engineering is the use of deception to make a target do something or disclose information in a way that seems harmless but is malicious. Phishing emails are the most well-known social engineering tactic, but they are not the only attack vector in this category. Vishing (malicious phone calls), Impersonation (physical penetration of the building) and Smishing (malicious SMS text messages) are all growing in frequency.
Social engineering is one of the fastest growing cyber-attack vectors because it provides cyber attackers with a much better return on investment. They don’t need to spend months trying to bypass a company’s technical controls and just go through staff (who already have access to data) instead.
Humans are often referred to as the weakest link in a company’s cyber defence. However, they can be your greatest defence if given the proper investment in awareness training, tools and support.
Criminals use social engineering to persuade their target that they can trust them. The attacker will likely come across as charming and friendly. They will know things about your company, your likes and hobbies, to appear similar to you and mirror your world views.
An attacker can’t just guess these things about you. The odds of them getting that right are too low. So, they need information about you. Today, all the information an attacker needs is available online. This is normally derived from social media, company websites, blogs and other online resources. Open Source Intelligence is the name given to this publicly available information.
A classic technique is when attackers employ language in an email or phone call that leaves you feeling emotional or panicked. By making you feel anxious, panicked or angry, the attacker gets you to act impulsively and without thinking logically, when you are far more likely to make a mistake.
One case that I worked on involved a dental practice with an office in Bristol. The practice had just had a loan approved for more than £100,000. The CEO was abroad skiing with his family when his personal assistant received an email that looked as though it has come from him:
I am having a great time on the slopes! I just wanted to make sure that you have remembered to transfer the full amount of the loan into this account today for us to buy that company in Belarus. I really don’t want to miss this opportunity.”
Beth panicked; she hadn’t even put this on her to do list. She was supposed to be heading home soon so she quickly logged into the online banking and transferred the full amount of the loan as requested. On Monday morning the CEO, back from his relaxing break in the Alps told Beth that they needed a meeting to discuss how to use the loan.
Beth turned white and reminded the CEO of the email he had sent her on Friday. I can imagine what his face must have looked like. The loan was gone, and the bank refused to reimburse the money.
This company made some crucial mistakes. Firstly, on the day the loan was approved they had posted it on social media, which made them a target for attackers. The CEO had been tweeting his holiday photos so it was clear that he was not in the office. Beth should have called him and checked that the request was legitimate, but she didn’t. The culture in the company was such that the CEO would often ask her to transfer money at the drop of a hat.
This cost the company a lot of money and lost them a lot of business. It wasn’t a sophisticated attack at all, just the right story, to the right person at the right time, which resulted in a great return on investment for the attackers.
The first thing to remember with a social engineering attack is that they will always want you to do something or disclose something. A phishing email, for example, will usually contain a malicious link or attachment that they need you to click on. Any unsolicited email you receive asking you to click on a link or attachment should make you pause to think about its authenticity.
This is great in theory; however, most phishing attacks are crafted to create an emotional response not a logical one. If they can make you feel emotional – angry, anxious, excited – they can make you react impulsively. They will also create a sense of urgency using deadlines like “offer ends at noon” or “pay the fine by 3pm”. If you ever receive an email or social media message that generates a strong emotional feeling, pause, have a coffee and come back to it. I guarantee that you will see it differently.
If your social media accounts are not set to private you have no idea who may be viewing your posts, why they are viewing them, and what they will do with that information. Once something is posted online you have lost control of it.
Spend some time looking at your social media and your company website to see what information you are putting out to the world. If you feel it is too detailed or revealing then remove it.
There are several key protective measures you can take to make yourself and your business much harder to attack.
Related competencies include: Data management, Risk management
Further information: Details of training and more are available from www.red-goat.com
Centre for the Protection of National Infrastructure (CPNI) has a Think Before You Link campaign on mitigating risks from hostile state actors and COVID-19 specific security issues under Related advice, including cyber section.