Release Date: 07/10/2020
According to Maryland's The Daily Record, Google reported that during the week of April 13 alone it identified more than 18 million malware and phishing emails per day related to COVID-19 scams.
In a recent hearing before the Senate Judiciary Committee, an FBI spokesperson said that the agency has seen a dramatic increase in the number of cyberattack reports. “As of May 28, 2020, the Internet Crime Complaint Center (IC3) received nearly the same amount of complaints in 2020 (about 320,000) as they had for the entirety of 2019 (about 400,000),” said Calvin A. Shivers, assistant director of the FBI’s Criminal Investigative Division. Shivers noted that as the federal government has responded to the pandemic with new initiatives like the Paycheck Protection Program, stimulus checks, and enhanced unemployment checks, criminals have launched new fraud efforts aimed at diverting the funds associated with those programs into their own pockets.
Every one of us is exposed to social engineering. According to Infosec, social engineering can be broken into two common types: human-based and computer-based.
Human-based social engineering relies on direct contact with a person: (1) impersonation; (2) posing as an authoritative, legitimate user (such as a manager); (3) posing as a third party or a contractor in the supply chain, and so on. Computer-based social engineering, on the other hand, reaches the victim through software: email, text messages, fake websites, pop-ups and malicious attachments.
Types of Social Engineering
- Phishing Attacks – Attackers may use email, SMS, social media, and other channels for their phishing campaigns. Most phishing follows the same pattern: the message tricks the target into clicking a link to a website that may impersonate a legitimate one and asks for their credentials, or into opening an attachment that installs malware. Sometimes that malware is ransomware, which encrypts the victim's data and demands payment to unlock it.
- Spear Phishing – This type of attack is aimed at specific individuals, whereas general phishing is sent to large numbers of addresses at once in the hope that someone takes the bait. With spear phishing, the cybercriminal typically targets a select group of people who have something in common. Spear phishing requires more effort from the attacker, who researches the victim(s) and everything around them and then customizes the email. That makes it much harder to distinguish from a legitimate message and raises the attacker's chance of success.
- Whaling – Spear phishing aimed at people of higher rank in an organization: the CEO, CFO, COO and other executives, whose approval can move money or release data.
- Vishing (also called a Telephone Scam) – The attackers use phone calls to trick people into giving away their private data. The attacker spoofs the caller ID so the call appears to come from a bank or other service provider, then asks for credentials or bank account details. Have you heard about the thousands of people recently called by someone claiming to be Social Security, FEMA, or the VA? Those fake calls are vishing.
- Baiting – What distinguishes baiting from other types of social engineering is the promise of an item or good that the attacker uses to entice victims. Baiters may offer free music or movie downloads, for example, to trick users into handing over their login credentials.
- Quid Pro Quo – Often regarded as a subcategory of baiting, but here the attacker offers a service rather than a good in exchange for private data or some other action that gets the attacker what they want. The most common scenario involves an attacker posing as technical support or a computer expert who offers the target help with a real problem while asking for their login credentials or other private data.
- Pretexting – This type of attack can be hard to distinguish from other social engineering tactics. The cybercriminal invents a plausible scenario (a pretext) to obtain the victim's personal information or make them perform certain actions (e.g. make a payment, download malware). To do so, they impersonate people you trust: family members, friends, coworkers (including your IT staff), bank representatives, government officials, etc.
- Tailgating or Piggybacking – A physical security breach in which an unauthorized person follows an authorized individual into secured premises. A common scenario is an attacker asking an employee to "hold the door" to a restricted area because they forgot their access card or badge. How many times have you done this? Scary, right?!
- Scareware – Usually seen as pop-ups telling the target that their machine has been infected with a virus. They can look convincingly like they come from a legitimate antivirus company. These pop-ups always carry a sense of urgency, telling you to download their software right away to get rid of the infection. The "antivirus" you download is the malware: clicking the link is what gives the attacker access to your computer.
How to Protect Yourself from A Social Engineering Attack?
- If you receive a suspicious email, verify through a separate channel (a phone number or address you already have, not one given in the email) that you are dealing with the real person. Always question requests for sensitive information.
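As an added example (not code from the original article or from Infosec), the script below checks a raw email for the phishing indicators described under Phishing above and behind the "verify the real person" advice: a Reply-To that steers answers to a domain other than the visible sender's, a display name that borrows a brand the sending domain does not own, lookalike and punycode (IDN) domains, and link text that shows one address while the href goes to another. TRUSTED_DOMAINS, the sample message, and every host name in it are constructed for illustration; the "last two DNS labels" domain rule is a deliberate simplification.

```python
# Added example (not from the original article): flag common phishing indicators in a raw email.
# TRUSTED_DOMAINS, the sample message and every host name in it are constructed for illustration.
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}  # assumption: brands the recipient legitimately deals with
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})  # digit-for-letter swaps

def _fold(s):
    """Lower-case, strip accents (exámple -> example) and undo digit-for-letter swaps."""
    s = "".join(ch for ch in unicodedata.normalize("NFKD", s.lower()) if not unicodedata.combining(ch))
    return s.translate(_HOMOGLYPHS)

def _registrable(host):
    """Last two labels ('login.examplebank.com' -> 'examplebank.com'). Deliberately crude:
    production code should consult the Public Suffix List instead."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def _lookalike_of(host):
    """Trusted domain that host imitates (extra tokens, sub-domain tricks, digit swaps,
    IDN homographs), or None when host belongs to a trusted domain or imitates none."""
    try:
        host = host.encode("ascii").decode("idna")  # xn--exmplebank-t4a.com -> exámplebank.com
    except UnicodeError:
        pass
    for trusted in TRUSTED_DOMAINS:
        if _registrable(host) != trusted and trusted.split(".")[0] in _fold(host):
            return trusted
    return None

class _Links(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._buf).strip(), self._href))
            self._href = None

def phishing_indicators(raw_email):
    """Return (indicator, detail) pairs. An empty list means nothing obvious, not 'safe'."""
    msg = message_from_string(raw_email)
    found = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_host = from_addr.rpartition("@")[2]
    from_dom = _registrable(from_host)
    # 1. Replies steered to a different domain than the visible sender's.
    reply_dom = _registrable(parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2])
    if reply_dom and reply_dom != from_dom:
        found.append(("reply-to-mismatch", f"From {from_dom}, Reply-To {reply_dom}"))
    # 2. Display name borrows a trusted brand that the sending domain does not own.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in _fold(display_name) and from_dom != trusted:
            found.append(("display-name-impersonation", f"'{display_name}' sent from {from_dom}"))
    # 3. The sending domain itself is a lookalike of a trusted one.
    if target := _lookalike_of(from_host):
        found.append(("sender-lookalike", f"{from_host} imitates {target}"))
    # 4. Links: punycode hosts, text that names one domain but points at another, lookalikes.
    body = "".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_type() in ("text/html", "text/plain"))
    links = _Links()
    links.feed(body)
    for text, href in links.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        if any(label.startswith("xn--") for label in host.split(".")):
            found.append(("punycode-link", host))
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and _registrable(shown.group(1)) != _registrable(host):
            found.append(("link-text-mismatch", f"shows {shown.group(1)}, goes to {host}"))
        if target := _lookalike_of(host):
            found.append(("link-lookalike", f"{host} imitates {target}"))
    return found

# Constructed sample (not a real message) that trips every check above.
SAMPLE = """\
From: "ExampleBank Security" <alerts@examp1ebank-support.com>
Reply-To: verify@mail-collector.net
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Unusual activity was detected. Confirm your identity within 24 hours.</p>
<p><a href="http://examplebank.com.account-check.net/login">https://examplebank.com/login</a></p>
<p><a href="http://xn--exmplebank-t4a.com/help">Help centre</a></p></body></html>
"""

if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE):
        print(f"{indicator:28} {detail}")
```

Run against the sample it reports seven findings: the Reply-To mismatch, the impersonating display name, the digit-swapped sender domain, the link whose text says examplebank.com while pointing at account-check.net, and the punycode link that decodes to an accented "examplebank". A message that passes every check is not thereby safe; the script only surfaces the mechanical tells, and the callback verification described above still applies.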
Education is KEY!
- Our biggest line of defense should be a combination of: Equipment, Software & Culture (Culture being #1). It’s important to train your staff and familiarize them with all these different tactics and how to react to them.
Keep your systems UPDATED!
- Software updates matter because they often include critical patches for security vulnerabilities. Staying on top of newly released security patches blocks many of the attacks that follow a successful phish.
Call them BACK!
- Don't share or release information, and don't act on a payment or transfer instruction, until you have verified the requester's identity by calling them back on a number you already have on file, not one supplied in the request. Please bear in mind that Cyber and Crime policies (providing Social Engineering Coverage) require you to authenticate the validity of the request before acting on any transfer instruction. Due care!
Keep your information and accesses SAFE!
- Make sure that you don’t share passwords over the phone.
- Make sure that your staff doesn’t have their passwords on a sticky note over their desks.
- Please bear in mind that attackers want to know as much about you as possible in order to sound convincing. Keep all of your professional and private accounts safe, and review your privacy settings on Facebook, Instagram, LinkedIn, and every other social media platform you use.