Hackers use different social engineering techniques to trick users into sending money or disclosing sensitive data. Learn how to spot social engineering threats.
Social engineering is the art of deceiving a user into disclosing sensitive information. This kind of fraud is not new in the world of cybersecurity. However, the attack methods and lures used to get sensitive data have constantly been advancing. The attackers have become smarter too. Thirty years ago, social engineering was as advanced as calling users to trick them into providing the landline number that connected the hacker to an internal corporate server. Nowadays, attackers use phishing, smishing, piggybacking, and other social engineering techniques to trick targeted users into sending millions to criminal crypto wallets or providing access to sensitive data. For organizations, this costs millions in damages; employees, in turn, become penalized and even lose their jobs.
We continue our #SeeYourselfInCyber campaign as part of the nationwide Cybersecurity Awareness Month to promote cyber hygiene and help you protect against cyber threats. Today’s article is dedicated to social engineering – a tactic that accompanies most modern cyberattacks.
Every day, people cope with a large volume of decisions. They filter these decisions through a set of knowledge, skills, and biases. Hackers know this and invent new methods and techniques to exploit these filters. Social engineering means threat actors disguise themselves as your colleagues, managers, third-party partners, or customers. This masquerade has one principal aim – to trick you into providing sensitive information or taking unauthorized actions.
The attackers don’t want the targeted user to contemplate the request, so they use intimidation, playing on emotions and a sense of urgency. For instance, during the COVID-19 pandemic, hackers distributed COVID-19 lures among a concerned audience. Hackers know the victims may have no time or expertise to scrutinize the message before clicking links or downloading attachments. Your “insurance operators” may threaten the loss of an account to trick you into providing sensitive data, invoking a sense of danger.
As the demands on productivity increase, so do the requirements and responsibilities placed on employees. Cybercriminals recognize this, choosing targets with demanding jobs, those living under the pressure of external circumstances, or those working in technology departments. High-pressure industries are the most vulnerable. Despite the common myth that working in technology immunizes employees from being hacked, attacks on technology companies are very common. In fact, technology and financial services are the industries that face human error the most, as Proofpoint reports. Employees in the technology industry are the most likely to click on links in phishing emails; 47% admitted to clicking on phishing emails. 45% of employees in banking and finance also admitted to clicking phishing emails.
Attackers also use many techniques to legitimize the request and to push users into reacting (e.g., sending money to a bank account or providing access to a bank account). Keep reading to learn more about these and many other social engineering techniques.
A widely used social engineering attack technique is phishing. Phishing attacks often rely on spoofed or impersonated email addresses. Attackers trick users into thinking a message comes from a person or entity they know or trust. Criminals register a domain similar to an official one and hope the targeted user does not notice the misspelling. They also use email “bombing” tools to send emails from the actual victim’s domain. Let’s say the email address of your hypothetical colleague is firstname.lastname@example.org. Hackers can easily spoof this address into something like email@example.com and send a “work email” to you. However, the second email address has nothing in common with your colleague and aims at tricking you. Read more about phishing in the article #BeCyberSmart: Common Tips to Fight Against Phishing.
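To show the lookalike-domain trick described above from the defender’s side, here is an added example (not code from the original post) that folds common glyph substitutions and flags sender domains that are within one edit of a trusted domain; the trusted-domain set and the sample addresses are hypothetical.

```python
"""Defender-side triage: flag sender domains that imitate a trusted domain.
Added example, not from the original post; trusted set and samples are constructed."""
import unicodedata

TRUSTED_DOMAINS = {"example.org", "example.com"}  # hypothetical allow-list

# Glyphs often swapped in to imitate a name: look-alike digits and Cyrillic letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c"})
PAIRS = (("rn", "m"), ("vv", "w"))  # two characters that read as one letter

def normalize_domain(domain: str) -> str:
    """Fold case, Unicode compatibility forms and common look-alike glyphs."""
    d = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    d = d.translate(CONFUSABLES)
    for pair, single in PAIRS:
        d = d.replace(pair, single)
    return d

def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'malformed' for an address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        return "malformed"
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    norm = normalize_domain(domain)
    for good in trusted:
        # Same name after glyph folding, one edit away, or the trusted name
        # planted as a subdomain of an attacker-controlled parent domain.
        if (norm == good or osa_distance(norm, good) <= 1
                or norm.startswith(good + ".")):
            return "lookalike"
    return "unknown"
```

A result of "lookalike" is a triage signal for a mail gateway or SOC rule, not proof of fraud; short trusted names will need a tighter threshold to avoid false positives.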
Well-trained and educated personnel and advanced anti-spam engines can detect spoofed and impersonated email addresses. However, malicious messages sent via legitimate providers are much harder to catch. For instance, Proofpoint analysts noticed abuse of legitimate services to deliver malicious content. Specifically, victims received emails from PayPal with the subject “You’ve got a money request.” In fact, the phishing email was generated by registering with PayPal and then using the “request money” portal. The phishing was so sophisticated that even the organization’s anti-spam engine recognized the emails as legitimate. The attack worked towards installing malware that took $100 from the recipients every time they clicked on the link.
Attackers use text messages and voice-changing software to send SMS messages or robocalls. In these messages, hackers usually promise gifts or services in exchange for payment. An often-used tactic for smartphone penetration is called SMS phishing, or simply “smishing.” A similar tactic that uses robocalls is called vishing (voice phishing).
It is hard to find a person who didn’t get a “you won a prize, click here to get it” message. The first thing that should come to mind when seeing such a message is – did I really win the money, although I never played? 99% of such messages are smishing attacks. However, there are still those who let themselves be lured. Hackers rely on psychological triggers when sending messages, as people tend to be much more responsive to mobile messages than to e-mails.
Nothing gets done as quickly as an urgent request from your manager. And attackers know this. Pretending to be the CEO or another executive, they instill a sense of urgency for the employee to perform certain actions, so the victim doesn’t even bother to ask questions. An interesting CEO fraud occurred in the UK in March 2019 when the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO transferred almost $250 thousand to a “Hungarian supplier.” As is easy to guess, the bank account belonged to the scammer.
Threat actors use popular figures such as pop stars and actors, and even popular shows and series, in their lures. This attack technique is called piggybacking. Recently, criminals profited from the Netflix series Squid Game. In October 2021, after the series took the global audience by storm, criminals sent Squid Game-themed emails to victims in the U.S. Hackers promised early access to the next season and even the opportunity to be cast in future episodes. Once victims were persuaded to download the attached file, the Dridex banking Trojan was installed immediately, and their computers were compromised. Campaigns like this appear as quickly as cultural moments or news stories inspire them, so businesses must keep track of them and apply automated email defenses capable of spotting dynamic threats as they emerge and recede.
Baiting attacks use a false promise to invoke a sense of greed and curiosity. Luring victims into a trap, criminals steal their personal information or infect their systems with malware.
A quid pro quo attack is a type of baiting. However, unlike baiting, where attackers try to get their victims to fall for something out of curiosity, quid pro quo offers users something in return. In other words, quid pro quo may be interpreted as “a favor for a favor.” Generally, quid pro quo is not the final component of the attack. Attackers usually use it as a gateway to access the organization’s system. The Microsoft and Okta data breach case demonstrated a classic example of an attack in which quid pro quo served as the gateway. The attackers used this social engineering tactic to access the organizations’ networks to gather employee, help desk, and supply chain information. Attackers contacted one of Okta’s employees and then tricked them into providing sensitive information in exchange for money or other promises. Read more about this in one of our previous articles, Exploring the New Attack Approaches. The Case of Microsoft and Okta.
Detecting a social engineering attack in progress is not enough to keep your business safe. You need to be proactive and know how to prevent the attack. There are some distinct ways to protect against all types of cyberattacks, and social engineering attacks are no exception. These include using multi-factor authentication (MFA), strong passwords, access controls, etc. You will find an extensive list of dos and don’ts for social engineering in our next blog post.
Modern hackers are not only skilled tech geeks but strategists, managers, and even psychologists. By applying social engineering techniques, criminals bypass technological systems and prey on people’s emotions. Hackers know from whom you may be expecting an email, what information is important to you, and what your major fears are. Thereby, the attacks are becoming even more dangerous, while their consequences are devastating.
#SeeYourselfInCyber and watch out for any suspicious activities on your device. Feel free to contact Planet 9 if you have any questions. We’ll be happy to assist!