Deception and Social Engineering

Attackers use “social engineering” to trick their victims into allowing unauthorized system access, data theft and even specialized stealthy attacks used to quietly steal massive amounts of sensitive data over time.5 These attacks frequently exploit our natural tendency to want to help others. They can be in person, electronic or over the telephone and there are a variety of ways they can be used to take advantage of you:

“Phishing” attacks are designed to steal your personal, financial and/or log in information through an email, text message (referred to as “smishing”) or even an automated phone call (“vishing”). The proper name for text messaging is “short message service” or SMS, hence SMiShing. These attacks often appear to come from well-known and trusted companies like banks, airlines or industry groups and contain attachments and/or links to websites that look legitimate, but are really there to steal account log in information or host malware ready to attack the recipient’s computer as soon as he or she clicks on any of the links. These emails and messages can also be used to lure victims into contact with scam artists posing as colleagues or vendors.6,7

Phising text message
A “smishing” attack is effectively a phishing email delivered via text message. It can contain links and/or phone numbers. As soon as the recipient clicks or calls, the attack begins.
Image source: SeattlePI.com.8

A spear phishing email is a personalized version of a phishing attack aimed at a specific target (rather than a general phishing email intended to ensnare whoever falls for it). It typically includes personal and/or professional information to make the recipient trust the sender. These details can come from online sources like LinkedIn, Facebook and other social networks and information available via business-related websites, as well as particulars obtained directly from coworkers via social engineering.

In addition to these details, emails like this often appear to come from a familiar source like a friend, family member, colleague or a business you deal with regularly. This is possible because a sender’s name and/or email address can be altered to appear as though the message is coming from someone else. Likewise, a different phone number can be made to show up on a call recipient’s caller ID. This process is called “spoofing.”

Whaling is an attack that deliberately targets the high-ranking people within a business. The idea behind this approach is these targets are “big fish” within the organization who have wide access within the network yet may not take the precautions needed to keep their own accounts secure.

Pretexting is effectively in-person phishing to gain information and/or access to a restricted area. The term “pretexting” refers to the set up used to convince the target there is a justifiable reason (or pretext) to divulge the information or access the person is after. These attacks can take a wide variety of forms often revolving around someone (or a team) creating a distraction and/or masquerading as someone who could have legitimate access to the system they’re targeting. It could be someone who claims to be from a vendor or a contractor, fake IT personnel or something as random as a “fire inspector” allegedly checking the office for imagined safety hazards while an assistant/accomplice surreptitiously places devices to monitor and/or siphon sensitive data from the victim network.

Live social engineering attacks can also come by phone, such as fake “technical support” calls offering to fix imaginary problems with your computer if you will just allow the caller to briefly take control of it remotely. These are always scams. Whether at your office or at home, never allow someone who initiates contact with you to take remote control of your computer. Ever.

Baiting is a type of attack in which a piece of portable electronic storage media like a CD-ROM, laptop or USB stick drive is left at or close to the target’s workplace in order to tempt the curious victim into seeing what’s on it. These will often include an official-looking logo or markings to make them especially tempting to look at. How curious would you be to look at something labeled “Partner Compensation – 2015” (with your organization’s logo on it)? In effect, the CD, stick drive, etc. is the worm on the fishhook. You’re the fish. Of course, once the CD, laptop or stick drive is connected, it will quietly download malware onto the network. And yes, this initial intrusion into the network will likely be traceable back to you.

What can you do to avoid falling for a social engineering attack? The one thing these attacks all have in common is they rely on you to go along with the story they’re selling. The single best thing you can do whenever you receive an unsolicited electronic message or call from a business or someone you don’t know personally is to assume it’s fake. Never click on links, open attachments, call phone numbers, or use any other method of contact contained in any unsolicited emails, texts or calls. If you think the email, etc. could possibly be legitimate, contact the alleged sender directly via phone or their official website. Again, don’t use any numbers or links contained in the email, text, etc. sent to you.

Learn to recognize (and avoid) phishing emails. Phishing attacks are generally designed to make you take action by either frightening or tempting you. The attempt to scare you may be something like a problem with the delivery of an important-sounding package, an IRS question regarding your tax bill, or a “problem” with an online bank account. In the case of a bank, the phishing attempt may claim your account has been frozen and you have to enter your log in information to fix the problem. Another type of attack claims your account has been compromised and your log in information is needed to secure the account. Needless to say, the email itself is the real threat. These emails can look very convincing, but they are still fake. Their real intent is to trick you into entering your personal or log in information, clicking on a link for an infected website or opening a malware-laden attachment. If you do click on a link in a phishing email, you will often be taken to a website that looks real, but is only there to steal your account and log in information. Often, by the time you realize what’s happened, the thieves have already emptied your account.

Even if an email appears to be from someone you know, keep in mind the sender’s address can be faked. If the message appears out of character or strange in any way, give the sender a call to see if it really came from them. And of course, if an email allegedly from someone you know somehow winds up in your spam folder that’s a red flag-and-a-half something’s wrong.

In addition to your own common sense, an effective defense against phishing and spear-phishing attacks is a well thought out office procedure. An example of this might be no disclosure of PHI or wire transfers without a confirmation phone call to a number verified outside the initial point of contact (i.e., don’t just call the number in the email asking for the information and don’t assume that a caller you don’t know is actually from where he or she claims to be).

Extra risk for smartphones. Phishing emails can be particularly dangerous to deal with on smartphones and other mobile devices. On a desktop or laptop computer, you can hover over a link with your mouse (without clicking on it) to see where that link actually goes – it will appear on the lower left of your browser window. Mobile devices typically do not allow for this sort of “preview” of a link and the address bar indicating which site you are actually on is often hidden off-screen to maximize the available viewing area.

Responding to in-person deception. When someone asks you to help him or her access something – or someplace – restricted, ask yourself why he or she needs your help. Also, it never hurts to take a moment to check out the story you’re given. A quick phone call (not using a number he or she gives you) can derail a social engineering attack before it starts.

Don’t fall for the baiting attack. Tempting though it may be, opening that conveniently abandoned stick drive, etc. yourself is a bad idea. If you have dedicated security or IT personnel, take it to them and definitely tell your office manager. That way he or she can get the word out so someone else in the office doesn’t fall for it.

Speaking of, an IT department can (and should) take steps to help protect a network from electronic intruders, including the installation of network security software, but don’t forget the first line of defense against a social engineering attack is you.