The Human Element of Security

Let's talk about the human element of security, specifically the role of trickery and deceit. Attackers can use human nature to trick a target into giving up valuable information, allowing access to a restricted area or transferring funds or getting information. Attacks can come with threats or rewards and often seem like they're really urgent. There's always, "you've got to do this now!" And most people want to be helpful and responsive. The problem is attackers know this. Sometimes also what they'll use is pre-attack reconnaissance or information gathering. This is pretty common because it's a way to get information to use later to make the real attack look more convincing. Just because information doesn't seem especially sensitive in context, doesn't mean an attacker can't use it elsewhere. For example, let's say your office's staff or a colleague tells a caller that you're on vacation during a given week.

 

That caller may then send a fake email allegedly "from you" that week to wire out funds to pay an invoice that doesn't exist. Of course it will be difficult or impossible to confirm with you what happened because you're not in the office. And invariably that'll be an, "oh, we've got to pay this by the end of the day for [insert crazy reason to rush here]." This type of attack is called social engineering and it comes in a number of flavors. These are scams and attacks that you, your colleagues or anyone you know, can encounter on any given day. Attackers will often use human nature like I say, to get in for the attack because, at the end of the day, using a complicated technical attack sounds great, but it's complicated. When you're going through people, it's the path of least resistance. So instead of using software to figure out a tricky password, you can just trick someone into giving it to you.

 

It's a lot easier. So just quickly, the way these attacks come - and we'll cover these in a bit more detail in future segments here - via email, there's what's called a phishing attack. That's a mass email campaign that will typically try to trick users into opening an infected attachment, clicking on an infected weblink and/or giving up personal and/or organizational information. A related concept is something called a W-2 scam where they're trying to get employee information. This has hit some pretty sizeable companies including Seagate Technologies, Snap (at that time called Snapchat) and a large respected law firm called Proskauer Rose. A related concept is something called spear phishing, which usually will be personalized so it looks more likely to be something that you would want to open and use. There's another one called a BEC, or business email compromise scam, which is wire transfer fraud involving sometimes fake vendors or senior office personnel trying to get you to pay invoices to them instead of where they're supposed to go or sending out fake wires.

 

We'll cover that one in more detail in a little bit. That can also target home buyers through real estate transactions. Also, something we'll go into detail on. Keep in mind with any of these attacks, they don't have to come via email. They can come via a text message just as easily. That's referred to as smishing, which is because the proper name for text messaging is short message service. Hence, smishing. They can come via instant message or they can come via any social network. There are also some weird variants. Believe it or not, they can be web based. You could actually run into literal romance scams that can be on Ashley Madison, OkCupid, Facebook, etc., where someone pretends to be involved with you and then suddenly they've got compromising pictures and "well, if you give us this data, we won't publish it." That kind of thing.

 

Phone calls can come in a few different varieties. Tech support phone calls are pretty frequent, where it's someone pretending to be from Microsoft or another tech support agency and asks for access to your computer. This is always bad. We'll talk about how to deal with these in a little bit. Fake invoices - there was a dental practice out in California which reported that it received a couple of calls pretending to be from Pacific Gas and Electric saying, oh, well, you know, if you don't pay your utility bill by the end of the day, we're going to have to shut off your power. And for people who weren't trained in knowing what was coming, this was pretty scary. And of course if you do pay it, you're not paying the utility company, you're paying the scammers. So, bad. Fake invoices and overdue bills; both are the little varieties on this. And if it hasn't happened to you, you've probably heard of someone it's happened to: a fake call from "the IRS" threatening tax penalties if you don't pay your taxes right away. Let's just say they're all garbage. That's the most polite term I can give for you. Another concept is something called baiting, which is where something is left for you to take and plug into your system. Why in the world would you do this? Because it'll often be labeled something tempting, like it'll say something like "staff reductions" and maybe the next month or "office compensation" and the current year, that kind of thing. So that way naturally you're going to be curious and you wouldn't want to turn it over because then you won't get see what's on it. That's how the attack works. The idea is it gets you to plug it in and we mentioned earlier that malware can come in by connecting external media, like a stick drive or a disc, into the system, which then loads the malware.

 

Also what can work is something called in-person social engineering. Typically this is pretexting. This is someone who actually shows up with a reason to be in the office, which sounds legit but isn't. This could be something like once again like an IT professional looking to work on the systems, a building inspector, that kind of thing. One thing to realize just overall with any type of social engineering is that these attacks are always dynamic. What I mean by that is that they're always changing. There's no one set of rules which they always follow. The only rule is trick you. Now, the biggest risk of all as a result comes from the assumption that we will be able to spot them when they happen. Because everybody will fall for one of these attacks at one time or another. I certainly have. What can you do to avoid falling for one of the scams?

 

For starters, always assume a call, email, text, whatever it is fake until you're given a convincing reason to think otherwise. If an email does come from a company or person you know but doesn't quite seem right, call the sender directly. Don't use a number that's in the email because that's often going to be fake and lead to the scammers who say, "yeah, of course we're legit." No. And if there's actually links in the email, it's always a good idea before you click on anything - if you're on a laptop or desktop - hover over it with your cursor because then on the lower left of the screen there'll be a representation of where it actually goes. And if it doesn't match what it says, that's a red flag for you. Don't click. Now it's critical also to have secure procedures for any financial transactions.

 

That means direct what are called out of band confirmation with any vendors, senior personnel, etc., requesting wire transfers or changes to any financial routing information. What I mean by out of band is however you're contacted, make sure you contact them using a different method. So let's say it's someone you know, again, you'd pick up the phone. You don't use the number in the email, you call them up. If it's someone in your office and they're looking to send something out, you know, walk over to the office and ask. Look, anytime you're going to get a request for speed and secrecy, regardless of the reason, that's a pretty big red flag. And if you believe your office may have been targeted, contact your financial institution and law enforcement right away. Also helpful here is security awareness training. Employees, including dentists, should know how to recognize suspicious communications, how to identify people who should not be in the office space as well as what steps to take in response and what information should or should not be given to a caller. Secure repeatable procedures are critical. It's why you want to make sure people are trained on them and you want to write them down. And again, if you've been victimized, don't hesitate to contact law enforcement. You want to start with the FBI and Secret Service because they tend to deal with a lot of cyber based crimes.

Social engineering

  • Attackers using human nature to trick a target into giving up valuable information, allowing access to a restricted area or transferring funds

These attacks can come via:

  • Email: phishing, spear phishing and BEC (Business Email Compromise) scams
  • The Web: romance and “work from home” scams
  • Phone calls: “tech support,” fake invoices, “overdue bills,” “IRS tax penalties”
  • Baiting
  • In person social engineering: pretexting and tailgating

These attacks are never set in stone – they can always change.

What can you do to avoid falling for one of the scams?

  • Always assume the call, email, etc. is fake until you’re given a convincing reason to think otherwise
  • If an email comes from a company or person you know, call the sender directly
  • Hover over a link with your cursor to see where it actually goes

It’s critical to have secure (and easily repeatable) procedures for any financial transactions.

Don’t hesitate to contact law enforcement (and your financial institution) if your office has been victimized.