It’s Friday afternoon and your work week is quickly coming to an end. 45 minutes left before your weekend can begin! Suddenly you receive an email from HR asking you to agree and sign an acceptable use policy attachment. Why did they send it on a Friday, of all days, you ask yourself? Anyway, you sign and email the form back. On your way out you pass an HR employee and mention the form being sent back to them and tell them to have a great weekend. They look at you puzzled but still tell you to have a great weekend as well. You come back the following week to the news that the company had been compromised over the weekend and everyone is in panic mode. You hear that emails with malicious attachments were sent out to the company employees. You remember the form from HR and quickly realize you fell for this phishing scam.
Cybercrime would not be as successful without social engineering. Phishing can be extremely successful to help create security breaches. According to cybercrime expert Brett Johnson, who began his career on the dark side of cybersecurity, 92% of every security breach begins with a phishing attack[i]. Why would an attacker waste time struggling to penetrate a network through a firewall when they can just send an email to an employee behind the firewall and gain the exact same access? Social engineering attacks tend to rise with national or global issues as well. Since Covid-19, social engineering attempts have risen 667%. That also raises the number of people that fall for attacks related to the pandemic.
There are many different types of social engineering techniques that cybercriminals may use. The following are examples of ways that attackers can manipulate employees into divulging sensitive information or performing actions to help in cyber-attacks.
Phishing
There are many types of social engineering. The most common is phishing in which scammers send emails from legitimate businesses. You may be asked to click a link to change your password because of suspicious login attempts to your account. That login information that is provided to the recipient can be used in a program that plugs those credentials into many well-known websites to gain access to personal or business accounts. They can also trick you into downloading a document like the example above. That document can contain a malicious virus that the attackers can use to gain access to a company’s network and possibly hold sensitive information for ransom.
Spear Phishing
Spear phishing focuses the attack on targeted employees of a company. The email sender pretends to be a known employee of the company to gain your trust and convince you to divulge information, extract currency, or infect the entire company with malicious software.
Vishing
Vishing is social engineering performed through phone calls. Attackers call employees impersonating a phone company or network company to gain any information possible to advance in their malicious activities. This type of information gathered is known as the reconnaissance phase of an attack. The attackers use this information as a foot hold to focus on where and how the attacker can proceed in their attack.
In-Person
Another form of social engineering attack can be performed in-person. An example would be an attacker pretends to be a phone company employee or Internet service provider employee in order to gain physical access to restricted areas. Possibly even just gain information as reconnaissance for other malicious attacks.
Dumpster Diving
Dumpster diving is an attack where the malicious actor rifles through garbage bags left in dumpsters or trash cans to look for any sensitive information. This information can be used to perform malicious attacks on individuals or as reconnaissance information used for a future planned out malicious attack.
Fortunately, there are ways to combat these types of social engineering attempts. At Vala Secure we offer services to create cyber security awareness for employees. We create phishing campaigns to improve employees’ knowledge of email scams. They are tested through these emails to gain awareness of what to look for. Vala Secure also offers services to build awareness with vishing so that employees are aware of verifying who they are giving information to over the phone. In-person social engineering is also offered to test company employees and create knowledge of what to look for when someone is physically impersonating anyone that might ask for access to secure areas or try to extract any information for reconnaissance purposes. The last service that Vala Secure offers is a physical dumpster dive where garbage is searched through for any sensitive information. This gives employees awareness of what information is thrown away and what should be shredded or securely stored.
Vala Secure social engineering services are a great way to keep your company aware of how to securely handle sensitive information. Visit Vala Secure’s website at valasecure.com or call us at 972-429-8200 for more information on these services to keep your company safe from possible security breaches.
[i] Interview: Brett Johnson, ‘Original Internet Godfather’
https://www.infosecurity-magazine.com/interviews/rois-brett-johnson/
