What Is Social Engineering? What Are Different Types Of Social Engineering Attacks?
Social engineering is the art of manipulating people so they give up confidential information. The information criminals are after varies, but when individuals are targeted they are usually trying to trick you into handing over your passwords or bank details, or into giving them access to your computer so they can secretly install malicious software that captures those passwords and bank details and gives them control of the machine.
Criminals use social engineering because it is usually easier to exploit your natural inclination to trust than to find a way to break your software. It is much easier to fool someone into giving up their password than to crack it (unless the password is really weak).
Security is all about knowing who and what to trust: when, and when not, to take a person at their word; when to trust that the person you are communicating with is who you think they are; when to trust that a website or a caller is legitimate; and when providing your information is or isn't a good idea.
Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn't matter how many locks and deadbolts are on your doors and windows, or whether you have guard dogs, alarm systems, floodlights, barbed-wire fences and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and let him in without first checking that he is legitimate, you are completely exposed to whatever risk he represents.
Common social engineering attacks
Email from a friend. If a criminal manages to hack or socially engineer one person's email password, they have access to that person's contact list, and because many people reuse one password everywhere, they probably have access to that person's social networking contacts as well.
Once the criminal controls that email account, they send messages to all of the person's contacts or post on all their friends' social pages, and possibly on the pages of those friends' friends.
These messages may use your trust and curiosity:
- Contain a link that you just have to check out. Because the link comes from a friend and you're curious, you trust it and click, and you are infected with malware that lets the criminal take over your machine, collect your contacts' details and deceive them just as you were deceived.
- Contain a download (pictures, music, a movie, a document, etc.) with malicious software embedded. If you download it, which you are likely to do since you think it is from your friend, you become infected. Now the criminal has access to your machine, email account, social network accounts and contacts, and the attack spreads to everyone you know. And on, and on.
These messages may create a compelling story or pretext:
- Urgently ask for your help–your ’friend’ is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home and they tell you how to send the money to the criminal.
- Ask you to donate to their charitable fundraiser, or some other cause, with instructions on how to send the money to the criminal.
Phishing attempts. Typically, a phisher sends an e-mail, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution.
These messages usually have a scenario or story:
- The message may explain there is a problem that requires you to “verify” information by clicking the displayed link and filling in their form. The linked page may look very legitimate, with all the right logos and content (the criminals may have copied the exact format and content of the real site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook is asking for. These phishing scams often include a warning of what will happen if you fail to act soon, because criminals know that if they can get you to act before you think, you're more likely to fall for their phish.
- The message may notify you that you’re a ’winner’. Maybe the email claims to be from a lottery, or a dead relative, or the millionth person to click on their site, etc. In order to give you your ’winnings’ you have to provide information about your bank routing so they know how to send it to you, or give your address and phone number so they can send the prize, and you may also be asked to prove who you are often including your Social Security Number. These are the ’greed phishes’ where even if the story pretext is thin, people want what is offered and fall for it by giving away their information, then having their bank account emptied, and identity stolen.
- The message may ask for help. Preying on kindness and generosity, these phishes ask for aid or support for whatever disaster, political campaign, or charity is hot at the moment.
Baiting scenarios. These social engineering schemes rely on the fact that if you dangle something people want, many will take the bait. They are often found on peer-to-peer sites offering a download of something like a hot new movie or album, but they also appear on social networking sites, on malicious websites that turn up in search results, and so on.
Or the scheme may show up as an amazingly good deal on classified or auction sites. To allay your suspicion, the seller has a good rating (all planned and crafted ahead of time).
People who take the bait may be infected with malicious software that is used to launch further attacks against them and their contacts, may lose their money without receiving the purchased item, and, if they paid by check, may find their bank account emptied.
Response to a question you never had. Criminals may pretend to be responding to your ’request for help’ from a company while also offering more help. They pick companies that millions of people use like a software company or bank. If you don’t use the product or service, you will ignore the email, phone call, or message, but if you do happen to use the service, there is a good chance you will respond because you probably do want help with a problem.
For example, even though you know you didn't originally ask a question, you probably do have a problem with your computer's operating system, and you seize on this opportunity to get it fixed. For free! The moment you respond, you have bought the crook's story, given them your trust and opened yourself up to exploitation.
The “representative”, who is actually a criminal, will need to “authenticate” you, have you log into “their system”, or have you log into your own computer and either give them remote access so they can “fix” it for you, or read you commands to type so you can fix it yourself with their help. Some of those commands will open a way for the criminal to get back into your computer later.
Creating distrust. Some social engineering is all about creating distrust or starting conflicts. It is often carried out by people you know who are angry with you, but it is also done by people simply trying to wreak havoc, by people who want to first create distrust in your mind about others so they can then step in as a hero and gain your trust, and by extortionists who want to manipulate information and then threaten you with disclosure.
This form of social engineering often begins by gaining access to an email account or other communication account on an IM client, social network, chat, forum, etc. They accomplish this either by hacking, social engineering, or simply guessing really weak passwords.
- The malicious person may then alter sensitive or private communications (including images and audio) using basic editing techniques and forward these to other people to create drama, distrust, embarrassment, etc. They may make it look as though it was sent accidentally, or as though they are letting you know what is “really” going on.
- Alternatively, they may use the altered material to extort money either from the person they hacked, or from the supposed recipient.
There are thousands of variations of social engineering attacks; the only limit is the criminal's imagination, and you may experience several forms in a single attack. The criminal is then likely to sell your information to others so they too can run their schemes against you, your friends, your friends' friends, and so on, as criminals leverage people's misplaced trust.
Don’t become a victim
- Slow down. Attackers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical; never let their urgency short-circuit your careful review.
- Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.
- Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
- Reject unsolicited requests for help or offers of help. Legitimate companies and organizations do not contact you out of the blue to provide help. If you did not specifically request assistance from the sender, treat any offer to “help” restore your credit score, refinance your home, answer your question, etc. as a scam. Similarly, if you receive a request for help from a charity or organization you have no relationship with, delete it. To give, seek out reputable charitable organizations on your own.
- Don't let a link decide where you land. Stay in control by finding the website yourself through a search engine, so you are sure you land where you intend. Hovering over a link in an email shows the actual destination, which often differs from the text displayed, but a good fake (a look-alike domain, or the real brand name tucked into a subdomain of the attacker's domain) can still steer you wrong.
Curiosity leads to careless clicking: if you don't know what the email is about, clicking its links is a poor choice. Similarly, never call phone numbers given in the email; the person who answers may simply be the scammer posing as a bank teller.
- Email hijacking is rampant. Hackers, spammers and social engineers taking over people's email accounts (and other communication accounts) has become rampant. Once they control someone's email account, they prey on the trust of all that person's contacts. Even when the sender appears to be someone you know, if you aren't expecting an email with a link or attachment, check with your friend through another channel before opening links or downloading.
- Beware of any download. Unless you know the sender personally AND are expecting a file from them, downloading anything is a mistake.
- Foreign offers are fake. If you receive email from a foreign lottery or sweepstakes, about money from an unknown relative, or requesting help transferring funds from a foreign country for a share of the money, it is a scam.
- Set your spam filters to high. Every email program has spam filters. To find yours, look under your settings options, and set these high–just remember to check your spam folder periodically to see if legitimate email has been accidentally trapped there. You can also search for a step-by-step guide to setting your spam filters by searching on the name of your email provider plus the phrase ’spam filters’.
- Secure your computing devices. Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or third party to alert you to risks.
So What Is Social Engineering?
So what is social engineering? It's an umbrella term for a variety of attacks, each described below, that target people rather than software in order to obtain information or data for malicious use.
What is a Social Engineering Attack?
A social engineering attack is an orchestrated campaign against employees, at either a variety of companies or one high-value business, that uses digital, in-person or telephone techniques to steal intellectual property, credentials or money.
Aren’t There More Efficient Ways than Social Engineering?
Hackers prefer social engineering because it's much easier to manipulate a human than to break into a business's systems directly. Social engineering lets the hacker combine several techniques and even cover their tracks, because the victim moves the money or installs the malware under their own identity.
According to Nick Espinosa, CIO at BSSi2 where they do white hat hacking for their clients, “a [social engineering target] can either get [the hacker] access to the network by the [target] validating their malicious software or by actually having the person do the work for them.”
This problem is growing, and our goal is to arm you against these attacks. With this list of social engineering attacks, you can educate your users and help them avoid falling for the easy tricks that result in major security breaches. We've also included some ethical hacking ideas so you can test your users.
You might think this hack is obvious and even your best users can shut this one down, but here’s how the best social engineers use this tactic:
The social engineer will create an email address that looks like a C-level executive in your business. Maybe they nab a fake domain that looks like yours, too. For instance, firstname.lastname@example.org (a fake domain that looks like ours) would get my attention, especially if they put John Hurley (our CEO) as the “from” name.
How would the social engineer know the name of my CEO? According to Nick Espinosa, they'll do what's called a “Harvest Scan”, the reconnaissance phase, where they do everything from port scanning to IP address lookup to Google stalking to email address verification.
The hacker targets people with direct or indirect ties to the person they are impersonating, then watches for when that executive will be out of the office, so the request cannot easily be checked in person, before executing the attack.
If the hacker wants to install malware, they'll execute a social engineering attack like the example above in order to get access to a computer. If the hacker wants money, they'll write a message like:
“Tommy, we just landed a large deal with a company in Beijing and they’re going to be supplying us with X so we can be more cost effective at building widgets. Please send $10 million to the following bank account on my authority. I’ll be back on Monday as planned to fill you in.”
These examples play on human faults, most commonly known as “emotions”, to get me or “Tommy” to take action. That's why I picked this tactic first: many of these hacks use emotions and relationships to get us to act hastily. In the data example, a mobile phone signature caused me to look past the missing email signature. All the attacker needed to know was the relationship, which a quick LinkedIn search reveals. From there, he launches the attack. In the money-based attack, the message would likewise arrive by email.
STOP THE HACKER: Identifying Fake Personas
According to Bruce Campbell, V.P., Clare Computer Solutions, “If someone spoofs an email that seems to be coming from someone you know, you can get a feel for an email that doesn’t feel right. Occasionally, I’ll get an email from a good friend that just says, ‘Check this out – this is hilarious and has a link.’ I never click the link. I call the friend and say, did you send me an email?”
Nick Espinosa had another idea as well, one that is easy and hard to beat. Have C-level executives and their staff verify any money or data exchange with a verbal password agreed between themselves in person. If the CEO heads out for a conference, he can instruct the controller that anything financial will need the verbal password they established.
If the CEO emails the controller wanting to transfer $10 million, he can text or phone them afterward with the password. This is a simple out-of-band check: the request arrives on one channel and is confirmed on another that the attacker does not control. Rotate the password regularly, and immediately if the executive's phone is compromised in a social engineering attack, since a static password that has been overheard or captured once can be replayed for a later request.
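As an added example (not the article's or Nick Espinosa's own method), the Python below shows how the verbal password can be made transaction-bound: the executive and controller still share one secret, but the code that is read out or texted is derived from that secret and the specific transfer (amount, beneficiary account, date). A code that approves a legitimate transfer will not verify against a request with a different account or date, so a code that is overheard or captured cannot be replayed. The shared secret, account numbers and dates are constructed.

```python
"""Transaction-bound approval codes for out-of-band confirmation of
payment requests (added example, not the article's own method)."""
import hashlib
import hmac
from datetime import date


def canonical(amount_cents, beneficiary_account, day):
    """One unambiguous encoding of exactly what is being approved, so the
    code cannot be re-used for a different amount, account or day."""
    account = beneficiary_account.replace(" ", "").upper()
    return f"{amount_cents}|{account}|{day.isoformat()}".encode()


def approval_code(secret, amount_cents, beneficiary_account, day):
    """Six-digit code the executive reads out or texts for this transfer:
    HMAC-SHA256 over the canonical transaction, truncated the way HOTP
    (RFC 4226) truncates so the result is short enough to speak."""
    mac = hmac.new(secret, canonical(amount_cents, beneficiary_account, day),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 1_000_000:06d}"


def verify(secret, amount_cents, beneficiary_account, day, spoken_code):
    """Controller's side: recompute from the request actually in hand and
    compare in constant time."""
    expected = approval_code(secret, amount_cents, beneficiary_account, day)
    return hmac.compare_digest(expected, spoken_code.strip())


# Constructed: agreed in person by CEO and controller, and rotated.
SHARED_SECRET = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def demo():
    """Constructed scenario: the CEO approves one transfer; an attacker's
    e-mail reuses the overheard code for a different account, and an old
    code is replayed the next day."""
    day = date(2024, 5, 13)
    legit = (10_000_000 * 100, "GB29 NWBK 6016 1331 9268 19", day)
    code = approval_code(SHARED_SECRET, *legit)
    fraud = (10_000_000 * 100, "GB94 BARC 1020 1530 0934 59", day)
    stale = (legit[0], legit[1], date(2024, 5, 14))
    return {
        "legit": verify(SHARED_SECRET, *legit, code),
        "fraud": verify(SHARED_SECRET, *fraud, code),
        "stale": verify(SHARED_SECRET, *stale, code),
    }


if __name__ == "__main__":
    print(demo())
```

The controller always recomputes the code from the amount and account in the request actually in front of them, so a message whose beneficiary was swapped by the attacker fails even when the amount and the code are genuine. Binding the date keeps an overheard code from being useful beyond the day it was issued.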
The hacker commits (or pretends to commit) a low-level attack against an individual. Maybe the hacker got the user to download an attachment, as in our first social engineering tactic. Maybe the hacker is lying. Regardless, the hacker tells the user that they will lose their job and face legal consequences if they don't follow instructions.
These attacks can be targeted or sent en masse. Per Robert Siciliano, Identity Theft Expert at BestIDTheftCompanys, if the hacker doesn't have real access, he will send out an email to thousands of people, hoping to land just one or two. In that email, the hacker claims that the user has been hacked and must follow their instructions to avoid consequences. Alternatively, they'll send the malicious software (often ransomware in this case) first and follow up later.
You'll be familiar with this one. The hacker sets up a fake IT help desk account, mimics your brand's look, and may even buy a domain resembling yours. They offer a password reset form, complete with an “old password” field, which is exactly what the hacker needs to get into the account. They will use that account to reach the network or the person's machine and go deeper from there.
Network access isn't the only target of phishing attacks, though. Sometimes the target is people with purchasing power. According to Drew Parrish, Help Desk Specialist at Wabash College, social engineers have used “spear-phishing” to target faculty with purchasing power. These phishing attacks were often bank-themed, going as far as using the bank's official logo and web layout and putting the bank's name in the domain.
STOP THE HACKER: Dealing with Phishing
Phishing is the social engineer’s oldest and most reliable tool, because it works. It’s a social engineering attack that relies on deception. Here’s how your users can avoid it, courtesy of Joe Palko, VP at American Eagle:
- Check the Domain on Your Phone and Desktop
- Many phishing attacks rely on making the phishing site look like the real corporate website. Read the host name from right to left: the part that matters is the registered domain just before the top-level domain. If you are on the Chase website, the URL will be www.chase.com, where chase.com is the registered domain. A phishing site will do something like www.chase.bankonlinenow.com, where the real brand name is only a subdomain and the site belongs to whoever registered bankonlinenow.com.
- Look for HTTPS on Desktop and Mobile, but Don't Stop There
- Always make sure the site is using HTTPS (TLS). The lock icon in the address bar can be clicked or tapped to show the site's certificate; check that the name in it matches the company you intend to visit. Bear in mind that the lock only means the connection is encrypted to whoever controls that domain: phishing sites routinely obtain valid certificates for their look-alike domains, so a lock on www.chase.bankonlinenow.com is no evidence that you are talking to Chase.
- When Using Social Media, Limit Surveys and Games
- Unless you are sure the source is reliable, do not take a survey or play any games on social. Many phishing attempts are disguised as games or surveys that require you to log in with Facebook.
In addition, phishing simulations go a long way. Drew Parrish mentioned that Wabash College sent out blatantly obvious phishing emails with “ridiculous email addresses and links to click.” After a year of testing, click-through rates on the harmful links dropped by nearly 100%. Users were told by email and at a lunch-and-learn to forward all questionable emails to the help desk.
4. The Friendly Hacker
For this hack, the social engineer compromises someone’s email or social media account. Their goal is to extend their reach, so they will look at recent messages that the user has sent. Often, the initial target isn’t the final target, especially if the final target has a strong security background.
If any links or documents have been sent, the hacker might follow up saying they’ve updated it or found something similar. For instance, if targets exchanged PDFs, the hacker could send a newly updated version with malicious code.
If the hacker can’t find any way to attack their final target with the initial account, they might look for mutual friends and try to repeat the process again.
STOP THE HACKER: Simple Goes a Long Way
According to Bruce Harmon, Dean of the College of Engineering at Colorado Technical University, keeping it simple goes a long way when defending against social engineering attacks:
“The best defense against these kinds of attacks is to educate the users to avoid giving information to persons not verified as acting as legitimate agents of the company and to avoid opening attachments or clicking on links that are suspicious or have been provided by persons unknown to the user. Err on the side of safety. Even someone known to you may unwittingly provide a harmful link.”
5. Vendor Scams for API Keys
Here the hacker is trying to get your API key for a particular product. Again, they perform a harvest scan, this time to find the third-party tracking codes and scripts embedded in your website, which reveal the vendors you use, and then message you as one of those vendors. A seemingly standard automated email informs you that your API key needs to be reset and asks you to follow their link to do so.
The link leads to a phishing site which, instead of asking for a username or password, asks for your API key. It then either issues you a new key (which won't work) or tells you to try again later, while reassuring you that your current key keeps working in the meantime. Why target the API key? According to Travis Cunningham, a Software Engineer for SmartFile, “An API key is like a username/password. If someone has your API key, they can do anything on behalf of you, just as if they had your username/password.”
The level of control they gain depends on the service they are mimicking. If it stores any kind of data, even a few minutes of access could lead to a major breach. If you are ever worried about the integrity of an API key, Cunningham says to revoke it as soon as possible to prevent unauthorized use. A real vendor rotates keys from inside its own console; it never needs you to paste your existing key into a form reached from an email link.
Typosquatting is very similar to phishing, but the hacker doesn't reach out to the victim directly. Instead they sit on a similar domain and wait. Usually the domain is only a character or two off the brand's real domain: a dropped or doubled letter, two letters swapped, or a look-alike character. The hacker buys such domains and squats on them, matching the brand's look and feel. When a user fills out the login form, the hacker uses the captured credentials to cause harm.
If the real site typically offers a download, the fake can bundle malware with the executable. This can include “scareware”, which uses pop-ups and notifications on the target's computer to demand payment before the program will work; once the user fills out the payment form, the hacker has their credit card details. So now the hacker has access to the computer through the malware, access to the account through the username and password, and access to the credit card.
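As an added example (not from the original article), this Python script implements the domain checks behind three of the tactics above: the look-alike executive domain from the first tactic, the brand name hidden in a subdomain (www.chase.bankonlinenow.com) from the phishing advice, and the one-character-off typosquat described here. It extracts the registered domain from a host or URL, generates the typo and homoglyph variants of the organisation's own domains, and classifies a From header or a URL accordingly. The organisation's domains, executive names and sample senders are constructed, and the two-label suffix table is a stand-in for the real Public Suffix List.

```python
"""Look-alike domain checks for mail senders and links (added example)."""
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: the organisation's real domains and the executives to protect.
OUR_DOMAINS = {"widgetco.com", "widgetco.co.uk"}
EXECUTIVES = {"john hurley"}
# Stand-in for the Public Suffix List; real code should use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# A few characters that look alike in common fonts (not exhaustive).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "rn": "m", "m": "rn", "vv": "w"}
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def registrable_domain(host):
    """The part of a host that a registrant actually controls: the label
    just before the (possibly multi-label) public suffix."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def typo_variants(domain):
    """Domains one keystroke away from `domain`, plus homoglyph swaps."""
    name, _, suffix = domain.partition(".")
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                             # omission
        out.add(name[:i] + name[i] + name[i:])                       # doubled letter
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
        for c in ALPHABET:
            out.add(name[:i] + c + name[i + 1:])                     # substitution
            out.add(name[:i] + c + name[i:])                         # insertion
    for src, dst in HOMOGLYPHS.items():
        if src in name:
            out.add(name.replace(src, dst))
    out.discard(name)
    # labels may not start or end with a hyphen
    return {v + "." + suffix for v in out if v and v == v.strip("-")}


LOOKALIKES = set().union(*(typo_variants(d) for d in OUR_DOMAINS))
BRAND_WORDS = {d.split(".")[0] for d in OUR_DOMAINS}


def classify_domain(host):
    """'internal', 'lookalike' or 'external' for a mail domain or web host."""
    reg = registrable_domain(host)
    if reg in OUR_DOMAINS:
        return "internal"
    # a typo-distance domain, or our brand name used as somebody else's
    # subdomain (www.widgetco.bankonlinenow.com) - heuristic, so expect
    # the occasional false positive on unrelated names containing the brand
    if reg in LOOKALIKES or any(w in host.lower() for w in BRAND_WORDS):
        return "lookalike"
    return "external"


def check_from_header(from_header):
    """Flag an executive's display name paired with a non-internal address."""
    name, addr = parseaddr(from_header)
    verdict = classify_domain(addr.rsplit("@", 1)[-1])
    if name.strip().lower() in EXECUTIVES and verdict != "internal":
        return "impersonation"
    return verdict


def check_url(url):
    """(registered domain, verdict) for a link destination."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host), classify_domain(host)


if __name__ == "__main__":
    for hdr in ("John Hurley <john.hurley@widgetco.com>",
                "John Hurley <john.hurley@widgetc0.com>",
                "Payroll <hr@wdgetco.com>",
                "Bob <bob@acme.test>"):
        print(f"{hdr:45} -> {check_from_header(hdr)}")
    print(check_url("https://www.widgetco.bankonlinenow.com/login"))
```

The classifier is a mail-gateway or SIEM rule, not a user-facing check: it tags a message whose display name matches an executive while the registered domain is anything other than the organisation's own, which is exactly the pattern of the $10 million request above.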
7. Device Leave Behind
This is often combined with the piggyback or cable guy techniques described below. The hacker leaves a USB drive, CD-RW, phone or other storage device around an office with a tempting label, like salary information or a famous musician (if it's a CD). Often, if someone finds a USB drive, they'll just plug it in and start using it.
To make the device look legitimate, the hacker might put music files on it alongside other files that sound enticing to open (for instance “XYZ Company Salary Records.xlsx”). Once a file is opened, the malicious code runs.
If the hacker is using a USB device, it can take over your entire machine even with AutoRun disabled: a device built for this presents itself to the computer as a keyboard and, as soon as it is plugged in, “types” the commands that fetch and run the attacker's code. Nothing is executed from the drive itself, so the AutoRun setting never comes into play.
8. Malware Piggyback
The hacker takes advantage of a big security breach or piece of malware floating around. Then they either execute a social media newsjacking attack, like we’ll discuss in #9, or an email file attachment like in #1.
The goal is to provide a link to a harmful file that claims to be a report of their findings on your site, or a general report sent to you as a courtesy. Once the file is downloaded and opened, the hacker's malicious code is executed.
STOP THE HACKER: 4 Steps to Transform Human Behavior
Jack P. Healy (CPA/CFF, CFE), a Managing Director at Bear Hill Advisory Group, LLC, shares 4 ways you can transform human behavior when it comes to social engineering attacks:
- Provide feedback to associates on known tendencies
- Provide more education
“Many companies stop at #1. But there are organizations that can test your associates’ Social Engineering (Fraud IQ) by sending test emails. The testers will then send emails to your staff and provide you with reports on which staff opened the SE email. This is to point to additional training.”
9. Social Media Based Phishing
I wanted to separate this out because it can cover several different types of attacks.
In our first example, the hacker either builds a news brand that looks legitimate or mimics the target company's site and brand. From there they perform “newsjacking”: they retweet or use a hashtag to join a conversation, piggyback on high-profile stories surrounding their targets, and push out a link to a phishing site where users are persuaded to take actions that compromise their login or other information.
In our second example, the hacker gains access to your account and sends links to surveys and games to your friends. They may also take a more relationship-based approach, following up on existing conversations with your friends, who are their ultimate targets, and offering them a link to a phishing site.
Finally, on professional social media sites like LinkedIn, a hacker will pretend to be a recruiter for a company. They'll send you a private message about a position at a well-respected company that sounds incredible, then direct you to a phishing “employment” site that gathers a great deal of information and requires your Social Security number for background-check purposes. At that point they can do just about anything with your information.
Social media is an easy way for hackers to go phishing for unsuspecting users, and it’s becoming more prevalent because there are so many attack methods. It deserves its own section so you can make sure your scam shields are up, even when you’re communicating with friends and quality brands online.
10. Neuro-Linguistic Programming (NLP)
This is a social engineering tactic you’ll sometimes see salespeople perform to get clients to like them. Social engineers use it in the same way. Once the hacker gets physically close to the target, the hacker will match the voice, tone and body language of their victim.
Per Daniel Smith of Radware, social engineers that “[mirror their target’s] body language, breathing rate, voice and vocabulary will begin to build a connection on a subconscious level with the target. The hacker can change the mood of the conversation subconsciously by changing your body language, breathing rate, voice and vocabulary to reflect thoughts and images that strike the desired emotion. By anchoring and reframing, the hacker is able to passively control the conversation and emotions of your target, allowing them to further direct the conversation to what they’re after: information.”
NLP helps social engineers build a rapport with the target and subtly steer the conversation. To top it off, the hacker will use industry or company jargon to help close the deal and get the info they need. This helps make them seem like an authority.
At this point, the social engineer can simply try to bribe, threaten or even straight up solicit information from their target.
STOP THE HACKER: Defending NLP-based Social Engineering Attacks
NLP based social engineering tactics are notoriously hard to stop — because they feel natural. Here are a few ways to spot NLP-based tactics (you might get some false positives though, so be patient):
- Know Your Body Language Quirks
- Do you do something a bit out of the ordinary? Maybe you cross your arms a certain way or speak fast. If you notice someone in a conversation matching these tendencies, be wary of their motives. Sometimes this happens naturally, other times it’s for their gain in some way.
- Can’t Touch This
- If people touch you, especially in the United States where touch is uncommon, with the exception of friends and close family, be on alert for suspicious activity.
- Listen for Passive Commands
- Did someone tell you to take off your coat? Did they welcome you to relax? These can all be indicators of an NLP hack.
- Trust Your Gut
- If a situation doesn’t feel right, leave the conversation. If you want to maintain the relationship, politely say you forgot about a meeting you must attend.
11. Classic Piggyback
This is an in-person social engineering attack that typically happens at large organizations. The hacker will scout the smoking or other outdoor social locations and then join the group, maybe even asking people what department they work in and striking up a casual conversation.
When the group goes back in, the hacker follows the employees through the door. As the hacker explores the building, if anyone asks who they are, they can use one of the employees' names, hoping the questioner doesn't know that person. They'll tour the office looking for an unattended, unlocked workstation, and pounce. If anyone asks, they're from IT and they're updating Java or some other extremely common program.
12. The Cable Guy
The hacker will dress up as a phone or cable technician and report to the front desk. They’ll ask to be escorted to IT in order to work on the wiring or some other connection issue on the company’s end. In this scenario, the hacker might not even have to chat with someone in IT, as they may be shown to where they’re needed.
To carry out the ruse, the imposter might apologize for being late or take a fake phone or radio call from their boss, located in the home office or the van, with very specific directions on what he needs to look at. Once the hacker is alone, he can carry out his planned mischief.
13. Reverse Social Engineering
This is a big ploy. The hacker attacks a network and causes some damage, just enough to leave a trail. Then, posing as a contractor or consultant, the hacker claims to have found evidence of the breach in the target's website or application and offers to work on it for a small fee or pro bono in exchange for a testimonial.
With the deal being too good to pass up, the hacker’s fake company is hired. At this point, the hackers have considerably more access to the network and can do more harm. In the meantime, they can pass the buck and claim the “hackers” did it.
14. Rogue Employee
Obviously, for some of these situations, you need to be in the office. That leads to this hack, where the social engineer gets a low-level job at a company with just enough access to their marks. Another alternative involves bribery and solicitation to perform these actions.
Once they have a position in the office, either on their own or through a surrogate user, they can access open workstations or perform any number of activities as described in this article.
STOP THE HACKER: Check Your Logins
Tell your users that if someone uses their computer for any reason — authorized or unauthorized — they should force logouts on other devices and consider changing their password.
According to Robert Siciliano, CSP at IDTheftSecurity.com, you should “keep an eye on your accounts and their activity. Account providers such as Gmail have dashboards that show where you’re logged in and what tools or apps are connected. This includes financial and social media accounts.”
15. Open Access
Here, the social engineer works for the company and pretends to have computer or database problems. Maybe Excel is running slow, or they can’t get the SQL server to open. Regardless, they know their mark has some level of access they need. So they make friends with them, and after some time working together, they ask if they can try something on the mark’s machine to see if it works any better there.
To make this truly effective, they can bring a storage device and execute the device leave-behind as well to ensure they have continuous access.
Another variant exploits employee carelessness. When employees leave their computers unlocked, they give malicious employees in the office open access to their account. While an open computer often leads to an office prank, like switching mouse settings, it also lets the hacker access specific files, install malware or use the victim’s persona to get access to other individuals.
16. Six Degrees of Separation
Here the hacker identifies a “whale,” meaning a C-level executive or a director-level employee. Using social media and watching their in-person patterns, the hacker reaches out to the target’s friends or family with the full intention of eventually earning the trust of the target.
The hacker then uses that mutual contact to request an introduction to the target. At this point, the target is in a group setting, warmed up and comfortable, and the hacker can go after viable information.
While a group might seem like a bad idea because the hacker could get caught, it could also lower someone’s guard, especially if the hacker doesn’t directly ask for sensitive information. The hacker can focus on the initial victim — the mutual friend that their prime target has so much history with — and beat around the bush until they ask the question the hacker’s been wanting to ask themselves.
17. Bar Hopping
The hacker finds the target (using a method like the six degrees of separation) and introduces himself at the bar. Then the hacker gets the victim drunk while staying sober. At this point, they use NLP, mutual “friends” and history to strike up a conversation to get the information they desire.
Here’s how this conversation might go down:
- The hacker might say, “IT got all over my case today, they said my password wasn’t strong enough. I feel like I need to write it in a foreign language!”
- Then the victim, inebriated and trusting, will respond in kind: “Man, my password’s ‘ABC123,’ if I wasn’t the CEO they’d get all over my case!”
From there, the target has the insight they need, but they’ll likely keep the conversation going in case they end up needing more information and to ensure that the password portion of the conversation isn’t memorable for the victim.
Oh, and why isn’t the hacker drunk? Because they may have paid the bartender in advance with a handsome tip to leave alcohol out of all of his beverages.
18. Cause a Panic and Take Advantage
In this situation, the hacker reaches out to a user in some way, saying they’ve been compromised, and the hacker claims to be a technical support individual or a help desk employee. How do they get hold of the user? Through data available on the Dark Net. For instance, there are numerous cases of Dell records, including service numbers and service call dates and information, that hackers can use not only to reach out to a user but to truly convince them they are technical support.
Now they talk to the user, saying the user needs to reset their password to meet complexity requirements, enable remote desktop access or even install a file through the command prompt. The social engineer walks them through this process.
After the task is complete, the hacker asks if they can help with anything else and informs the user that there may be a survey following this call (which one of their friends might actually perform for them). They do this to make it seem authentic and because people tend to remember the beginning and end of conversations, but not the middle. By exiting the conversation gracefully or even adding another voice through a survey, they make it seem more authentic.
STOP THE HACKER: Dealing With Phone-Based Social Engineering Attacks
Here are 5 tips users can try when dealing with potential phone scams according to Rod Simmons at eSecurityPlanet:
- Get the caller’s name, phone number and extension. End the call and call them back using a number on the official company’s website.
- If you get the caller’s full name, look them up on LinkedIn. See if they have a profile and history with the company.
- Zero Trust. Treat every call as if it is a scam and ask tough, detailed questions. Provide false information to throw them off.
- Tell them you’re busy and to call you back later. Search online to see if there is any information on a scam like the one you feel could be happening. Search the name of the company and scam.
- Trust your gut. Hang up if you need to and call your company or IT department’s extension.
Here the hacker needs to be inside the building at a large, multi-site company. The hacker will wait for a director or C-level employee to leave the country, and they’ll need access to that person’s desk phone. Once this happens, the hacker will call off-site IT, faking frustration that they cannot access specific files, and they’ll demand access immediately since they’re about to leave the country.
If IT resists, they’ll insist on speaking to the person’s manager, growing angrier as time passes. Their ultimate goal is to get their target to give in to their demands quickly because they’re so angry.
There is another alternative as well. The hacker will call the IT representative, saying they were frustrated after having a face-to-face with another individual in IT. They’ll tell the victim that the CFO, or whoever the hacker is impersonating, is owed a favor.
20. Whale Hunting
Here the hacker goes after a whale, also known as your executive team. The hacker calls, pretending to be from a good cause or a professional or alumni association, and promises to provide a business partnership/networking environment that can help them grow their business. The hackers make it very affordable and brand the web page well. Naturally, the C-level executive fills out the form with his corporate credit card information.
At this point, the hacker has what they need to make corporate expenditures on the account. Other prime whale targets include the C-level support team, both in regards to money transfers and data security, especially when the C-level executive is away.
21. Election Season
This social engineering practice is very similar to whale hunting, but it can happen to anyone. A person lies about being from a campaign and calls the victim for a corporate donation. This typically follows a local election. If they pick the wrong candidate, they’ll try again in a few days with the opponent’s name.
The person will either build a website or ask for the credit card information over the phone. To finish the hack, they’ll often make the user fill out a form that looks like an official tax document, where they can gather more information about the person they hacked to reach out directly to them in the future or use their information for further gain.
The typical target for this kind of social engineering tactic is a whale. The hacker will call with a pre-recorded message, pretending to be the victim’s company or the company’s bank. The recording will ask the user to call a phone number, and when they do, the hacker will ask for their credit card info, phone number, PIN, last four digits of their social security number and other sensitive details.
At this point, the hacker will read back some transactions that are obviously fake, “cancel” them and promise the cardholder that a new card will be sent out soon. However, the hacker hasn’t done any of these things, and they’ll go on to spend more money on the card.
23. Vendor Scams for Wire Transfers
The social engineering tactic here focuses on getting money. The hacker needs to have some knowledge of the organization to pull this off on a specific target, but the scam can also be sent in volume, with the hacker posing as a big-name vendor.
The social engineer will claim to be a vendor the company uses. Again, they’ll perform a harvest scan and look at some tracking codes the company uses. This could be as simple as identifying an email marketing vendor, a web analytics tracking tool or even a content management system.
They will then execute a classic phishing scam, but they’ll inform the victim that they’re from “collections” or “accounts receivable.” This typically happens through a phone call, but it can also come by email. They’ll provide an invoice for services and request payment or a wire transfer to an offshore (and therefore hard to recover from) bank account.
If they really want to go after someone who initially ignores the request, they’ll follow up using a voice recording from a phone call in which they got the victim to answer “yes.” They then use that to try to leverage payment by claiming they have you answering “yes” to being overdue on an invoice. From there, they may threaten legal action. How do they get you to say yes? They ask you to confirm your identity on the first call, to which targets often respond “Yes, this is [FIRST NAME].”
STOP THE HACKER: Identifying Wire Transfer Social Engineering Attacks
We spoke with Damian Caracciolo, VP and Practice Leader at CBIZ Management & Professional Risk, about how he’d stop wire transfer based social engineering attacks. He gave us 3 warning signs to watch out for:
1. A request for money or payment from an apparent vendor. Never send money to an unknown subject. Always ask for multiple forms of identity from the individual that you are working with before transferring money.
2. Normal wire request process being circumvented or altered. If a normal wire request has been circumvented, something isn’t right. It’s better to be safe than sorry. Ask the necessary questions to find out why the client is altering the wire request before approving.
3. Being pressed to make a decision or send money fast. Never feel rushed to make a wire transfer. Many scam artists will rush the process so that they can get paid quickly without any background check.
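As an added example (not from the article or from CBIZ), here is how the three warning signs above can be turned into an automated screening check run on incoming vendor payment requests before anyone approves a wire. The vendor master, the request fields and the sample requests are all constructed for the demo; the urgency word list is an assumption you would tune to your own cases.

```python
import re
from dataclasses import dataclass

# Constructed vendor master (demo data): bank account and mail domain on file per approved vendor.
KNOWN_VENDORS = {
    "acme hosting": {"iban": "DE89370400440532013000", "domain": "acmehosting.example"},
}

# Phrases typical of "pay now" pressure (warning sign 3); assumed list, tune to your own cases.
URGENCY_RE = re.compile(r"\b(immediately|urgent|today|asap|final notice|legal action|overdue)\b", re.I)


@dataclass
class WireRequest:
    vendor_name: str
    sender_email: str
    iban: str
    body: str
    has_purchase_order: bool   # request cites a PO we raised ourselves
    second_approval: bool      # the normal two-person wire approval was done


def screen_wire_request(req: WireRequest) -> list[str]:
    """Return the warning signs a request triggers; an empty list means no flag."""
    flags = []
    vendor = KNOWN_VENDORS.get(req.vendor_name.strip().lower())
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    # Sign 1: vendor unknown, or known but its bank/identity details differ from our records.
    if vendor is None:
        flags.append("unknown vendor")
    else:
        if req.iban.replace(" ", "").upper() != vendor["iban"]:
            flags.append("bank account differs from vendor master")
        if sender_domain != vendor["domain"]:
            flags.append("sender domain differs from vendor master")
    # Sign 2: the normal wire process has been circumvented.
    if not req.has_purchase_order:
        flags.append("no purchase order on file")
    if not req.second_approval:
        flags.append("second approver skipped")
    # Sign 3: pressure to decide or pay fast.
    if URGENCY_RE.search(req.body):
        flags.append("urgency language")
    return flags


# Constructed samples: a routine invoice, and a "collections" push with new bank details.
ROUTINE = WireRequest("Acme Hosting", "billing@acmehosting.example", "DE89 3704 0044 0532 0130 00",
                      "Invoice 4471 for March hosting, per PO 2210.", True, True)
SUSPECT = WireRequest("Acme Hosting", "collections@acme-hosting-billing.example", "LT121000011101001000",
                      "Your account is overdue. Wire payment today to avoid legal action.", False, False)
```

Any non-empty result should route the request back through the normal process (call the vendor on the number already on file, not the one in the request) before money moves.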
Concluding Thoughts on Social Engineering Attacks
Hopefully, this gets you thinking about ways you can be hacked, while also giving you white hat hacking methods to test your own users with. Make sure that you keep track of confirmed victims and try to lower that rate each year.
As you can see, these social engineering based attacks also have various goals. Many of these tactics are after access to data, and such attacks are difficult to detect. That’s why it’s so important to protect the foundation of your data, the files your organization stores and transfers. Advanced visual file analytics and in-depth audit reporting can help identify breaches early. To improve file governance, management and access control, use SmartFile and connect it directly to your network.