Social engineering is the use of psychological manipulation to coerce people into taking actions on an attacker's behalf. Hackers, cyber criminals, and organized cybercrime rings use social engineering in many ways to obtain sensitive information, steal credit card numbers, and trick users into granting the attackers access to their systems. Social engineering attacks have become so convincing that they can fool even the most tech-savvy users today.
Social engineering attacks can take many forms today: an email from a supposed friend or coworker, a text message from your carrier, an exchange on social media, or a phone call from a customer support representative. All of these attacks exploit the trust that people commonly extend to one another. Depending on which variation a user or employee receives, the attacker's goal may be to launch malware on a system, steal an employee's username and password for a business login page, or trick a person into giving up their credit card information.
According to an article published by the FBI, the IC3 reported that 23,775 complaints of business email compromise (BEC) resulted in more than $1.7 billion in losses. Business email compromise attacks are damaging because of the amount of sensitive information these accounts store, such as employee Social Security numbers, banking statements, customer contacts, and business information.
What are the different types of social engineering attacks?
While the term social engineering is most often associated with email phishing scams, there are other attacks that rely on social engineering. These attacks range from playing on the curiosity of others to playing on commonly practiced courtesies. The most common types of social engineering attacks are the following:
1. Phishing: Phishing is the most common form of social engineering attack, where a cyber criminal creates a realistic-looking email to scam a potential victim. In many cases, these emails either contain a document with a malicious macro or link to a website that asks the user to sign in to a web service the victim uses. If the victim opens the document, the malicious macro executes embedded scripts, which can give the attacker remote access or force the compromised device to download and run ransomware. Other forms of phishing use phone calls (vishing) to gather information, or lure unsuspecting victims with urgent voicemails and text messages that mimic those sent by banks or cellular service providers. To learn more about phishing and the different phishing techniques, see our separate article on the subject.
2. Pretexting: Pretexting attacks take a more patient approach, as the attacker tries to build a sense of trust with the victim. Over time, this false sense of confidence allows the criminal to steal sensitive or personal information slowly. An attacker using pretexting will also learn what services a business uses and then contact those services to take advantage of the relationship. For example, once an attacker knows which security company a business uses to protect a facility, the attacker can contact that security company and claim that the business is expecting a service worker. Because of the amount of accurate information the attacker provides, the security personnel assume the call is legitimate and let the attacker into the business without additional confirmation.
3. Baiting: Social engineering attacks that use baiting rely on a sense of curiosity. In a baiting attack, attackers leave USB devices loaded with malicious scripts around or inside a facility. In many cases, once an employee finds the USB device, they plug it into their computer hoping to find out who owns it. The hidden program on the device executes as soon as the device connects to a system. The “My Bonus” file opens, but by then it is too late. Attackers give data files an enticing name to make the unsuspecting victim more likely to open them.
4. Quid pro quo: As the name implies, quid pro quo attacks focus on promising a service in return for potentially sensitive information. Many attackers who use quid pro quo call unsuspecting victims and offer a service, such as removing malware from their computers, but require the victim to give their credit card information over the phone. Another common variation has the attacker impersonate a U.S. Social Security Administration employee and inform the victim that they need their Social Security number for a specified reason. According to the 2019 Consumer Sentinel Network report from the Federal Trade Commission, there were a total of 650,572 reported cases of identity theft. These numbers could well be higher, as some individuals do not learn that they are victims of identity theft until months or even years later.
5. Tailgating: Tailgating, more popularly referred to as piggy-backing, is a tactic used to gain access to a building or to an area of a facility that is considered well protected. An attacker may stake out the facility and learn of other entry points where employees enter or exit the building. If the attacker has already gained access to the building, they may wait for another employee to enter a restricted part of the facility and walk through the door behind them. Tailgating occurs when an employee is willing to hold a door open for an attacker, often because of a request or as a common courtesy, without realizing what they have done.
Why do people keep falling for social engineering, and how can it be prevented?
Social engineering techniques have moved from the iconic “Nigerian prince” emails of yesteryear to more sophisticated methods that leave many victims unaware that they were tricked. Even the most security-conscious individuals may have difficulty telling a fake website from a legitimate one. The best way to help prevent employees from falling for social engineering attacks is training that covers the common signs of phishing emails and the security practices expected in the work environment. In addition to quarterly or monthly training, here is a list of additional methods that manufacturers and their suppliers can use to prevent social engineering attacks.
1. Confirm before acting: One tactic used in social engineering and phishing attacks is to impose a sense of urgency or authority on the potential victim. Social networks allow criminals to create targeted attacks. Emails requesting transfers of funds from bank accounts are very popular, and requests to divulge confidential information are another widespread form of manipulation. The best preventative action for these kinds of attacks is to train everyone to confirm the email address, and that the request comes from a trusted source, before acting on or replying to the email or phone call.
2. Require authentication for entering the work premises: One tactic commonly used to access a business or secured environment is “piggy-backing”, where the attacker asks an employee to hold a door open for them as the employee enters the building. To deter and prevent these attacks, manufacturers can adopt a policy that employees only use designated entrances and exits to enter or leave the building. Additionally, a formal plan should state that anyone without a form of identification must report to a designated security desk.
3. Do not download files you do not recognize: If you do not know what a sent file contains, or if the file has a .exe extension, do not download it. In many cases, these files contain malicious scripts that hackers and cyber criminals can use to connect to your computer remotely, or embedded scripts that force the system to download ransomware and other forms of malware.
4. Conduct regular security awareness training: Beyond the training program that may happen during employee onboarding, proper security training for both employees and leadership is vital. This training should include methods to identify phishing emails, and should cover and review the company policies and guidelines for responding to potential security breaches and social engineering attacks.
5. Ensure that your anti-virus software is up to date and active: If an employee opens a malicious document or program, effective endpoint protection (anti-virus/anti-malware) software can help prevent a security breach. In addition to a capable anti-virus/anti-malware product, tightening the spam settings of your email tool can also help minimize the risk of accidentally opening emails that carry these items.
6. Implement two-factor authentication: Use two-factor authentication for the services that are essential to day-to-day operations. Two-factor authentication prevents criminals from using stolen credentials to access confidential information, because they also need the one-time passcode. Most modern applications offer two-factor authentication as an option in the application settings.
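As an added illustration of the “confirm before acting” and “do not download files you do not recognize” points above (example code written for this page, not code from the original article or from Certitude Security), the following Python screen checks a raw email for the signals those points describe: a sender domain that merely resembles a trusted one, a Reply-To header steering replies elsewhere, pressure wording in the subject, and risky attachment types. The trusted domain list, the keyword lists and the sample message are all constructed assumptions.

```python
import difflib
import email
from email import policy

# Constructed allowlist of domains this organization trusts (assumed names).
TRUSTED_DOMAINS = {"example-manufacturing.com", "bank-example.com"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm")
URGENCY_WORDS = ("urgent", "immediately", "wire", "overdue", "suspended")

def _domain(header):
    """Lower-cased domain of the first address in a header; '' if absent."""
    if not header or not header.addresses:
        return ""
    return header.addresses[0].addr_spec.rsplit("@", 1)[-1].lower()

def screen_message(raw: bytes) -> list:
    """Return human-readable warning flags for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags, sender = [], _domain(msg["from"])
    if sender not in TRUSTED_DOMAINS:
        # Close to, but not equal to, a trusted domain: a lookalike domain.
        close = difflib.get_close_matches(sender, TRUSTED_DOMAINS, n=1, cutoff=0.8)
        flags.append(f"sender domain {sender!r} resembles trusted {close[0]!r}"
                     if close else f"sender domain {sender!r} is not trusted")
    reply = _domain(msg["reply-to"])
    if reply and reply != sender:  # replies steered elsewhere: classic BEC sign
        flags.append(f"Reply-To domain {reply!r} differs from sender domain")
    if any(w in (msg["subject"] or "").lower() for w in URGENCY_WORDS):
        flags.append("subject uses urgency or pressure language")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"attachment {name!r} has a risky extension")
    return flags

# Constructed sample: vendor-style display name on a lookalike domain, Reply-To
# steering replies to an unrelated mailbox, pressure wording, macro attachment.
SAMPLE = b"""From: Accounts Payable <ap@example-manufacturlng.com>
Reply-To: ap.payments@mail-example.net
Subject: URGENT: overdue invoice, wire today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.docm"

AAAA
--b1--
"""
```

Running `screen_message(SAMPLE)` yields four flags, one for each signal; a message from a trusted domain with a plain subject and no attachment yields none.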
My business does regular training, but how can I measure the effectiveness of user training?
When measuring the effectiveness of security awareness training, businesses can ask a third party to conduct two types of assessment. The first is a physical security assessment, in which the assessors' goal is to gain access to sensitive areas within a facility. During these assessments, the assessors use social engineering tactics such as impersonating an employee or a service technician.
In addition to these tactics, the assessors will also attempt piggy-backing and badge cloning to determine how effective the security training given to employees and leadership has been. The second assessment that manufacturers and businesses in the supply chain can request is a phishing campaign. During these campaigns, the assessors use information gathered about the services the business uses to craft email messages and web pages that are near-perfect copies of the login forms for those services.
Given the financial losses caused by the volume of email compromise attacks each year, knowing how practical and useful your security training actually is remains key to modifying human behavior and critical to improving training effectiveness.
As manufacturing companies invest in smart manufacturing, data analytics, web applications, and work-from-home models, they increase their exposure to loss. Leadership teams need to be empowered with greater certainty that their company and its employees are safe from the cybercrime organizations that seek to harm them.
The lack of a strategy that focuses on essential asset protection priorities creates confusion for leadership teams, so time and money are misallocated. The lack of oversight means limited accountability and diminished results for the time and money invested.
As a proud supporter of American manufacturing, Certitude Security® is working diligently to inform leaders and facilitate essential asset protection priorities for manufacturing businesses throughout the United States. If you are interested in learning about the empowerment services that Certitude Security® can offer, visit our website or schedule a time to speak to a team member today.