Social engineering is the use of psychological manipulation to get people to take actions on someone else's behalf. Hackers, cybercriminals, and organized cybercrime rings use it to obtain sensitive information, steal credit card numbers, and trick users into giving attackers access to their systems. Social engineering attacks have become good enough to fool even tech-savvy users.
Social engineering attacks take many forms today: an email from a supposed friend or coworker, a text message from your carrier, an exchange on social media, or a phone call from a "customer support representative." All of them exploit the trust that people extend by default. Depending on the variation, the attacker's goal may be to run malware on a system, steal an employee's username and password for a business login page, or trick a person into handing over credit card information.
According to the FBI, the Internet Crime Complaint Center (IC3) received 23,775 complaints of business email compromise (BEC) in 2019, with losses of more than $1.7 billion. A compromised business email account exposes whatever it holds and can reach: employee Social Security numbers, bank statements, customer contacts, and other business records.
What are the different types of social engineering attacks?
Phishing email is the best-known form of social engineering, but it is far from the only one. The variants range from playing on curiosity to exploiting everyday courtesies. The most common types of social engineering attacks are the following:
1. Phishing: Phishing is the most common social engineering attack: a cybercriminal crafts a realistic-looking email to scam a potential victim. In many cases the email carries a document with a malicious macro, or a link to a look-alike website that asks the victim to sign in to a service they use. If the victim opens the document and enables the macro, its embedded script runs, giving the attacker remote access or making the compromised device download and run ransomware.
Other forms of phishing use phone calls (vishing) to gather information, or urgent voicemails and text messages (smishing) that mimic those sent by banks or cellular service providers.
2. Pretexting: Pretexting attacks are built on a fabricated scenario, the pretext, that the attacker uses to establish trust with the victim. Over time, that false confidence lets the criminal extract sensitive or personal information a little at a time. The attacker may also learn which vendors a business uses and then contact the vendor directly, exploiting the existing relationship.
For example, once an attacker knows which company provides security for a facility, the attacker can call that company and claim that the victim business is expecting a service worker. Because the call contains accurate details, security personnel may treat it as legitimate and let the attacker into the building without additional confirmation.
3. Baiting: Baiting attacks rely on curiosity. The attacker leaves USB devices loaded with malicious scripts around or inside a facility. In many cases, an employee who finds one plugs it into a computer, hoping to discover who owns it.
A device configured with a hidden program runs it as soon as it is connected to a system. By the time the file named something like "My Bonus" opens, it is too late. Attackers give such files enticing names to make the unsuspecting victim more likely to open them.
4. Quid pro quo: As the name implies, quid pro quo attacks offer a service in exchange for something of value, usually sensitive information. A typical attacker calls an unsuspecting victim and offers a service, such as removing malware from their computer, but requires credit card information over the phone first.
Another common variation has the attacker impersonate a U.S. Social Security Administration employee who tells the victim that their Social Security number is needed for some stated reason. According to the Federal Trade Commission's 2019 Consumer Sentinel Network report, there were 650,572 reported identity theft cases that year. The true figure is likely higher, since some victims do not learn they have been affected until months or even years later.
5. Tailgating: Tailgating, more popularly referred to as piggybacking, is a tactic for getting into a building or an area of a facility that is otherwise well protected. The attacker may stake out the facility and learn which entry points employees use to enter and exit. If the attacker is already inside, they may wait for an employee to enter a restricted part of the facility.
The attacker then walks through the door behind the employee. Tailgating works whenever an employee holds a door open for the attacker, often in response to a request or simply out of common courtesy, without realizing what they have done.
Why do people keep falling for social engineering, and how can it be prevented?
Social engineering techniques have moved on from yesteryear's iconic "Nigerian prince" emails to more sophisticated methods that leave many victims unaware they were ever tricked. Even security-conscious individuals may have difficulty telling a fake website from a legitimate one.
The best way to keep employees from falling for social engineering is to teach them the common signs of phishing emails and the security practices expected in the workplace. In addition to quarterly or monthly training, here is a list of additional measures manufacturers and suppliers can use to prevent social engineering attacks.
1. Confirm before acting: Social engineering and phishing attacks lean on urgency or authority to rush the potential victim. Details harvested from social networks let criminals tailor the message to a specific person. Requests to transfer funds from bank accounts and requests to divulge confidential information are the most widespread forms of this manipulation. The best preventive action is to train everyone to verify the sender's address and to confirm any such request through a known, independent channel (a phone number already on file, not one supplied in the message) before acting on or replying to an email or phone call.
2. Require authentication for entering the work premises: One tactic commonly used to get into a business or secured environment is "piggybacking": the attacker asks an employee to hold a door open for them. Manufacturers can deter this with a policy that employees enter and leave only through designated entrances and exits, and a formal procedure requiring anyone without identification to report to a designated security desk.
3. Do not download files you do not know: If you do not know what a file contains, or it is an executable (for example, .exe) or a macro-enabled document, do not download or open it. Such files often carry malicious scripts that give attackers remote access to the computer, or that make the system download ransomware and other malware.
4. Conduct regular security awareness training: Beyond the training given during onboarding, ongoing security training for employees and leadership is vital. It should cover how to identify phishing emails and should review the company's policies and guidelines for responding to potential security breaches and social engineering attacks.
5. Ensure that endpoint protection is up to date and active: If an employee opens a malicious document or program, effective endpoint protection (anti-virus/anti-malware) can stop the incident from becoming a breach. Tightening the spam settings of your email tool also reduces the chance that such messages reach an inbox at all.
6. Implement two-factor authentication: Use two-factor authentication for the services essential to day-to-day operations. Without the second factor, a criminal holding stolen credentials cannot log in to confidential information. Most modern applications offer it as an option in their settings. Note that one-time passcodes can themselves be phished through a proxy login page that relays them in real time; where a service supports it, prefer phishing-resistant methods such as FIDO2 security keys.
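The "confirm before acting" rule above can be partly automated for email. The following is an added example, not code from the original article or from Certitude Security: it inspects the signals a mail gateway or a triage analyst would check before a finance request is trusted. The trusted-domain list, the urgency phrases, the confusable-character table and the two sample messages are all constructed for the example; the Authentication-Results header is assumed to have been added by your own inbound mail server.

```python
import email
import re
from email.utils import parseaddr

# Assumed: domains this organisation legitimately receives business mail from.
TRUSTED_DOMAINS = {"ourcompany.com", "example-bank.com", "example-supplier.com"}

# Constructed list of phrases that push the reader to act before checking.
URGENCY_PATTERNS = [
    r"\burgent\b", r"\bimmediately\b", r"\bwire\b",
    r"\bwithin 24 hours\b", r"\baccount (will be )?suspended\b",
]

# Character swaps commonly used to register look-alike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Fold confusable substitutions so 'exarnple-bank.com' reads 'example-bank.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    n = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if n == normalize(trusted) or edit_distance(n, trusted) <= 2:
            return trusted
    return None


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers added by our MX."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def analyze(raw: str) -> dict:
    """Flag the header and content signals a reader should verify before acting on a request."""
    msg = email.message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()

    # 1. Replies silently redirected to a different domain than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    # 2. Display name that itself looks like an address at another domain.
    if "@" in from_name and from_name.rpartition("@")[2].lower() != from_dom:
        findings.append(f"display name '{from_name}' disguises real sender '{from_addr}'")
    # 3. Sender domain imitating one we trust.
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"From domain '{from_dom}' imitates trusted domain '{target}'")
    # 4. Any authentication verdict other than pass (missing counts as a failure).
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech} verdict: {verdicts.get(mech, 'missing')}")
    # 5. Pressure language in subject or body (single-part text messages only here).
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = f"{msg.get('Subject', '')} {body}"
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text, re.IGNORECASE)]
    if hits:
        findings.append(f"urgency language matched {len(hits)} pattern(s)")

    return {"verdict": "suspicious" if len(findings) >= 2 else "ok", "findings": findings}


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: "Example Bank Payments" <payments@exarnple-bank.com>
Reply-To: payments.desk@mail-example.net
To: ap@ourcompany.com
Subject: URGENT: wire confirmation needed
Authentication-Results: mx.ourcompany.com; spf=fail smtp.mailfrom=exarnple-bank.com; dkim=none; dmarc=fail
Content-Type: text/plain; charset=utf-8

Please process the attached wire immediately; the account will be suspended within 24 hours otherwise.
"""

LEGITIMATE = """\
From: "Example Bank Statements" <statements@example-bank.com>
To: ap@ourcompany.com
Subject: Your March statement is available
Authentication-Results: mx.ourcompany.com; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass header.from=example-bank.com
Content-Type: text/plain; charset=utf-8

Your statement for March is now available in online banking.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        result = analyze(raw)
        print(label, "->", result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

A clean header check is necessary but not sufficient: a compromised account at a genuine supplier passes SPF, DKIM and DMARC, which is why the policy still requires confirming any payment change through a phone number already on file.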
My business does regular training, but how can I measure user training effectiveness?
When measuring the effectiveness of security awareness training, businesses can have a third party conduct two types of assessment. The first is a physical security assessment, in which the assessors attempt to reach sensitive areas within a facility using social engineering tactics such as impersonating an employee or a service technician.
The assessors will also try piggybacking and badge cloning to test how well employees and leadership apply their security training. The second assessment that manufacturers and supply chain businesses can request is a phishing campaign. During the campaign, the assessors use information about the services the business uses to craft email messages and web pages that are near-perfect copies of the login forms for those services.
Given the annual financial losses from business email compromise, knowing how effective your security training really is matters: it is the basis for changing behavior and improving the training itself.
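A phishing campaign is only a measurement if its results are reduced to a few comparable numbers. The following is an added example, not code from the original article or from any assessment vendor: it takes the per-user event log a campaign produces and computes the rates worth tracking from one campaign to the next. The event log, the user names and the "previous campaign" figures are constructed; the event names (sent, opened, clicked, submitted, reported) are assumed, since each tool uses its own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    user: str
    action: str      # assumed vocabulary: sent, opened, clicked, submitted, reported
    at: datetime


def campaign_metrics(events):
    """Reduce a campaign's event log to per-user outcomes, then to rates.

    Rates are over users who were sent the lure. A user who clicked three times
    counts once. A report filed before any click is the behaviour training is
    meant to produce, so it is tracked separately from 'reported at all'.
    """
    targeted = {e.user for e in events if e.action == "sent"}
    if not targeted:
        raise ValueError("no 'sent' events: nothing to measure")

    first = {}  # (user, action) -> earliest timestamp; events for untargeted users are ignored
    for e in events:
        if e.user in targeted:
            key = (e.user, e.action)
            first[key] = min(first.get(key, e.at), e.at)

    def users_who(action):
        return {u for (u, a) in first if a == action}

    clicked, submitted, reported = users_who("clicked"), users_who("submitted"), users_who("reported")
    reported_before_click = {
        u for u in reported
        if u not in clicked or first[(u, "reported")] < first[(u, "clicked")]
    }

    send_time = min(first[(u, "sent")] for u in targeted)
    report_times = [first[(u, "reported")] for u in reported]
    minutes_to_first_report = (
        (min(report_times) - send_time) / timedelta(minutes=1) if report_times else None
    )

    n = len(targeted)
    return {
        "targeted": n,
        "click_rate": len(clicked) / n,
        "submit_rate": len(submitted) / n,
        "report_rate": len(reported) / n,
        "report_before_click_rate": len(reported_before_click) / n,
        "minutes_to_first_report": minutes_to_first_report,
    }


def compare(previous, current):
    """Deltas between campaigns: negative click/submit and positive report deltas mean progress."""
    return {
        k: current[k] - previous[k]
        for k in ("click_rate", "submit_rate", "report_rate", "report_before_click_rate")
    }


# Constructed results from one simulated campaign against five users.
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_EVENTS = [Event(u, "sent", T0) for u in ("alice", "bob", "carol", "dave", "eve")] + [
    Event("alice", "opened", T0 + timedelta(minutes=3)),
    Event("alice", "clicked", T0 + timedelta(minutes=5)),
    Event("alice", "clicked", T0 + timedelta(minutes=6)),    # repeat click, counted once
    Event("alice", "submitted", T0 + timedelta(minutes=8)),  # entered credentials
    Event("bob", "opened", T0 + timedelta(minutes=4)),
    Event("bob", "reported", T0 + timedelta(minutes=7)),     # reported without clicking
    Event("dave", "opened", T0 + timedelta(minutes=10)),
    Event("dave", "clicked", T0 + timedelta(minutes=12)),
    Event("dave", "reported", T0 + timedelta(minutes=15)),   # reported, but only after clicking
    Event("eve", "opened", T0 + timedelta(minutes=20)),
    Event("mallory", "clicked", T0 + timedelta(minutes=1)),  # never targeted: ignored
]

# Constructed figures for the preceding quarter's campaign, for the trend comparison.
PREVIOUS_CAMPAIGN = {"click_rate": 0.6, "submit_rate": 0.4, "report_rate": 0.2,
                     "report_before_click_rate": 0.1}

if __name__ == "__main__":
    current = campaign_metrics(SAMPLE_EVENTS)
    for k, v in current.items():
        print(f"{k:26} {v}")
    print("change since last campaign:", compare(PREVIOUS_CAMPAIGN, current))
```

The report-before-click rate and the minutes to first report are the two figures that tell the security team whether the campaign would have been contained in a real incident; click rate alone says only how convincing the lure was.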
As manufacturing companies invest in smart manufacturing, data analytics, web applications, and work-from-home models, their loss exposure grows. Leadership teams need greater certainty that their company and its employees are protected from cybercrime organizations that seek to do them harm.
Without a strategy focused on essential asset protection priorities, leadership teams are left confused, and time and money continue to be misallocated. The lack of oversight means limited accountability and diminished results for the time and money invested.
As a proud supporter of American companies, Certitude Security® is working diligently to inform leaders and facilitate essential asset protection priorities for manufacturers and supply chains throughout the United States.
Problem discussions can be a defining moment in your career. If you are interested in value creation, learn about SPOT-Beam™ by Certitude Security®. We look forward to helping you and your business succeed!