
Common Social Engineering Attacks, Techniques, & How to Prevent Them

Social engineering attacks usually involve some form of psychological manipulation, and they’re tricky to prevent. Here are the most common forms hackers use.

Social Engineering Techniques

One way social engineering can occur is through email. You might receive an email that looks like it came from a credible company, but if you open the attachment or reply with your username and password, your device can easily be compromised.

What is a social engineering attack?

Symantec Security Response’s technical director says that bad guys are not typically trying to exploit the vulnerabilities in Windows, but instead they target you through social engineering. This means it doesn’t matter if your computer is a PC or Mac because 97% of malware attacks try to trick users into opening malicious attachments.

Phishing

Phishing is one of the most common social engineering attacks, and it usually comes in two forms: broad phishing and targeted spear-phishing. Both are often built around current events, such as disasters or tax season.

Here are some of the worst examples of social engineering hacking:

Scammers are sending phishing emails claiming to come from a real law firm called ‘Baker & McKenzie’ and telling you that you’re scheduled for court. If the link is clicked, malware will be downloaded and installed on your computer.

Taxpayers are waiting to hear about their refunds before the April 15th deadline. Cybercriminals know this, and they’re using social engineering tactics to trick taxpayers into opening a Word file that contains ransomware.

A new phishing campaign was discovered through CareerBuilder. The attacker uploaded malicious attachments instead of résumés, forcing the job portal to act as a delivery vehicle for phishing emails.

The attacker used a known job site to target email recipients. The malware was deployed in stages.

The attack starts when the attacker submits a malicious Word document (named resume.doc or cv.doc) in response to a job listing on CareerBuilder; whoever posted the listing is then notified of the new application, and that notification is what delivers the attachment.

A police department in Durham, New Hampshire was hit by ransomware last June when an employee clicked on a legitimate-looking email. Ransomware has also infected other departments, including Swansea and Tewksbury, MA; the Dickson County (Tennessee) Sheriff’s office; and more.

Here are some examples of social engineering scams:

One of the most common banking scams is a phishing email. Hackers send you an email that looks like it’s coming from your bank, but really they’re just trying to steal your info.

The Carbanak heist was reported on extensively in Feb 2015. It involved 30 countries and nearly a billion dollars’ worth of lost funds.

When the Carbanak scam happened, spear-phishing emails were sent to employees that infected workstations. The hackers tunneled deeper into bank systems until they controlled employee terminals and made cash transfers.

A scammer would send an email with a link that looked like it was coming from someone in the company. The links contained malicious code which infected the recipients’ computers, and the attackers recorded everything users did in order to learn how things were done at the organization. Once they had mastered what goes on there, they commandeered the systems for their own purposes, including ATM cash-outs, but also artificially inflating bank balances so that a customer’s balance went up by $1,000 or more before they withdrew the difference.

Fake fax notifications are another scam that will do damage to your computer. They are common at companies that still use faxes, such as document management and insurance firms.

Dropbox Link Scam: Just wait until you see what’s in Dropbox.

One of the phishing emails was a fake Dropbox password reset that would lead users to an outdated browser message. When clicked, it launched malware.

Another email had a Dropbox link with CryptoWall ransomware.

A phony “confirm your complaint” link is another scam. The attackers want you to write back with more details, so they end up with more information about you.

The company has used this for years.

This is a scam. Vin Diesel has not died, and the link leads to a scam page rather than a news story.

This is a common trend. When celebrities die, some people will try and exploit their death with fake videos or links that lead to scam pages.

The other day, my staff attempted to social engineer me and catch me in a prank.

They attempted to get my credentials by contacting me. I received an email from the Director of HR that looked like it was sent from them, but they were actually trying to trick me and steal information.

HR@knowbe4.com

10:45 AM (1 hour ago)

to: stus

Stu,

I saw a user on the company’s security forum, who goes by “securitybull72” make some negative comments about our executive compensation and you, claiming that you are overpaid and incompetent. He gave details of his disagreements with us from a financial standpoint which may have inadvertently revealed confidential information to other people.

Some of the replies to this post were negative, but I understand that he has every right to his opinion. He should have expressed it through proper channels before posting on social media.

The first time I saw this, it reminded me of something. Here’s the link.

Could you please talk to him?

Thanks.

Nine out of ten would fall for this. I was lucky that when I hovered over the link, it said that it had been created by me – a simulated phishing attack.

Prevention is the best way to avoid any issues with diversity in your workplace. The most important thing you can do is make sure that there are no barriers for anyone trying to get a job, and then monitor how well they’re being treated once they’ve been hired.

Train users with an effective training program that routinely uses an integrated anti-phishing tool to make sure they are thinking about security.

Have a backup plan in case something goes wrong and make sure to test it regularly.

Some of the more common ways to break into a computer system are…

PHISHING

Phishing has become a serious problem in the last few years and is hard to fight. Attackers usually send well-crafted emails with attachments that carry malicious payloads, and they often route their activity through anonymizing networks such as Tor, which makes them difficult to trace.

RANSOMWARE

Recently there has been an increase in phishing emails that deliver ransomware. The attackers send attachments that look like important files but actually carry the malware.

Here are a few steps you can take to protect yourself from these dirty schemes:

  • Know your rights and know what is expected of you.
  • Don’t give out personal information like bank account numbers, driver’s license numbers, or social security numbers.
  • Never open an email from your spam folder or from a sender you don’t know.
  • When you receive an email from a sender who is unknown to you, do not open the attachments they have sent.
  • To protect your computer, use reputable antivirus software like Kaspersky or Symantec.
  • Back up your data on an external hard drive or in the cloud.
  • When backing up, disconnect the backup drive from the computer afterwards. Current ransomware is known to encrypt both your primary drive and any attached secondary drives.
  • Attackers keep using this type of extortion because victims keep paying. If you need to get your data back, consult a professional.

How to prevent social engineering

  • Humans are the weakest link in a company. Companies should have at least bi-annual training for each user group so that everyone is up to date on new cyber attacks.
  • Employees should be tested by having an outside party conduct a social engineering test. This kind of testing will make them more aware and help to protect their data.
  • In response to the increase in these attacks, a number of security firms have new defenses that can block phishing attempts before they even reach your company’s internal servers. AppRiver is one such service.
  • If they get through, the best way to stop them is probably an endpoint protection system that can block the latest malware.
  • Cyphort’s IDS/IPS system is a good last line of defense against known attacks, and it can show how far they have spread in the network using signatures, behavior, or community knowledge.

Organizations need to be aware that email is the number one way to attack a company or individual. It’s used by everyone, even older employees who are less likely to be on social media and more prone to opening an email.

If an email is opened, the message has to be compelling enough for them to click on a link or open up any attachments. There are many strategies that have been successful including:

  • Fake email addresses are often used when sending out these types of emails. They may look very professional or seem to be from a company that the reader would trust.
  • A lot of companies are experiencing fake invoices, blocked payments, deliveries, or faxes.
  • Emails are designed to scare the recipient into clicking a link in order to receive more information about whatever the sender is trying to get them interested in.

Most companies put all of their defense efforts into software and hardware solutions meant to keep these threats from ever reaching employees. But this approach is flawed, because most people connect to the internet through email, Facebook, LinkedIn, Twitter or web pages at home or on mobile devices. Few companies also educate employees in identifying threats, for example by teaching them to hover over a link before clicking it and to understand the anatomy of an email address or domain name.
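The two habits named above, hovering over a link to see where it really goes and reading the sender’s real address, can be automated as a mail-filter check. The following is an added example, not code from the original article or from any product it mentions; the trusted-domain list, the sender domain and the link targets in the sample message are constructed for illustration.

```python
"""Added example: automate the cues a user is taught to check by hand, namely
hovering over a link to see where it really goes and reading the sender's real
address. Sample message and domains below are constructed for this example."""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains a trusted sender or link would really use.
TRUSTED_DOMAINS = ["knowbe4.com", "example-bank.com"]


def real_host(url: str) -> str:
    """Host the browser will actually connect to (ignores any user@ prefix)."""
    return (urlsplit(url.strip()).hostname or "").lower()


def domain_shown(text: str) -> str | None:
    """Domain the visible link text claims, or None if the text is plain words."""
    token = text.strip().lower()
    if token.startswith(("http://", "https://")):
        return real_host(token)
    if "." in token and " " not in token and "/" not in token:
        return token[4:] if token.startswith("www.") else token
    return None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def check_links(html_body: str) -> list[str]:
    """Flag hrefs whose real host differs from what the link text shows."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        host = real_host(href)
        shown = domain_shown(text)
        if urlsplit(href.strip()).username is not None:
            findings.append(f"real host '{host}' hidden behind user@ prefix in {href}")
        if shown and shown != host and not host.endswith("." + shown):
            findings.append(f"link text shows '{shown}' but points to '{host}'")
    return findings


def check_sender(raw_message: str) -> list[str]:
    """Flag a From: display name that claims a trusted domain the address lacks."""
    display, address = parseaddr(message_from_string(raw_message).get("From", ""))
    actual = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    return [
        f"display name claims '{d}' but address domain is '{actual}'"
        for d in TRUSTED_DOMAINS
        if d in display.lower() and actual != d
    ]


def analyze(raw_message: str) -> list[str]:
    """Run both checks on a raw RFC 822 message with a single HTML body part."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    return check_sender(raw_message) + check_links(body)


# Constructed sample modelled on the HR prank above; the sender domain and
# link targets are placeholders, not real sites.
SAMPLE = """\
From: "HR knowbe4.com" <hr@kn0wbe4-mail.example>
To: stus@knowbe4.com
Subject: Please talk to this user
Content-Type: text/html

<html><body>
<p>Here is the link: <a href="http://forum.example.net/post/72">www.knowbe4.com</a></p>
<p>Reset: <a href="https://knowbe4.com@reset.example.net/login">https://knowbe4.com/reset</a></p>
<p>Help: <a href="https://www.knowbe4.com/help">https://www.knowbe4.com/help</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("WARN:", finding)
```

Running it on the constructed sample reports four findings: the display name claiming a domain the address does not have, the forum link whose text names one domain while the href goes elsewhere, and the reset link that hides its real host behind a `user@` prefix (flagged twice, once for the prefix and once for the mismatch). The help link, whose text and href agree, passes.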

To prevent social engineering attacks, it is important to identify them.

When it comes to data theft, the most common source is from within. In 2013, $143 billion was lost as a result of this.

Social engineering is hard to prevent, but there are ways of detecting it. For instance, if you have a number of sensitive files and someone downloads them after hours or shares the file with others outside their group, that should be identified as suspicious behavior.
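The detection rule sketched in this paragraph, written out as an added example that is not part of the original article: the access-log format, the user directory, the sensitive-path prefixes and the company mail domain are all constructed assumptions, and a real file server or DLP product would log events differently.

```python
"""Added example: detection logic for the two behaviours the text calls suspicious,
a sensitive file downloaded outside business hours and a sensitive file shared
outside the owner's group or outside the company. Log format, user directory,
sensitive paths and company domain are constructed for this example."""
import csv
from datetime import datetime
from io import StringIO

SENSITIVE_PREFIXES = ("/finance/", "/hr/")      # assumption: where sensitive files live
COMPANY_DOMAIN = "corp.example"                  # constructed company mail domain
BUSINESS_HOURS = range(8, 18)                    # 08:00 to 17:59, Monday to Friday
GROUP_OF = {"alice": "finance", "bob": "finance", "carol": "engineering"}  # constructed

# Constructed access log: one event per line; target is the share recipient.
SAMPLE_LOG = """\
timestamp,user,action,path,target
2015-03-02T10:12:00,alice,download,/finance/q4-forecast.xlsx,
2015-03-02T23:40:00,alice,download,/finance/payroll.xlsx,
2015-03-03T11:05:00,bob,share,/finance/payroll.xlsx,carol
2015-03-03T11:06:00,bob,share,/finance/payroll.xlsx,ext@partner.example
2015-03-03T02:15:00,carol,download,/eng/readme.txt,
2015-03-03T14:00:00,bob,share,/finance/budget.xlsx,alice
2015-03-07T12:00:00,alice,download,/hr/salaries.csv,
"""


def is_sensitive(path: str) -> bool:
    """True if the path lives under one of the sensitive prefixes."""
    return path.startswith(SENSITIVE_PREFIXES)


def outside_hours(ts: datetime) -> bool:
    """True on weekends or outside the business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def flag_event(event: dict) -> list:
    """Reasons this single event is suspicious; empty list if none."""
    reasons = []
    if not is_sensitive(event["path"]):
        return reasons
    ts = datetime.fromisoformat(event["timestamp"])
    if event["action"] == "download" and outside_hours(ts):
        reasons.append("sensitive file downloaded outside business hours")
    if event["action"] == "share":
        target = event["target"]
        if "@" in target:
            # External address: anything not on the company domain is outside the firm.
            if target.rsplit("@", 1)[1].lower() != COMPANY_DOMAIN:
                reasons.append(f"sensitive file shared outside the company ({target})")
        elif GROUP_OF.get(target) != GROUP_OF.get(event["user"]):
            # Internal user name: compare the recipient's group with the sharer's.
            reasons.append(f"sensitive file shared outside the owner's group ({target})")
    return reasons


def scan(log_text: str) -> list:
    """Return (timestamp, user, path, reason) tuples for every suspicious event."""
    findings = []
    for event in csv.DictReader(StringIO(log_text)):
        for reason in flag_event(event):
            findings.append((event["timestamp"], event["user"], event["path"], reason))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

On the constructed log this flags the late-night payroll download, the share to a user in another group, the share to an external address, and the Saturday download from the HR folder, while the daytime download, the non-sensitive file and the share within the finance group pass.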

Today, there are many ways an attacker will try and compromise a corporate network, but in the end, it is the individual who has the most to lose. Attackers take whatever means necessary to break into networks and steal information; one of which is social engineering. Social engineering was responsible for some major attacks, including Sony’s 2014 hack as well as The White House last year. There are two common types of these attacks: phishing (using email) or vishing (voice-phishing).

One of the most common ways to get hacked is through a phishing attack. An individual will open an email that seems harmless but actually has malicious code in it, or they’ll download something from somewhere with malware on it.

Vishing is when someone pretends to be from a company and calls you over the phone. With some information such as your name or birthday, they may get all of your login credentials.

To protect a company, it’s important to teach employees what they should be looking for when receiving phone calls or emails. When an individual receives a call asking for information, he or she must establish the identity of the person without giving any hints about their personal details.

It’s important to know the basics in order to protect your digital identity from social engineering attacks.

  • Be careful with any email that urges you to provide personal or financial information with high urgency, or threatens you if you don’t respond quickly.
  • The scammer will ask for personal or financial information in a high-pressure way, so be wary of anyone who seems too pushy.
  • Pop-ups are designed to scare the user into making an immediate purchase.
  • Be equally careful with emails from unknown senders.
  • Keep a close eye on your bank account to make sure no unauthorized transactions have been made.
  • When you’re using public computers, don’t share personal information like passwords and credit card numbers.
  • Never click on links or download files from unknown senders.
  • If you’re going to make online transactions, be sure that the site is secure. You’ll know this if there’s a padlock icon next to the address in your browser.
  • Never give out personal information over the phone, and never respond to emails asking for your account number or other important data.
  • Never send sensitive information such as personal and financial data through email.
  • When you get an email from a website that seems legitimate, watch out for links to web forms. Phishing websites are often exact replicas of legitimate ones.
  • Pop-ups can be dangerous and it’s important to never enter personal information or click on them.
  • It’s important to have the right defense systems in place, such as spam filters and anti-virus software.
  • Users of social networks should never post personal information or download uncertified applications. They also shouldn’t click on links and videos from unknown origins.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders ensure their organizations are protected against cybersecurity threats, stay insurable, and remain legally defensible, using our risk assessment and risk management software. Schedule a demo to learn how we can help.
