Common Social Engineering Attacks, Techniques, & How to Prevent Them


Social engineering is becoming more common and sophisticated. With hackers devising clever ways to fool company employees, companies need to use due diligence in order to stay two steps ahead of cybercriminals.

Social engineering attacks usually involve some form of psychological manipulation, which makes them tricky to prevent. Below are the most common forms of social engineering used by hackers.

We wanted to educate companies, employees, and end-users on how to better recognize social engineering efforts. We asked a panel of data security experts about the most common attacks being used today.

“What are the common social engineering attacks made on companies, and how can they be prevented?”

Here are some of the top insights from our experts:


Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.


Social Engineering Techniques 

One way social engineering can occur is through email. You might receive an email that looks like it came from a credible company, but if you open the attachment or reply with your username and password, your account and device are easily compromised.

What is a social engineering attack?

Symantec Security Response’s technical director says that bad guys are not typically trying to exploit the vulnerabilities in Windows, but instead they target you through social engineering. This means it doesn’t matter if your computer is a PC or Mac because 97% of malware attacks try to trick users into opening malicious attachments.

Phishing

Phishing is one of the most common social engineering attacks, and it usually comes in two forms: broad phishing and targeted spear-phishing. Both often use lures tied to current events, disasters, or tax season.

Here are some of the worst examples of social engineering hacking:

Scammers are sending phishing emails claiming to come from a real law firm called ‘Baker & McKenzie’ and telling you that you’re scheduled for court. If the link is clicked, malware will be downloaded and installed on your computer.

Taxpayers are waiting to hear about their refunds before the April 15th deadline. Cybercriminals know this, and they’re using social engineering tactics to trick taxpayers into opening a Word file that contains ransomware.

A new phishing campaign was discovered through CareerBuilder. The attacker uploaded malicious attachments instead of résumés, forcing the job portal to act as a delivery vehicle for phishing emails.

The attacker used a known job site to target email recipients. The malware was deployed in stages.

The attack starts with the attacker submitting a malicious Word document (named resume.doc or cv.doc) in response to a job listing on CareerBuilder; when an attachment is submitted to a posting, the site notifies the employer who placed it.

A police department in Durham, New Hampshire was hit by ransomware last June when an employee clicked on a legitimate-looking email. Ransomware has also infected other departments, including Swansea and Tewksbury, MA; the Dickson County (Tennessee) Sheriff’s office; and more.

Here are some examples of social engineering scams:

One of the most common banking scams is a phishing email. Hackers send you an email that looks like it’s coming from your bank, but really they’re just trying to steal your info.

The Carbanak heist was reported on extensively in Feb 2015. It involved 30 countries and nearly a billion dollars worth of lost funds.

When the Carbanak scam happened, spear-phishing emails were sent to employees that infected workstations. The hackers tunneled deeper into bank systems until they controlled employee terminals and made cash transfers.

A scammer would send an email containing a link that appeared to come from someone in the company. The links carried malicious code that infected the recipients’ computers and recorded everything users did, so the attackers could learn how the organization operated. Once they understood the processes, they commandeered the systems for their own purposes, including ATM cash-outs and artificially inflating bank balances so a customer’s balance went up by $1,000 or more before the difference was withdrawn.

This fax-themed scam will damage your computer. It targets companies that still rely on faxes, such as document management and insurance firms.

Dropbox Link Scam: Just wait until you see what’s in Dropbox.

One of the phishing emails was a fake Dropbox password reset that would lead users to an outdated browser message. When clicked, it launched malware.

Another email carried a Dropbox link that delivered CryptoWall ransomware.

A phony link “confirming your complaint” is a scam. The attackers want you to follow up with more details so they can collect more information from you.

The company has used this for years. 

This is a scam. Vin Diesel has not died and this will be the link to your death.

This is a common trend. When celebrities die, some people will try and exploit their death with fake videos or links that lead to scam pages.

The other day, my staff attempted to social engineer me and catch me in a prank.

They attempted to get my credentials by contacting me. I received an email from the Director of HR that looked like it was sent from them, but they were actually trying to trick me and steal information.


HR@knowbe4.com

10:45 AM (1 hour ago)

to: stus

Stu,

I saw a user on the company’s security forum, who goes by “securitybull72” make some negative comments about our executive compensation and you, claiming that you are overpaid and incompetent. He gave details of his disagreements with us from a financial standpoint which may have inadvertently revealed confidential information to other people.

Some of the replies to this post were negative, but I understand that he has every right to his opinion. He should have expressed it through proper channels before posting on social media.

The first time I saw this, it reminded me of something. Here’s the link.

Could you please talk to him?

Thanks.


Nine out of ten would fall for this. I was lucky that when I hovered over the link, it said that it had been created by me – a simulated phishing attack.


Train users with an effective training program that routinely uses an integrated anti-phishing tool to make sure they are thinking about security.

Have a backup plan in case something goes wrong and make sure to test it regularly.

Some of the more common ways to break into a computer system are…

PHISHING

Phishing has become a problem in the last few years and it’s hard to fight against. Attackers usually send well-crafted emails with attachments that carry malicious payloads. They often use Tor or something like that, making them difficult to find.

RANSOMWARE

Recently, there has been an increase in the use of phishing emails with ransomware. The attackers often send out attachments that look like they are important files, but actually contain a virus.

Here are a few steps you can take to protect yourself from these dirty schemes:

  • Know your rights and know what is expected of you.
  • Don’t give out personal information like bank account numbers, driver’s license numbers, or social security numbers.
  • Never open an email that landed in your spam folder or that comes from someone you don’t know.
  • When you receive an email from a sender who is unknown to you, do not open the attachments they have sent.
  • To protect your computer, use reputable antivirus software like Kaspersky or Symantec.
  • Back up your data on an external hard drive or in the cloud.
  • When backing up, make sure to disconnect your backup drive from the computer. Current ransomware is known to encrypt both your primary and secondary drives.
  • Attackers keep using this type of extortion because victims give in. To try to get your data back, consult a professional.

How to prevent social engineering

  • Humans are the weakest link in a company. Companies should have at least bi-annual training for each user group so that everyone is up to date on new cyber attacks.
  • Employees should be tested by having an outside party conduct a social engineering test. This kind of testing will make them more aware and help to protect their data.
  • In response to the increase in these attacks, a number of security firms have new defenses that can block phishing attempts before they even reach your company’s internal servers. AppRiver is one such service.
  • If they get through, the best way to stop them is probably an endpoint protection system that can block the latest malware.
  • Cyphort’s IDS/IPS system is a good last line of defense against known attacks and for detecting how far they have invaded the network by signature, behavior, or community knowledge.

When it comes to social engineering, organizations need to be aware that email is the number one way to attack a company or individual. Everyone uses it, including older employees who are less likely to be on social media and more prone to opening an email.

If an email is opened, the message has to be compelling enough for them to click on a link or open up any attachments. There are many strategies that have been successful including:

  • Fake email addresses are often used when sending out these types of emails. They may look very professional or seem to be from a company that the reader would trust.
  • A lot of companies are experiencing fake invoices, blocked payments, deliveries, or faxes.
  • Emails are designed to scare the recipient into clicking a link in order to receive more information about whatever the lure is.

Most companies put all of their defense efforts into software and hardware solutions to keep these threats from ever reaching employees. But this approach is flawed, because most people connect to the internet through email, Facebook, LinkedIn, Twitter, or web pages at home or on mobile devices. Few companies also include employee education about identifying threats, such as mouse-over skills (checking where a link really points before clicking) and understanding the anatomy of an email address or domain name.
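As an added example (not from the original article), a small Python check that automates the “mouse-over” and domain-anatomy skills described above: it extracts each link from a constructed HTML email body and flags visible text that disagrees with the real destination, raw IP hosts, and trusted names embedded as subdomains of a foreign domain. The email body and the domains in it are constructed for illustration; the trusted-domain list is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (hypothetical domains and paths; not from a real campaign).
# The first anchor shows the organisation's forum URL as its visible text but actually
# points at a foreign host that merely embeds the trusted name as a subdomain.
SAMPLE_HTML = """
<p>Stu, here is the link to the forum post:</p>
<a href="http://login.example-corp.com.attacker-host.test/reset">
  https://forum.example-corp.com/thread/4471
</a>
<p>Also see <a href="https://forum.example-corp.com/thread/4471">the thread</a>
and <a href="http://198.51.100.7/update.exe">Dropbox password reset</a>.</p>
"""

# Assumption: the organisation's own registrable domains.
TRUSTED_DOMAINS = {"example-corp.com"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URLISH_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, visible))
            self._href = None


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). A production check would consult the
    public suffix list so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(href, visible_text, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for one anchor; an empty list means nothing suspicious."""
    warnings = []
    href_host = urlparse(href).hostname or ""
    if not href_host:
        return ["link has no host: %r" % href]
    if IPV4_RE.match(href_host):
        warnings.append("raw IP address as host: " + href_host)
    href_domain = registrable_domain(href_host)

    # Mouse-over check: visible text that looks like a URL must agree with the real target.
    if URLISH_RE.match(visible_text):
        shown = visible_text if "://" in visible_text else "http://" + visible_text
        shown_host = urlparse(shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != href_domain:
            warnings.append("visible text shows %s but link goes to %s" % (shown_host, href_host))

    # Anatomy check: a trusted name used as a subdomain label of a foreign domain.
    if href_domain not in trusted and any(t in href_host for t in trusted):
        warnings.append("trusted name embedded in foreign domain: " + href_host)
    return warnings


def scan_email(html_body):
    """Parse every anchor in the body and return [(href, visible_text, warnings)] for
    the links that raised at least one warning, in document order."""
    collector = LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        warnings = analyse_link(href, text)
        if warnings:
            flagged.append((href, text, warnings))
    return flagged


if __name__ == "__main__":
    for href, text, warnings in scan_email(SAMPLE_HTML):
        print("SUSPICIOUS:", href)
        for w in warnings:
            print("   -", w)
```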

To prevent social engineering attacks, it is important to identify them.

When it comes to data theft, the most common source is insiders. In 2013, $143 billion was lost as a result of insider theft.

Social engineering is hard to prevent, but there are ways of detecting it. For instance, if you have a number of sensitive files and someone downloads them after hours or shares the file with others outside their group, that should be identified as suspicious behavior.
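The detection idea described above, as an added example that is not part of the original article: the code runs over a constructed file-access audit log (hypothetical format) and flags sensitive files downloaded after hours or shared with someone outside the owner’s group, escalating a user who repeats the after-hours pattern. Group membership, the sensitive path prefixes, and the working-hours window are assumptions for the demonstration.

```python
from collections import Counter
from datetime import datetime

# Constructed file-access audit log (hypothetical format, one event per line):
# <ISO timestamp> <user> <action> <path> <recipient or ->
SAMPLE_LOG = """\
2015-06-03T14:12:09 alice download /finance/q2-forecast.xlsx -
2015-06-03T15:05:31 alice share /finance/q2-forecast.xlsx carol
2015-06-03T16:20:02 bob share /finance/payroll.csv dave
2015-06-03T22:10:00 dave download /public/lunch-menu.pdf -
2015-06-03T23:41:55 bob download /finance/q2-forecast.xlsx -
2015-06-03T23:43:10 bob download /finance/payroll.csv -
"""

# Assumptions for the demonstration: group membership, which paths count as sensitive,
# and what "after hours" means (07:00-18:59 local time is the working day).
USER_GROUP = {"alice": "finance", "bob": "finance", "carol": "finance", "dave": "sales"}
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
WORKDAY_START, WORKDAY_END = 7, 19
ESCALATE_AT = 2   # off-hours sensitive downloads per user before we escalate


def parse_event(line):
    """Split one audit line into a dict; raises ValueError on a malformed line."""
    ts, user, action, path, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "target": target}


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def is_after_hours(ts):
    return not (WORKDAY_START <= ts.hour < WORKDAY_END)


def detect(log_text):
    """Return (alerts, escalations). alerts is a list of (user, rule, detail) tuples in
    log order; escalations lists users whose off-hours download count reached ESCALATE_AT."""
    alerts = []
    offhours_downloads = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if not is_sensitive(ev["path"]):
            continue  # only sensitive material is in scope for these rules
        if ev["action"] == "download" and is_after_hours(ev["ts"]):
            alerts.append((ev["user"], "after-hours download", ev["path"]))
            offhours_downloads[ev["user"]] += 1
        elif ev["action"] == "share":
            owner_group = USER_GROUP.get(ev["user"])
            target_group = USER_GROUP.get(ev["target"])  # None for unknown recipients
            if target_group != owner_group:
                alerts.append((ev["user"], "shared outside group",
                               "%s -> %s" % (ev["path"], ev["target"])))
    escalations = sorted(u for u, n in offhours_downloads.items() if n >= ESCALATE_AT)
    return alerts, escalations


if __name__ == "__main__":
    found, escalated = detect(SAMPLE_LOG)
    for user, rule, detail in found:
        print("ALERT %-22s %-8s %s" % (rule, user, detail))
    print("escalate:", escalated)
```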


Today, there are many ways an attacker will try to compromise a corporate network, but in the end, it is the individual who has the most to lose. Attackers take whatever means necessary to break into networks and steal information, and social engineering is one of them. Social engineering was responsible for some major attacks, including Sony’s 2014 hack as well as the White House breach last year. There are two common types of these attacks: phishing (using email) and vishing (voice phishing, over the phone).

One of the most common ways to get hacked is through a phishing attack. An individual will open an email that seems harmless but actually has malicious code in it, or they’ll download something from somewhere with malware on it.

Vishing is when someone pretends to be a company and calls you over the phone. With some information about your name or birthday, they may get all of your login credentials.

To protect a company, it’s important to teach employees what they should be looking for when receiving phone calls or emails. When an individual receives a call asking for information, he or she must establish the identity of the person without giving any hints about their personal details.

It’s important to know the basics in order to protect your digital identity from social engineering attacks.

  • Be careful with any email that urges you to provide personal or financial information with high urgency, threatens you if you don’t respond quickly, or comes from an unknown sender.
  • Scammers ask for personal or financial information in a high-pressure way, so be wary of anyone who seems too pushy.
  • Pop-ups are often designed to scare you into making an immediate purchase.
  • Keep a close eye on your bank account to make sure no unauthorized transactions have been made.
  • When you’re using public computers, don’t share personal information like passwords and credit card numbers.
  • Never click on links or download files from unknown senders.
  • If you’re going to make online transactions, be sure that the site is secure. You’ll know this by the padlock icon next to the address.
  • Never give out personal information over the phone, and never respond to emails asking for your account number or other important data.
  • Never send sensitive information such as personal and financial data through email.
  • When you get an email from a website that seems legitimate, watch out for links to web forms. Phishing websites are often exact replicas of legitimate ones.
  • Pop-ups can be dangerous and it’s important to never enter personal information or click on them.
  • It’s important to have the right defense systems in place, such as spam filters and anti-virus software.
  • Users of social networks should never post personal information or download uncertified applications. They also shouldn’t click on links and videos from unknown origins.

Keith Casey


@CaseySoftware

Keith Casey currently works as the director of product for Clarify.io, a company that helps make APIs easier and more consistent.

The most common form of social engineering attack is when hackers impersonate someone in the company, like a CEO or other high-level executive.

“I just need.” Basically, someone calls the company claiming to represent the phone company, internet provider, etc., and starts asking questions. They claim to have a simple problem or know about a problem that can be fixed quickly, but they just need one little thing. It could be as innocuous as asking for a username or someone’s schedule or as blatant as asking for a password. Once the attacker has this information, they call someone else in the company and use the new information to refine their attack. Lather, rinse, repeat.

Many people are tricked into giving away company information by attackers pretending to be employees. The attackers get access to email accounts, phone records, and travel itineraries.

The best way to protect yourself when someone calls is not to give them your information. Instead, ask for their phone number and offer to call them back at that number.

You should never give your credit card number to someone who calls you. Call the company’s customer service line and they will help.

Joe Ferrara


@WombatSecurity

Joe Ferrara is the CEO of Wombat Security Technologies, and he’s been working in technology for 20 years. Recently Joe was a finalist for EY Entrepreneur Of The Year Western Pennsylvania and West Virginia, and he received a CEO award from CEO World. He has spoken at numerous information security conferences around the world, including RSA Europe, the CISO Executive Network forum, and ISSA International.

Here are some tips on how to protect against social engineering attacks.

Social engineering is a phenomenon that exploits human psychology to gain access to buildings, systems, and data. It’s so advanced now that technology solutions and policies alone cannot protect critical resources.

Companies should:

  • Make sure to take a baseline assessment of your employees’
  • Let employees know why they need to be discreet when it comes to company information.
  • A good way to start is by targeting the most risky employees and/or common behaviors.
  • Give employees the power to make decisions about security instead of relying on a central authority.
  • Interactive training can be used to help increase knowledge retention. With short sessions that fit employees’ busy schedules, these trainings apply proven learning science principles.
  • Send automated reminders to employees about training deadlines.
  • With these reports, executives can easily see when knowledge is improving over time.

Companies need to focus on the human side of security more than just investing in technology defenses. Companies should be training their employees about current threats and how to avoid them.

Companies should use social engineering attacks to test their employees, and then train them on how to combat these types of scenarios. Having a security program in place can help protect your company from data breaches.

Sanjay Ramnath


@Barracuda

Sanjay Ramnath is the Senior Director of Product Management for Barracuda, a company that provides powerful and easy-to-use IT solutions.

When it comes to social engineering, I recommend…


Companies need to find a way to use social media for their business. They can’t just block these sites from the network.

Training is important, but it’s not enough. There are many ways to mitigate the risks of social media while allowing them to be used; for example, creating a code of conduct that everyone agrees on and having someone monitor what employees post online.

With Bring Your Own Device, network administrators are under a lot of pressure to protect the company’s network of devices that were not created with it in mind.

Social media is a zero-trust environment. You don’t know who you’re talking to, and often people’s guards are lowered when they use it.

In a case like social engineering, where people are subject to spear-phishing attacks and other scams before they even reach the network, it is good to have a spam firewall and web filter in place, as well as training for employees on how not to fall prey.

BYOD is a growing problem, so it’s important for companies to have security solutions in place.

Alex Markowitz


@ChelseaTech

Alex Markowitz is a Systems Engineer for Chelsea Technologies, and he has 10 years of IT experience in the financial sector.

To prevent social engineering attacks, I suggest that companies…

The Power of No.

Google the top social engineering attacks. What do you get? Stories about Trojan Horses, phishing attacks, malware injections, redirects, spam, and people giving up way too much personal information on public websites. The surface area for social engineering attacks is as big as all the employees and users in your corporation. The best social engineering attack will involve nothing but an unnoticed slip or mistake from one user. I am going to address the very specific aspect of internal security and leave you with the following: the most important protection you need in your company is the ability to say, “No.”

It is important to know the history of attacks, but that will not protect you. The attackers are always ahead of those who defend against them. A social engineer has an endless well of creativity and should be treated as such–technology changes, but humans do not.

I have noticed that there are always executives, managers, and other powerful people who want to be treated special. They refuse to follow the rules because they think it doesn’t apply to them or their family members.

They want things that will make their professional lives even easier than we in IT already struggle to make them. Unfortunately, in IT, we are in the habit of saying, “Yes.” I have seen directors and CTOs create special exceptions for other high-ranking users to garner favors and popularity, but also because they are scared for their own position. This is lazy; this is arrogant; this is stupid, but this is, most of all, human. We human beings are the system attacked by social engineering, and then we leave ourselves open by falling prey to our insecurities, giving an attacker an invitation to storm our gates. All IT needs to learn how to say is “No,” and IT management needs to be strong and stubborn for the good of a company. One of the best ways to protect your company from social engineers is to learn how to say, “No.” Keep politics and climbing the office ladder out of IT security.

I know I am addressing a very specific aspect of IT, but one of the best ways to shrink your attack surface is to learn how to say, “No.” It takes strong leadership and determination from IT management to keep our protection streamlined. Only after our protection is streamlined can we accurately educate our users and create a secure infrastructure. Every individual exception opens a Pandora’s Box for social engineers to find (or even just stumble upon) and exploit.

Robert Harrow


@robert_harrow

Robert Harrow is a credit card, home insurance, and health insurance researcher. He’s interested in security because of the data breaches he studied.

The biggest threat to companies today is people who are skilled at manipulating others.

The most common type of social engineering is a phishing scam. In 2013, there were reported to be $5.9 billion in losses from close to 450,000 attacks.

Spam filters are useful for employees, but they don’t work with spear phishing. These attacks are less frequent but more targeted to specific high-value individuals — likely CEOs and CFOs. Spam filters can’t prevent these types of attacks.

It is important to educate employees about phishing and not open any e-mails that sound suspicious.

Steven J.J. Weisman, Esq.


@Scamicide

Steven J.J. Weisman is a lawyer and college professor, who teaches at Bentley University about White Collar Crime.

I advise companies to do the following in order to prevent social engineering attacks:

In major data breaches, the malware generally has to be downloaded into a company’s computers from an outside source. Usually, this is done through social engineering tactics that trick employees into clicking on links or downloading attachments.

They use an email marketing campaign to persuade employees.

  • Most of them try to make it look like the email is from a friend, but they’ve actually hacked their account.
  • They make it appear that the email comes from someone within the company, and they may have gotten their name or email address through a variety of databases like LinkedIn.
  • They gather information on targets by looking at their social media accounts, where they may have posted personal info that a hacker can use to contact them and trick them into clicking on a link.
  • The link is to a website where you can watch free pornography.
  • The link is to provide photos or gossip about celebrities.
  • The link is to provide sensational and compelling photographs or videos of an important news event.
  • The notification came from someone in IT security at the company.

These are just a few of the more common tactics that hackers use to penetrate company networks.

The best way to stop these people is by preventing them from getting jobs in the first place.

Train employees on my motto, “Trust me, you can’t trust anyone.” No one should ever provide personal information to anyone in response to a request until they have verified that the request is legitimate. No one should ever click on any link without confirming that it is legitimate.

It’s important to teach employees about the dangers of phishing and spear-phishing schemes, so they can be more vigilant when responding to emails.

It is important to keep up-to-date on the latest anti-virus and anti-malware software, but hackers are always one step ahead.

Employees should only have access to the information they need in order to do their job.

Make sure you use two-factor authentication and strong passwords that are changed on a regular basis.

Aurelian Neagu


@HeimdalSecurity

Aurelian Neagu, a technical writer with 6 years of experience in the cyber security field at Bitdefender and Heimdal Security, has been studying how technology changes human relationships within society.

A type of attack on a company is to use social engineering.

Diversity can come from both inside and outside the company.

Malicious insiders use social engineering to commit fraud.

According to PwC’s survey, 21% of current or former employees use social engineering for various reasons. Some do it just because they are curious and others out of revenge.

Social engineering methods can include:

  • Hacking into a company and stealing their passwords.
  • Using confidential information as a bargaining chip for trying to find another job or better position within the company.
  • Leaving the company and using confidential information for malicious purposes.

Cyber crime and hacking

  • Malicious outsiders try to trick employees into giving them information. They can do that by contacting someone over the phone, sending an email, or coming in person.
  • Social engineering relies on the confidence that cyber criminals have, and also their trust in reputable companies.
  • One way this information can be used is to gain the victim’s trust, which would then give them sensitive information.
  • Once the malware is inside, it can act in various ways. For example, if an employee receives a malicious email attachment, opens it, and clicks ‘yes’ when asked to run or save the file (even though they don’t know what’s in it), their system could be compromised.
  • Cybercriminals use phishing to trick employees into giving up their credentials and sensitive information.

Social engineering can be used either to get information or infiltrate the company’s defenses and cause massive damage, as it happened in Target’s case in 2013.

In March 2015, there was a spear-phishing attack on Danish architecture firms.


How can you keep yourself from being social engineered?

  • The best way a company can protect itself from cyber security threats is to invest in educating its employees about them. If they know how to spot social engineering attempts and what the consequences are, they’ll be able to stop them before they happen.
  • Periodic cyber security assessments are necessary because companies change, grow, and evolve. When this happens, penetration testing should be carried out to find ways that can improve data safety across the organization.
  • For companies who haven’t done this yet, I always recommend that you define and implement a robust security policy. This is the type of investment worth making because it can have a huge impact on your organization by preventing cyber attacks.

Shobha Mallarapu


@anvayasolutions

Shobha Mallarapu is the president and CEO of Anvaya Solutions, Inc. The company trains employees on cyber security awareness in businesses around the world.

Companies are often attacked by social engineers who…

One of the most common scams is phishing, where an email impersonates a company or government organization to extract information from you. The hacker will use your login and password for sensitive accounts within the company, as well as hijack known emails by sending links that embed malware on your computer.

If someone calls you pretending to be a trusted source or authorized organization, they can make it seem like their call is something important and convince you to give them information that may hurt your company.

It’s important to remember that sharing too much information on social media can enable attackers to guess passwords or extract a company’s confidential information through posts by employees. Security Awareness is the key to preventing such incidents, and policies should be established with training for employees and measures like warnings or other disciplinary actions in place, especially for repeat offenders.

If you are not expecting an email, type the link address instead of clicking on it. Or, call a person to confirm that the email came from them before following any links or providing your personal information (phone number). The same principles apply to phone phishing attacks. Tell them you will call back and get their number by looking up the organization beforehand with Google Voice Lookup. If they do belong to a valid company, make sure to verify this over the phone before calling back.

Elvis Moreland


Elvis Moreland is a Computerworld magazine premier 100 IT leader and CISO.

The most common social engineering attack these days is…


A spear-phishing attack is an email that seems to be from a company you know or trust but contains malicious content.

Countermeasure(s):

1. If you are not sure about the source of a link or attachment, do not open it. Report an unknown sender to your IT department.

2. If the email seems to be from a normal source, ask yourself “Why would they want me to open this link or attachment? Is that normal behavior?” If not, report it!

Before you send out any important email, check the source and content of it. If there is anything suspicious about the email or if you are not sure what to do with it, contact your IT security department.

There are many network security options for companies to protect themselves, including anti-spam filters and SMTP gateways with scanning or filtering mechanisms.

AV and firewalls are not enough to protect you from these types of attacks.
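The advice above (type the address yourself rather than clicking, and filter mail at the SMTP gateway) comes down to two checks a gateway or a cautious reader can make on any message. This is an added example, not code from the article or from any vendor quoted in it: it parses a constructed sample message and flags a Reply-To that steers replies away from the visible sender, and an HTML link whose visible text shows one address while its href points at a different host. All domains in the sample are placeholders.

```python
"""Triage one suspicious e-mail the way a gateway filter would.

Added example, not code from the article or from any vendor quoted in it.
It checks two signals the experts above recommend looking for: a Reply-To
that steers answers away from the visible sender, and an HTML link whose
visible text shows one address while the href points at another host.
The message below is constructed for this example; all domains in it are
placeholders.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: reads like a bank notice, but Reply-To and the real
# link target both lead to an unrelated domain.
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@example-bank.com>
Reply-To: support@mail-verify.example.net
To: employee@example.org
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details at
<a href="http://login.mail-verify.example.net/x">https://www.example-bank.com/login</a></p>
<p>Or read our <a href="https://www.example-bank.com/help">help page</a>.</p>
</body></html>
"""


def domain_of(header_value):
    """Lower-cased domain of an address header; '' when absent or malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return hrefs whose visible text is itself a URL on a different host."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        shown = urlparse(text if "://" in text else "http://" + text)
        if "." not in shown.netloc:
            continue  # visible text is a phrase ("help page"), not an address
        if shown.netloc.lower() != urlparse(href).netloc.lower():
            flagged.append(href)
    return flagged


def triage(raw_email):
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    body = msg.get_payload() if not msg.is_multipart() else ""
    indicators = {
        "from_domain": from_domain,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "suspicious_links": mismatched_links(body),
    }
    indicators["suspicious"] = indicators["reply_to_mismatch"] or bool(indicators["suspicious_links"])
    return indicators


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Run against the sample, `triage` reports the Reply-To mismatch and the one link whose visible text and real target disagree; the "help page" link is left alone because its text is a phrase rather than an address. A gateway would apply the same two tests to each inbound message before it reaches an inbox.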

Greg Mancusi-Ungaro

@BrandProtect

Greg Mancusi-Ungaro is a passionate evangelist for emerging technologies, business practices, and customer-centricity. He has led marketing initiatives in the past with Active Risk, Savi Technologies, Sepaton, Deltek, Novell, and Ximian.

Social engineering schemes in the past have included…

The stranded traveler scam is a social engineer sending an email to someone claiming they are in need of money. He or she will have access to your company’s emails and be able to create a convincing story for why they can’t use the company system.

A common social engineering attack outside of the business environment is to copy profiles, substitute headshots, and steal an entire online identity. Once they have a stolen identity, it’s only a matter of time before another malicious ask.

Social engineering schemes are the most sophisticated because they use your network to get inside. A social engineer can send you an email pretending to know someone in your company and asking for help getting a job, like sending their resume or cover letter.

Once a social engineer has gained the trust of one person, they’ll use that to gain access to other people or networks. Social engineers usually have their eyes on something bigger than what they’re targeting; it’s just an easy way for them to get what they want.

How can you stop social engineers from succeeding?

As a company, the easiest way to protect your brand is by closely monitoring for unauthorized emails that use your logo. This will help you find out if someone has taken over one of your social domains and can be an indication of identity theft.

One of the easiest ways to reduce social engineering exposure is a simple way: if you’re not sure, don’t help. If they claim that they are your friend and want something from you, call them on their cell phone or email them using another account.

It might seem like common sense, but companies should invest in educating their employees about these and other risks. Just by raising awareness of the dangers, a lot of corporate risks will be reduced.

David Howard

David Howard has been a Certified Ethical Hacker since 2009 and is currently the founder of PPL Hack. David also offers free seminars across the country to teach small business owners how to protect their company data.

The most common types of social engineering attacks are phishing, vishing, and surfing.

As a Certified Ethical Hacker and founder of PPL HACK, I have done numerous intrusion attempts. One method is phishing email where you send out emails that look legitimate, but are actually trying to get the recipient to click on something or install some kind of malware.

One of the most common types of attack is called a wireless man in the middle. That’s when someone places their own WiFi access point inside your environment and all traffic goes through that person, who can then spy on it.

Oren Kedem

@BioCatch

With 15 years of experience in product management, Oren’s areas of expertise are web fraud detection and enterprise security. He has also held various marketing positions at RSA (now part of EMC) and BMC covering identity and access management solutions.

There are many common attacks on organizations, such as…

APTs are sophisticated attacks that involve two phases: reconnaissance and attack. Social engineering plays a big role in both of these phases.

Employees are tricked into thinking these attacks come from a trusted source. The attackers will call and email employees to perform actions that seem normal, such as approving transactions or sending contracts for signing.

The first step of an APT attack is reconnaissance. This can take months or even a year to complete, but the criminal patiently waits for this phase.

Social engineering is a type of attack where someone tries to convince you that it’s ok to install malicious software or open a web page. In one famous example, an HR administrator opened an excel sheet attached in an email from her boss with stats on employees’ salaries – but the spreadsheet was actually malware. A few months later, some code stolen from RSA was used as part of another social engineering phone call scam against Lockheed Martin.

So what can organizations do?

Make sure employees know the rules and have a clear understanding of what they’re supposed to do.

Don’t respond to unsolicited communications (email, phone) without verifying the person’s identity. The easiest way is to tell them you will call back and then verify their phone number.

Don’t ever open attachments or go to sites you don’t trust. Your company provides an “unsafe” computer that can be used for accessing any document, but it should never store sensitive data.

You should change your passwords and access them frequently, but unpredictably.

Share ‘war stories’ and industry experience with employees to help them become aware of the threats. They can’t be cautious if they are not aware of what’s out there.

Roberto Rodriguez

@HumanFirewalls

HumanFirewalls is an organization that offers security services for small-mid-sized companies. They offer a variety of different types of service, including Security Awareness Training which trains employees on how to recognize and respond to cyberattacks.

There are a few common types of social engineering attacks that companies need to be on the lookout for.

Phishing & Spear Phishing

Phishing emails are crafted to trick the user into downloading an attachment, clicking on a malicious link, or simply providing sensitive information. These emails can be sent out to an entire company without targeting specific people in that organization.

Cyber criminals are using phishing to break into organizations, and it is becoming more popular than ever. It was ranked #3 on the Verizon Report in 2014, showing that cybercriminals focus less on technology these days because they know how easy it can be to fool someone with social engineering tools like SET (Social Engineering Toolkit). Spam filters are great for stopping spam emails from getting through, but if an attacker knows what he or she is doing then you could easily get tricked by a phishing email. One perfect example would be receiving an email from your bank asking you to call a number provided in the email so they can change your ATM PIN – when really there’s no problem at all! The cyber criminal provides a number where he waits for people who follow his instructions and captures their audio video chat.

How to prevent it?

If a company is proactive about security, it will have a better awareness of the risks and how to reduce them. Security Awareness Training programs are especially helpful in making it easier for people to be aware of their surroundings.

Vishing (Voice and Phishing)

This is a very popular social-based attack that’s used in customer service departments. They might try to satisfy the customer over the phone and end up giving away information about possible targets, hours of operation, financial or personal information, even password resets.

How to prevent it?

You want to make sure that employees understand what information they can and cannot share. Technology such as NAC solutions limits the access of data without authorization.

Tailgating or Piggybacking

This is a social-based attack that involves an attacker without authorized access and an employee with a low level of awareness. The way it works is by having the unaware user cooperate and provide the unauthorized person access to a restricted area. This is common in many organizations because there are always people such as delivery guys from different institutions dropping packages and interacting with unaware users, creating a level of comfort and making it a routine. Once again, technology such as swiping cards to get into elevators or open doors in big organizations does not always work, and this is because all it takes is “I forgot my badge, and I am late for a meeting. Would you mind?” to trick the user and gain access.

How to prevent it?

Security Awareness Training, where the user learns about company policies and how to avoid risky behavior in order to keep themselves safe.

Jayson Street

@JaysonStreet

Jayson is an Infosec Ranger at Pwnie Express, a well-known conference speaker, and author of the book “Dissecting the hack: The F0rb1dd3n Network.” Jayson has been with them since before they were acquired by General Dynamics Corp.

Here are some common social engineering attacks…

A common solution to all these problems is enhanced awareness and employee training. Companies need to include security practices as part of their job descriptions, train employees on how to think critically about suspicious activity, and then react appropriately when necessary.

1. Spear Phishing: One of the most common ways that hackers infiltrate your company is through spear phishing. They do this by sending emails to people in your network, making them seem like they are from someone you know and trust when really it’s a hacker pretending to be so.

2. The Rogue Technician: Stealthy social engineers often pretend to be technicians or delivery people, making it easy for them to walk right into the company and physically compromise the network.

3. Malicious Websites: Often, malicious websites are disguised as corporate or partner sites and will prompt visitors to update Java or Adobe software or install a specific plug-in.

Patricia Titus

@RUSecur

Patricia Titus has 20+ years of experience in security management, and she’s responsible for designing robust information security programs.

Titus recently served as the Vice President and Chief Information Security Officer at Freddie Mac. In this position, she helped to protect information assets while transforming their security program.

Even with all these technical solutions, the weakest link is usually…

Humans should be the ones to protect against this problem, but they need rigorous training and testing in order for it to work.

Common social engineering is when someone tricks or cons employees into giving up information that leads to them getting access to systems, and to criminal behavior such as fraud.

To prevent social engineering attacks, it’s important to keep in mind people, processes, and technology. The following steps should be taken into consideration:

People

  • Create a security awareness program for your employees. Make it interactive and interesting to keep them engaged.
  • Create a company-wide campaign to promote social engineering awareness. Train employees, partners, and vendors about the risks of it so they can be prepared.
  • Make sure you have a framework and program for high-trust employees.
  • The employees have access to the most sensitive information in order to do their jobs.
  • They have more of a focus on training and testing than other companies.
  • The company performs background checks periodically, including random drug tests and credit score verification.

Process

  • Identify any data that could be sensitive or cause harm if exposed to social engineering. Then, have a third party assess the security gaps.
  • Decide how to handle sensitive information.
  • Report back to senior management on the results of your social engineering tests both good and bad.
  • I should be testing my employees for social engineering techniques, so I can catch them in the act.

Technology

The technology selection can be very diverse and specific to the data you want to protect from social engineering. It may involve one or more of these programs, but is not limited to them:

  • Data encryption
  • Hashing algorithms
  • Identity and access management
  • A system to monitor and report security incidents or events.
  • The technology is not signature-based.
  • Proxy blocking is a good way to keep your company secure and also avoid spam.
  • We monitor all incoming and outgoing communication for our employees.

Greg Scott

@DGregScott

Greg Scott is a veteran of the IT industry. He started his own company after working at Digital Equipment Corporation but then was bought out by another firm during the dot-com bust.

One of the most common social engineering attacks I’ve seen is…

I get a lot of phishing emails and they seem to come from Amazon, asking me to open their .zip or document file. Or sometimes the first names in the email will match someone I know, so it makes them more believable.

I took a phone call this morning from somebody with an IP phone in my area code and they wanted to send me the $100 gift card that I had requested last week. When I asked who it was, she said that her company fulfills orders from many customers and so she couldn’t tell me where the order came from.

And then there are those pesky phone scams that try to steal your information.

The best defense against this is to be vigilant. I make sure the email comes from where it says it does and check for any signs of a scam.

Ondrej Krehel

@lifarsllc

Ondrej Krehel is the founder and principal of LIFARS LLC, an international cybersecurity firm. He has more than two decades of experience in computer security and digital forensics. His work has received attention from major news outlets like CNN, Reuters, The Wall Street Journal, and The New York Times.

Social engineering is usually done through email or phone calls. They are also used to get information on the company, such as passwords.

The phishing email tries to trick users into giving up information by looking like the real thing. It’s a popular way of obtaining sensitive information and credentials from people.

Spear phishing is a more sophisticated form of phishing. It’s usually targeted and the attacker will know information about you to make it seem like they’re someone official from your company, so when you click on something in the email, the malware installs onto your computer.

Phone scams are common. They can be part of a larger scam or they can happen on their own.

Part of a larger scam:

Imagine if your bank account credentials were stolen by hackers. You would be unable to transfer money without a unique code that gets sent to your phone.

As a standalone scam:

This is just one of many ways that social engineering can be used in the digital world to commit crimes and victimize innocent people.

Amichai Shulman

@Imperva

Amichai Shulman is the co-founder and CTO of Imperva. Amichai oversees security research for the company, which has been credited with discovering vulnerabilities in commercial Web applications.

Social engineering attacks include…

One of the most powerful tools in an attacker’s arsenal is social engineering. The problem with this type of attack is that it usually takes place over email, and there are a lot of misconceptions about how they work.

Cybercriminals rely on these mass scale infection campaigns, which can be more effective with smaller distribution lists

The other day, I got an email from a company that asked if they could send me something. They said it was urgent and would help with my life goals.

1. Try to match the email you send to your target audience, for example, if it is a birthday card then make sure that both spouses are mentioned in the text.

When I received an email from a company that had done business with me in the past, it looked like they were sending out information to everyone on their contact list. It was actually automated and wasn’t coming from them.

2. Spoofing

I recently received a fake email from the company I booked my trip with, which looked to have come from their address. It was actually sent by someone pretending to be them and it could trick many people into giving up information about themselves without realizing what they’re doing.

As the average employee, you’re going to click on things and download attachments. It’s your job to do that. Organizations need a security suite that can detect when something is wrong quickly and quarantine it before anything else happens.

Ken Simpson

@ttul

Ken Simpson is the co-founder and CEO of MailChannels. He has had a passion for software since his father brought home one of the first IBM PCs in 1980 and taught him how to write simple programs in BASIC. Since then he’s combined entrepreneurship with his skill set as an early-stage employee at four different startups that lasted long enough to be successful, in areas including Voice over IP and Wireless Internet, but mainly anti-spam.

A social engineer might use manipulation to get personal information, for example by pretending to be someone else.

With social engineering, an attacker may have certain information about the employees within a company and he uses that to learn something new – for instance, a password to an internal system. There is this misconception that once someone fakes their way in by pretending they’re from the cable company or some other entity, then all of these credit card numbers are immediately stolen. Professional cybercriminals extract one piece at a time slowly earning their way into deeper parts of organizations.

RSA was famously hacked via social engineering to gain access to the SecurID infrastructure. The first step was for them to send two phishing messages with Excel malware that executed a zero-day attack against their machines.

Spear phishing is the most common social engineering attack in today’s world. It often starts with a message that seems genuine, and if it gets through to one person then they’ll send out more messages until someone clicks on something or installs malware.

Kurt Simione

@TechnologySeed

Kurt started Technology Seed in 2000. He does a little bit of everything, and he loves the challenges that come with IT work. Kurt is often seen at UCLA Bruin games when his kids are playing.

The most common types of social engineering attacks that companies are faced with include…

Email scams haven’t changed much in recent years. They used to be random, but now they are more targeted and deliberate.

Find a company and do your research.

This is a different type of attack than previous ones. It’s not random, it targets specific people.

The attacker buys a domain name that is very similar to the target company’s so they can access it easier.

This new attack is significant because it actually costs the scammer money.

It is important to find the appropriate executives of a company before you start applying for jobs.

A scam is usually a well-written email from someone who wanted to exploit the trust of C-level executives. These emails are often sent when they’re too busy to properly vet their emails.

In the tech world, we find that no matter what steps are taken to protect people from scams or prevent them, end-user training is always best. If something doesn’t feel right or you’re unsure of it, pick up the phone and contact a trusted resource.

Luis A. Chapetti

@CudaSecurity

Luis Chapetti is an engineer and data scientist at Barracuda. He has various responsibilities, including IP reputation systems and Spydef databases on the Barracuda Real-time protection system.

If you want to prevent social engineering attacks, I recommend that…

Once upon a time, hackers and spammers would blast spam phishing emails to as many people as possible. Now they go after the most specific targets in order to get access through malicious attachments or links.

LinkedIn has given a lot of information about employees at any company, and Facebook can help in the attack by not only finding out who are the C-level executives, but also family members that might have access to devices or machines connected with their network.

To be safe, we recommend the following two things to use in social engineering: common knowledge and personal information.

  • I recommend using a mobile device management system that carries the same level of security as your headquarters. It will be on your phone, no matter where you are.
  • Limit the number of people that have access to sensitive data. Be sure only those with credentials can get into it.
  • Hackers can gain information or infect machines by sending out emails. A powerful filter will help protect you.
  • LinkedIn and Facebook should only be used to connect with people you know. It is not an easy way to get more friends or popularity on social media.
  • It is important to educate employees about the risks of these types of social engineering attacks. The more they know, the better off your company will be.

Nathan Maxwell

@CCI_team

Nathan Maxwell is a cyber security consultant, and he helps organizations assess and mitigate risk so they are less vulnerable than the company next door.

Social engineering is a dangerous way for people to gain access into an organization.

The most important part of any company is its employees.

Hackers are using methods that have been the same for years. They leverage data from corporate breaches to create emails tailored specifically to you.

Creative emails will use unusual letter combinations, like “é” vs. “è”, to trick the recipient about who actually sent it.

The most effective way to protect against social engineering is through employee training. Employees should be instructed not to click on links and delete the email if it appears as though they are from Dropbox.

Additionally, it’s a great idea to use an email service that checks every web address as you click on them.
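Two of the experts describe the same sender-side trick from different angles: Kurt Simione notes that attackers register a domain very similar to the target company’s, and Nathan Maxwell points to accented letters such as “é” versus “è” that render like the real thing. The following is an added example, not code from the article or from any vendor quoted in it, showing how a mail filter can catch both: it reduces a sender domain to the ASCII letters a reader would perceive (decoding punycode, stripping accents, mapping a small table of look-alike characters) and then measures its edit distance from a constructed allow-list. The trusted domains, the confusables table and the sample senders are all constructed; treating the last two labels as the registrable domain is a simplification that ignores suffixes such as .co.uk.

```python
"""Flag sender domains that only look like a trusted one.

Added example, not code from the article or from any vendor quoted in it.
It covers the two tricks described above: a registered domain one
character away from the real one, and accented or foreign-script letters
that render like ASCII. The trusted list, the confusables table and the
sample senders are all constructed here; taking the last two labels as
the registrable domain is a simplification that ignores suffixes such as
.co.uk.
"""
import unicodedata

# Constructed allow-list of domains the organisation actually mails with.
TRUSTED_DOMAINS = ("examplecorp.com", "example-bank.com")

# Small constructed table of look-alike characters; a real deployment
# would use the Unicode confusables data. Keys are Cyrillic letters and
# digits that are routinely swapped for Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "0": "o", "1": "l",
}

# Constructed sample: the trusted domain with an accented first letter, in
# the IDNA (punycode) form it would take in a From header.
PUNYCODE_SAMPLE = "éxamplecorp.com".encode("idna").decode("ascii")


def skeleton(domain):
    """Reduce a domain to the ASCII letters a reader would perceive."""
    domain = domain.lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")  # xn--... -> Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: use it as-is
    decomposed = unicodedata.normalize("NFKD", domain)  # é -> e + accent
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels of a domain (simplification, see module docstring)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify(sender_domain):
    """Return (verdict, trusted_domain); verdict is trusted, lookalike or unrelated."""
    raw = sender_domain.lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if raw == trusted or raw.endswith("." + trusted):
            return "trusted", trusted
    seen = skeleton(registrable(raw))
    best, best_distance = None, None
    for trusted in TRUSTED_DOMAINS:
        distance = levenshtein(seen, skeleton(trusted))
        if best_distance is None or distance < best_distance:
            best, best_distance = trusted, distance
    # Distance 0 means an accent or homoglyph swap; 1 means a typo-squat.
    if best_distance is not None and best_distance <= 1:
        return "lookalike", best
    return "unrelated", None


if __name__ == "__main__":
    for sender in ("examplecorp.com", "login.examp1ecorp.com",
                   PUNYCODE_SAMPLE, "\u0435xamplecorp.com", "unrelated-vendor.net"):
        print(sender, "->", classify(sender))
```

The threshold of one edit is deliberately tight: widening it on short trusted names produces false positives, so a production filter would tune it per domain and pair the result with the authentication checks (SPF, DKIM, DMARC) that the gateway already performs.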

Kamyar Shah

@kshahwork

Kamyar Shah is a small business advisor who helps companies increase their productivity and profitability. He offers remote CMO, or Chief Marketing Officer services as well.

There are too many different social engineering attacks, to name them all, but the most successful ones have a few things in common…

The urgency for a deal is usually created by the potential benefits or penalties.

There are a lot of ways to minimize the impact of a sophisticated attack, but having education and backup is one way that will help reduce successful attacks. Continuous training can aid in reducing overall successful attacks.

Ian MacRae

@encomputers

Ian MacRae has been passionate about technology his entire life. He has been an IT service provider in Washington DC and Virginia since 1997, providing computer repair services to customers. His favorite part of the job includes problem-solving and working with a variety of different people on various projects.

There are three types of social engineering attacks.

2. Phishing is when someone sends an email that looks like it’s from your bank, to get you to divulge personal information.

The easiest way to avoid being a victim of fraud is to remember that if someone asks you for information or money, and it’s out of the ordinary, be cautious. Make sure they verify who they are by voice before completing any requests.

It’s important to be careful when clicking on links in emails. They might take you to a website that will ask for your information.

When I first got my computer, there were a lot of emails coming in from people pretending to be Microsoft or other companies and saying they had something for me. They wanted access to my computer so that they could get into all the stuff I was doing online.

3. Being held ransom.

You might receive an email saying: “We have your password and a compromising video of you, pay us or else.” There are a lot of ways to help prevent any of this from happening to you. First, when you get a new software or system, you need to be trained and not just on how to use it the first time. The training needs to be continual. Education is the best way to keep these criminals from playing into the fear of technology. For example, one of the measures we’ve used is phishing simulators to help people recognize malicious attempts.

If you have an IT help desk, good communication is the best way to prevent social engineering attacks. If not, talk with your provider about how they charge for services and what their hours are so that employees can feel comfortable picking up the phone when suspicious emails or texts come in.

Adnan Raja

@AtlanticNet

Adnan Raja is the Vice President of Marketing for Atlantic.net, a company that specializes in providing HIPAA-Compliant and Managed Cloud hosting.

Cyberattacks are very common in today’s digital workplaces.

The data breach often involves confidential information from a variety of employees, including the CEO and helpdesk colleagues.

A common attack is phishing when third parties try to impersonate a genuine source and send fraudulent communications in the hopes of extracting confidential data. An example would be pretending they are from banks or insurance companies.

Another common attack is whaling, which targets high-ranking executives. This type of cyber attack often relies on hackers who look for people with a higher turnover in their email account or those that have accidentally opened attachments from someone they don’t know.

Outsourcing IT operations to a provider who has an established reputation for security can help prevent social engineering attacks. They offer hardware protection and proactively monitor suspicious activity.

Brandon Schroth

@gwdatarecovery

Brandon Schroth is the Digital Manager at Gillware Data Recovery. He has a background in digital forensics and data recovery.

People who call helpdesks might be trying to trick them for information.

It is possible that a hacker will attempt to gain access to confidential information, such as bank account information. They may try this by asking for password resets or attempting to get more personal details from the call center employees.

Uladzislau Murashka

@ScienceSoft

Uladzislau Murashka is a Certified Ethical Hacker who has been working in the field of penetration testing for six years. His spheres of competence include reverse engineering, black box, white box, and gray-box application penetration tests as well as bug hunting and research work on Information Security.

Cyberattacks are the most common security threats that companies face. The types of attacks include social engineering like phishing emails and identity theft.

Companies should also train their employees on how to use complex passwords and not log in with a company email address. This way if they get hacked, the hacker can’t access information from other sites.

The term “social engineering” is often used to describe a hacker’s attempt at obtaining unauthorized information by exploiting human trust or credulity. Phishing scams are an example of social engineering.


Phishing

Phishing is one of the most common social engineering attacks, and it usually comes in two forms: phishing and spear-phishing. Both are often themed around current events, disasters, or tax season.

Here are some of the worst examples of social engineering hacking:

Scammers are sending phishing emails claiming to come from a real law firm called ‘Baker & McKenzie’ and telling you that you’re scheduled for court. If the link is clicked, malware will be downloaded and installed on your computer.

Taxpayers are waiting to hear about their refunds before the April 15th deadline. Cybercriminals know this, and they’re using social engineering tactics to trick taxpayers into opening a Word file that contains ransomware.

A new phishing campaign was discovered through CareerBuilder. The attacker uploaded malicious attachments instead of résumés, forcing the job portal to act as a delivery vehicle for phishing emails.

The attacker used a known job site to target email recipients. The malware was deployed in stages.

The attack starts with a malicious Word document (named resume.doc or cv.doc) submitted to a job listing on CareerBuilder; when someone submits an attachment to the posting, the person who posted the listing is notified of it.

A police department in Durham, New Hampshire was hit by ransomware last June when an employee clicked on a legitimate-looking email. Ransomware has also infected other departments, including Swansea and Tewksbury, MA; the Dickson County (Tennessee) Sheriff’s office; and more.

Here are some examples of social engineering scams:

One of the most common banking scams is a phishing email. Hackers send you an email that looks like it’s coming from your bank, but really they’re just trying to steal your info.

The Carbanak heist was reported on extensively in Feb 2015. It involved 30 countries and nearly a billion dollars worth of lost funds.

When the Carbanak scam happened, spear-phishing emails were sent to employees that infected workstations. The hackers tunneled deeper into bank systems until they controlled employee terminals and made cash transfers.

A scammer would send an email with a link that appeared to come from someone inside the company. The link delivered malicious code that infected the recipient’s computer, and the attackers recorded everything users did in order to learn how the organization operated. Once they understood its processes, they commandeered the systems for their own purposes, including ATM cash-outs, but also artificially inflating customers’ balances by $1,000 or more before withdrawing the difference.

This scam damages your computer and commonly targets companies that still use faxes, such as document management and insurance firms.

Dropbox Link Scam: Just wait until you see what’s in Dropbox.

One of the phishing emails was a fake Dropbox password reset that led users to a fake ‘your browser is outdated’ message. When clicked, it launched malware.

Another email had a Dropbox link with CryptoWall ransomware.

A phony link asking you to confirm your complaint is a scam. The senders want you to respond with more details so they can gather more information about you.

The company has used this for years. 

This is a scam: Vin Diesel has not died, and the link is the bait.

This is a common trend. When celebrities die, some people will try and exploit their death with fake videos or links that lead to scam pages.

The other day, my staff attempted to social engineer me and catch me in a prank.

They attempted to get my credentials by contacting me. I received an email from the Director of HR that looked like it was sent from them, but they were actually trying to trick me and steal information.


HR@knowbe4.com

10:45 AM (1 hour ago)

to: stus

Stu,

I saw a user on the company’s security forum, who goes by “securitybull72” make some negative comments about our executive compensation and you, claiming that you are overpaid and incompetent. He gave details of his disagreements with us from a financial standpoint which may have inadvertently revealed confidential information to other people.

Some of the replies to this post were negative, but I understand that he has every right to his opinion. He should have expressed it through proper channels before posting on social media.

The first time I saw this, it reminded me of something. Here’s the link.

Could you please talk to him?

Thanks.


Nine out of ten would fall for this. I was lucky that when I hovered over the link, it said that it had been created by me – a simulated phishing attack.

Train users with an effective training program that routinely uses an integrated anti-phishing tool to make sure they are thinking about security.

Have a backup plan in case something goes wrong and make sure to test it regularly.

Some of the more common ways to break into a computer system are…

PHISHING

Phishing has become a problem in the last few years and it’s hard to fight against. Attackers usually send well-crafted emails with attachments that carry malicious payloads. They often use Tor or something like that, making them difficult to find.

RANSOMWARE

Recently, there has been an increase in the use of phishing emails with ransomware. The attackers often send out attachments that look like they are important files, but actually contain a virus.

Here are a few steps you can take to protect yourself from these dirty schemes:

  • Know your rights and know what is expected of you.
  • Don’t give out personal information like bank account numbers, driver’s license numbers, or social security numbers.
  • Never open an email that landed in your spam folder or that comes from a sender you don’t know.
  • When you receive an email from a sender who is unknown to you, do not open the attachments they have sent.
  • To protect your computer, use reputable antivirus software like Kaspersky or Symantec.
  • Back up your data on an external hard drive or in the cloud.
  • When backing up, make sure to disconnect your backup drive from the computer. Current ransomware is known to encrypt both your primary and secondary drives.
  • Attackers keep using this kind of extortion because people keep giving in. If you need to recover your data, consult a professional.

How to prevent social engineering

  • Humans are the weakest link in a company. Companies should have at least bi-annual training for each user group so that everyone is up to date on new cyber attacks.
  • Employees should be tested by having an outside party conduct a social engineering test. This kind of testing will make them more aware and help to protect their data.
  • In response to the increase in these attacks, a number of security firms have new defenses that can block phishing attempts before they even reach your company’s internal servers. AppRiver is one such service.
  • If they get through, the best way to stop them is probably an endpoint protection system that can block the latest malware.
  • Cyphort’s IDS/IPS system is a good last line of defense against known attacks and for detecting how far they have spread in the network by signature, behavior, or community knowledge.

Organizations should be aware that email is the number one way to attack a company or individual. It’s used by everyone, including older employees who are less likely to be on social media and more prone to opening an email.

If an email is opened, the message has to be compelling enough for them to click on a link or open up any attachments. There are many strategies that have been successful including:

  • Fake email addresses are often used when sending out these types of emails. They may look very professional or seem to be from a company that the reader would trust.
  • A lot of companies are experiencing fake invoices, blocked payments, deliveries, or faxes.
  • Emails are designed to scare the recipient into clicking on a link in order for them to receive more information about whatever it is they’re trying to get you interested in.

Most companies put all of their defense efforts into software and hardware solutions to keep these threats from ever reaching employees. But this approach is flawed, because most people also connect to the internet through email, Facebook, LinkedIn, Twitter or web pages at home or on mobile devices, outside those defenses. Few companies also include employee education about identifying threats, such as mouse-over skills (hovering over a link to see where it really leads) and understanding the anatomy of an email address or domain name.
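The mouse-over check and the anatomy of an email address are both mechanical enough to automate. The following is an added example written for this article, not code from any of the quoted experts: it parses a constructed HTML body, compares the domain shown in each link’s visible text with the domain the href really points at, and checks whether a From header’s display name claims a brand that the sender’s domain does not belong to. The brand table, the sample From header and body, and the two-label “registrable domain” simplification are assumptions of the example.

```python
"""Mouse-over and address-anatomy checks for a suspicious email.

Added example for this article, not code from any of the quoted experts.
It uses only the Python standard library. The brand table, the sample
From header and the sample HTML body are constructed for the example.
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lookup of brand names to the domain that legitimately sends for them.
BRAND_DOMAINS = {"dropbox": "dropbox.com"}

# Visible link text that itself looks like a URL or a bare host name.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]|$)", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name, e.g. www.dropbox.com -> dropbox.com.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def href_host(href):
    """Host the link really points at, or None for mailto:/relative links."""
    host = urlparse(href.strip()).hostname
    return host.lower() if host else None


def text_host(text):
    """Host named in the visible link text, or None if the text is not URL-like."""
    match = URL_LIKE.match(text.strip())
    return match.group(1).lower() if match else None


def link_mismatches(html):
    """The mouse-over check: links whose visible text names one domain
    while the href goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real, shown = href_host(href), text_host(text)
        if real and shown and registrable_domain(real) != registrable_domain(shown):
            findings.append({"text": text, "href": href, "shown": shown, "real": real})
    return findings


def sender_domain(from_header):
    """Only the part after '@' identifies the sender; the display name is free text."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def brand_impersonation(from_header, brand_domains=BRAND_DOMAINS):
    """Flags a display name that claims a brand whose domain the sender does not use."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if domain is None:
        return None
    for brand, legit in brand_domains.items():
        if brand in name.lower() and registrable_domain(domain) != legit:
            return {"claimed_brand": brand, "sender_domain": domain}
    return None


# Constructed sample modelled on the fake Dropbox password reset described above.
SAMPLE_FROM = "Dropbox Support <no-reply@dropbox-resets.example>"
SAMPLE_HTML = """
<p>Your password has expired. Reset it here:</p>
<p><a href="http://dropbox-resets.example/login">https://www.dropbox.com/reset</a></p>
<p>Questions? Visit the <a href="https://www.dropbox.com/help">Help center</a>
or write to <a href="mailto:support@dropbox.com">support@dropbox.com</a>.</p>
"""

if __name__ == "__main__":
    print(brand_impersonation(SAMPLE_FROM))
    for finding in link_mismatches(SAMPLE_HTML):
        print(finding)
```

The two checks are independent on purpose: a link whose text is “Help center” cannot be judged by text alone, so only URL-looking text is compared, and a From header is judged on the part after the @ sign regardless of what the display name says.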

To prevent social engineering attacks, it is important to identify them.

When it comes to data theft, the most common source is from within. In 2013, $143 billion was lost as a result of this.

Social engineering is hard to prevent, but there are ways of detecting it. For instance, if you have a number of sensitive files and someone downloads them after hours or shares the file with others outside their group, that should be identified as suspicious behavior.
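The after-hours download and outside-group share described above can be expressed as detection rules. The following is an added example written for this article, not any expert’s or vendor’s code: it runs three rules over a constructed file-audit log (after-hours download of a sensitive file, share to an external address, and bulk download of several sensitive files by one user). The log format, the sensitive path prefixes, the business hours and the internal mail domain are assumptions of the example.

```python
"""Detection rules for the insider behaviour described above: sensitive files
downloaded after hours, shared outside the company, or pulled in bulk.

Added example for this article, not code from any quoted expert. The audit-log
format, the sensitivity classification, the business hours and the internal
domain are all constructed assumptions; a real file server or DLP product has
its own log format and needs its own parser.
"""
from datetime import datetime, time

SENSITIVE_PREFIXES = ("/finance/", "/hr/")   # constructed: paths treated as sensitive
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
INTERNAL_DOMAIN = "corp.example"             # constructed: the company's own mail domain
BULK_THRESHOLD = 3                           # distinct sensitive files per user per log window

# Constructed sample audit log: "<ISO timestamp> <user> <action> <path> <share target or ->"
SAMPLE_LOG = """\
2015-03-02T09:15:00 alice download /finance/q1-forecast.xlsx -
2015-03-02T14:02:00 bob share /hr/salaries.xlsx carol@corp.example
2015-03-02T14:05:00 bob share /hr/salaries.xlsx pat@gmail.example
2015-03-02T23:40:00 bob download /finance/payroll.csv -
2015-03-02T23:41:00 bob download /finance/bank-accounts.xlsx -
2015-03-02T23:43:00 bob download /hr/salaries.xlsx -
2015-03-03T22:10:00 alice download /public/handbook.pdf -
"""


def parse_event(line):
    """One log line -> event dict (the constructed format is whitespace separated)."""
    ts, user, action, path, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "target": target}


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def is_after_hours(ts):
    """Weekends, or weekdays outside the configured business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def is_external(address):
    """A share target whose mail domain is not the company's own."""
    return "@" in address and address.rsplit("@", 1)[1].lower() != INTERNAL_DOMAIN


def detect(log_text):
    """Returns one alert dict per suspicious event, plus one bulk alert per user
    who downloaded BULK_THRESHOLD or more distinct sensitive files."""
    alerts = []
    downloaded = {}  # user -> set of distinct sensitive paths downloaded
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if not is_sensitive(ev["path"]):
            continue
        if ev["action"] == "download":
            downloaded.setdefault(ev["user"], set()).add(ev["path"])
            if is_after_hours(ev["ts"]):
                alerts.append({"rule": "after_hours_download", "user": ev["user"],
                               "path": ev["path"], "ts": ev["ts"].isoformat()})
        elif ev["action"] == "share" and is_external(ev["target"]):
            alerts.append({"rule": "external_share", "user": ev["user"],
                           "path": ev["path"], "target": ev["target"]})
    for user, paths in downloaded.items():
        if len(paths) >= BULK_THRESHOLD:
            alerts.append({"rule": "bulk_sensitive_download", "user": user,
                           "count": len(paths)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log every alert points at the same user, which is the point of correlating the rules: a single after-hours download is weak evidence, but the same person also sharing a sensitive file externally and pulling several sensitive files at once is what an analyst would want surfaced together.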

Today, there are many ways an attacker will try and compromise a corporate network, but in the end, it is the individual who has the most to lose. Attackers take whatever means necessary to break into networks and steal information; one of which is social engineering. Social engineering was responsible for some major attacks, including Sony’s 2014 hack as well as The White House last year. There are two common types of these attacks: phishing (using email) or vishing (voice-phishing).

One of the most common ways to get hacked is through a phishing attack. An individual will open an email that seems harmless but actually has malicious code in it, or they’ll download something from somewhere with malware on it.

Vishing is when someone pretends to be a company and calls you over the phone. With some information about your name or birthday, they may get all of your login credentials.

To protect a company, it’s important to teach employees what they should be looking for when receiving phone calls or emails. When an individual receives a call asking for information, he or she must establish the identity of the person without giving any hints about their personal details.

It’s important to know the basics in order to protect your digital identity from social engineering attacks.

  • Be careful when you get an email that: urges you to provide personal or financial information with high urgency; threatens you if you don’t respond quickly; or is sent by an unknown sender.
  • The scammer will ask for personal or financial information in a high-pressure way, so be wary of anyone who seems too pushy.
  • Pop-ups are designed to scare the user into making an immediate purchase.
  • Keep a close eye on your bank account to make sure no unauthorized transactions have been made.
  • When you’re using public computers, don’t share personal information like passwords and credit card numbers.
  • Never click on links or download files from unknown senders.
  • If you’re going to make online transactions, be sure that the site is secure. You’ll know this if there’s a padlock next to the address in your browser.
  • Never give out personal information over the phone, and never respond to emails asking for your account number or other important data.
  • Never send sensitive information such as personal and financial data through email.
  • When you get an email from a website that seems legitimate, watch out for links to web forms. Phishing websites are often exact replicas of legitimate ones.
  • Pop-ups can be dangerous and it’s important to never enter personal information or click on them.
  • It’s important to have the right defense systems in place, such as spam filters and anti-virus software.
  • Users of social networks should never post personal information or download uncertified applications. They also shouldn’t click on links and videos from unknown origins.

Keith Casey

@CaseySoftware

Keith Casey currently works as the director of product for Clarify.io, a company that helps make APIs easier and more consistent.

The most common form of social engineering attack is when hackers impersonate someone in the company, like a CEO or other high-level executive.

“I just need.” Basically, someone calls the company claiming to represent the phone company, internet provider, etc., and starts asking questions. They claim to have a simple problem or know about a problem that can be fixed quickly, but they just need one little thing. It could be as innocuous as asking for a username or someone’s schedule or as blatant as asking for a password. Once the attacker has this information, they call someone else in the company and use the new information to refine their attack. Lather, rinse, repeat.

Many people are tricked into giving away company information by callers pretending to be employees. The callers get access to email accounts, phone records, and travel itineraries.

The best way to protect yourself when someone calls is not to give them your information. Instead, ask for their phone number and offer to call them back at that number.

You should never give your credit card number to someone who calls you. Call the company’s customer service line and they will help.

Joe Ferrara

@WombatSecurity

Joe Ferrara is the CEO of Wombat Security Technologies, and he has been working in technology for 20 years. Recently, Joe was a finalist for EY Entrepreneur Of The Year Western Pennsylvania and West Virginia and received a CEO award from CEO World. He has spoken at numerous information security conferences around the world, including RSA Europe, the CISO Executive Network forum, and ISSA International.

Here are some tips on how to protect against social engineering attacks.

Social engineering is a phenomenon that exploits human psychology to gain access to buildings, systems, and data. It’s so advanced now that technology solutions and policies alone cannot protect critical resources.

Companies should:

  • Make sure to take a baseline assessment of your employees’
  • Let employees know why they need to be discreet when it comes to company information.
  • A good way to start is by targeting the most risky employees and/or common behaviors.
  • Give employees the power to make decisions about security instead of relying on a central authority.
  • Interactive training can be used to help increase knowledge retention. With short sessions that fit employees’ busy schedules, these trainings apply proven, effective learning-science principles.
  • Send automated reminders to employees about training deadlines.
  • With these reports, executives can easily see when knowledge is improving over time.

Companies need to focus on the human side of security more than just investing in technology defenses. Companies should be training their employees about current threats and how to avoid them.

Companies should use social engineering attacks to test their employees, and then train them on how to combat these types of scenarios. Having a security program in place can help protect your company from data breaches.

Sanjay Ramnath

@Barracuda

Sanjay Ramnath is the Senior Director of Product Management for Barracuda, a company that provides powerful and easy-to-use IT solutions.

When it comes to social engineering, I recommend…

Companies need to find a way to use social media for their business. They can’t just block these sites from the network.

Training is important, but it’s not enough. There are many ways to mitigate the risks of social media while allowing them to be used; for example, creating a code of conduct that everyone agrees on and having someone monitor what employees post online.

With Bring Your Own Device, network administrators are under a lot of pressure to protect the company’s network of devices that were not created with it in mind.

Social media is a zero-trust environment. You don’t know who you’re talking to, and often people’s guards are lowered when they use it.

In a case like social engineering, where people are subject to spear-phishing attacks and other scams before they even reach the network, it is good to have a spam firewall and web filter in place, as well as training for employees on how not to fall prey.

BYOD is a growing problem, so it’s important for companies to have security solutions in place.

Alex Markowitz

@ChelseaTech

Alex Markowitz is a Systems Engineer for Chelsea Technologies, and he has 10 years of IT experience in the financial sector.

To prevent social engineering attacks, I suggest that companies…

The Power of No.

Google the top social engineering attacks. What do you get? Stories about Trojan Horses, phishing attacks, malware injections, redirects, spam, and people giving up way too much personal information on public websites. The surface area for social engineering attacks is as big as all the employees and users in your corporation. The best social engineering attack will involve nothing but an unnoticed slip or mistake from one user. I am going to address the very specific aspect of internal security and leave you with the following: the most important protection you need in your company is the ability to say, “No.”

It is important to know the history of attacks, but that will not protect you. The attackers are always ahead of those who defend against them. A social engineer has an endless well of creativity and should be treated as such; technology changes, but humans do not.

I have noticed that there are always executives, managers, and other powerful people who want to be treated special. They refuse to follow the rules because they think it doesn’t apply to them or their family members.

They want things that will make their professional lives even easier than we in IT already struggle to make them. Unfortunately, in IT, we are in the habit of saying, “Yes.” I have seen directors and CTOs create special exceptions for other high-ranking users to garner favors and popularity, but also because they are scared for their own position. This is lazy; this is arrogant; this is stupid, but this is most of all, human. We human beings are the system attacked by social engineering, and then we leave ourselves open by falling prey to our insecurities, giving an attacker an invitation to storm our gates. All IT needs to learn how to say is “No,” and IT management needs to be strong and stubborn for the good of a company. One of the best ways to protect your company from social engineers is to learn how to say, “No.” Keep politics and climbing the office ladder out of IT security.

I know I am addressing a very specific aspect of IT, but one of the best ways to shrink your attack surface is to learn how to say, “No.” It takes strong leadership and determination from IT management to keep our protection streamlined. Only after our protection is streamlined can we accurately educate our users and create a secure infrastructure. Every individual exception opens a Pandora’s Box for social engineers to find (or even just stumble upon) and exploit.

Robert Harrow

@robert_harrow

Robert Harrow is a credit card, home insurance, and health insurance researcher. He’s interested in security because of the data breaches he studied.

The biggest threat to companies today is people who are skilled at manipulating others.

The most common type of social engineering is a phishing scam. In 2013, there were reported to be $5.9 billion in losses from close to 450,000 attacks.

Spam filters are useful for employees, but they don’t work with spear phishing. These attacks are less frequent but more targeted to specific high-value individuals — likely CEOs and CFOs. Spam filters can’t prevent these types of attacks.

It is important to educate employees about phishing and not open any e-mails that sound suspicious.

Steven J.J. Weisman, Esq.

@Scamicide

Steven J.J. Weisman is a lawyer and college professor, who teaches at Bentley University about White Collar Crime.

I advise companies to do the following in order to prevent social engineering attacks:

In major data breaches, the malware generally has to be downloaded into a company’s computers from an outside source. Usually, this is done through social engineering tactics that trick employees into clicking on links or downloading attachments.

They use an email marketing campaign to persuade employees.

  • Most of them try to make it look like the email is from a friend, but they’ve actually hacked their account.
  • They make it appear that the email comes from someone within the company, and they may have gotten their name or email address through a variety of databases like LinkedIn.
  • They gather information on targets by looking at their social media accounts, where they may have posted personal info that a hacker can use to contact them and trick them into clicking on a link.
  • The link is to a website where you can watch free pornography.
  • The link is to provide photos or gossip about celebrities.
  • The link is to provide sensational and compelling photographs or videos of an important news event.
  • The notification appears to come from someone in IT security at the company.

These are just a few of the more common tactics that hackers use to penetrate company networks.

Train employees on my motto, “Trust me, you can’t trust anyone.” No one should ever provide personal information to anyone in response to a request until they have verified that the request is legitimate. No one should ever click on any link without confirming that it is legitimate.

It’s important to teach employees about the dangers of phishing and spear-phishing schemes, so they can be more vigilant when responding to emails.

It is important to keep up-to-date on the latest anti-virus and anti-malware software, but hackers are always one step ahead.

Employees should only have access to the information they need in order to do their job.

Make sure you use two-factor authentication and strong passwords that are changed on a regular basis.

Aurelian Neagu

@HeimdalSecurity

Aurelian Neagu, a technical writer with 6 years of experience in the cyber security field at Bitdefender and Heimdal Security, has been studying how technology changes human relationships within society.

A type of attack on a company is to use social engineering.

Attacks can come from both inside and outside the company.

Malicious insiders use social engineering to commit fraud.

According to PwC’s survey, 21% of current or former employees use social engineering for various reasons. Some do it just because they are curious and others out of revenge.

Social engineering methods can include:

  • Hacking into a company and stealing their passwords.
  • Using confidential information as a bargaining chip for trying to find another job or better position within the company.
  • Leaving the company and using confidential information for malicious purposes.

Cyber crime and hacking

  • Malicious outsiders try to trick employees into giving them information. They can do that by contacting someone over the phone, sending an email, or coming in person.
  • Social engineering relies on the confidence that cyber criminals have, and also their trust in reputable companies.
  • One way this information can be used is to gain the victim’s trust, which would then give them sensitive information.
  • Once the malware is inside, it can act in various ways. For example, if someone sends an employee a malicious email attachment and the employee opens it and clicks ‘yes’ when asked to run or save the file (even though they don’t know what’s in it), their system could be compromised.
  • Cybercriminals use phishing to trick employees into giving up their credentials and sensitive information.

Social engineering can be used either to get information or infiltrate the company’s defenses and cause massive damage, as it happened in Target’s case in 2013.

In March 2015, there was a spear-phishing attack on Danish architecture firms.

How can you keep yourself from being social engineered?

  • The best way a company can protect itself from cyber attacks is to invest in educating its employees. If they know how to spot social engineering attempts and what the consequences are, they’ll be able to stop them before they happen.
  • Periodic cyber security assessments are necessary because companies change, grow, and evolve. When this happens, penetration testing should be carried out to find ways that can improve data safety across the organization.
  • For companies who haven’t done this yet, I always recommend that you define and implement a robust security policy. This is the type of investment worth making because it can have a huge impact on your organization by preventing cyber attacks.

Shobha Mallarapu

@anvayasolutions

Shobha Mallarapu is the president and CEO of Anvaya Solutions, Inc. The company trains employees on cyber security awareness in businesses around the world.

Companies are often attacked by social engineers who…

One of the most common scams is phishing, where an email impersonates a company or government organization to extract information from you. The hacker will use your login and password for sensitive accounts within the company, as well as hijack known emails by sending links that embed malware on your computer.

If someone calls you pretending to be a trusted source or authorized organization, they can make it seem like their call is something important and convince you to give them information that may hurt your company.

It’s important to remember that sharing too much information on social media can enable attackers to guess passwords or extract a company’s confidential information through posts by employees. Security Awareness is the key to preventing such incidents, and policies should be established with training for employees and measures like warnings or other disciplinary actions in place, especially for repeat offenders.

If you are not expecting an email, type the link address instead of clicking on it. Or, call a person to confirm that the email came from them before following any links or providing your personal information (phone number). The same principles apply to phone phishing attacks. Tell them you will call back and get their number by looking up the organization beforehand with Google Voice Lookup. If they do belong to a valid company, make sure to verify this over the phone before calling back.

Elvis Moreland

Elvis Moreland is a Computerworld magazine premier 100 IT leader and CISO.

The most common social engineering attack these days is…

A spear-phishing attack is an email that seems to be from a company you know or trust but contains malicious content.

Countermeasure(s):

1. If you are not sure about the source of a link or attachment, do not open it. Report an unknown sender to your IT department.

2. If the email seems to be from a normal source, ask yourself “Why would they want me to open this link or attachment? Is that normal behavior?” If not, report it!

Before you send out any important email, check the source and content of it. If there is anything suspicious about the email or if you are not sure what to do with it, contact your IT security department.

There are many network security options for companies to protect themselves, including anti-spam filters and SMTP gateways with scanning or filtering mechanisms.

AV and firewalls are not enough to protect you from these types of attacks.
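A filtering mechanism on an SMTP gateway is, at its core, a policy applied to each attachment. The following is an added example written for this article, not code from any quoted expert or from any product: it builds a constructed message with Python’s standard email library and decides per attachment whether to deliver, quarantine or block it, based on executable extensions, double extensions such as invoice.pdf.exe, and legacy or macro-capable Office formats from untrusted senders. The extension lists, the trusted domain, the sample sender and the sample attachments are assumptions, and trusting the From header is a simplification: a real gateway would verify the sender (SPF/DKIM) and scan content rather than rely on names alone.

```python
"""Attachment policy of the kind an SMTP gateway's filtering mechanism applies.

Added example for this article, not code from any quoted expert or product.
It builds a constructed MIME message with the standard library, then decides
for each attachment whether to deliver, quarantine or block it. The extension
lists, the trusted domain and the sample message are assumptions; a production
gateway would also scan content and verify the sender (SPF/DKIM) instead of
trusting the From header.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Executable/script types that are blocked outright.
BLOCK_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar", ".pif"}
# Legacy or macro-capable Office formats: quarantined unless the sender is trusted.
QUARANTINE_EXT = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm", ".rtf"}
# Document/image extensions that a second extension is typically hidden behind.
DOC_LIKE_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
BLOCK_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
TRUSTED_DOMAINS = {"corp.example"}  # constructed: senders allowed to mail legacy Office files


def classify_attachment(filename, content_type, sender_domain):
    """'block', 'quarantine' or 'allow' for one attachment."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in BLOCK_EXT or content_type in BLOCK_CONTENT_TYPES:
        return "block"
    if len(parts) > 2 and "." + parts[-2] in DOC_LIKE_EXT:
        return "block"          # double extension disguising the real type
    if ext in QUARANTINE_EXT and sender_domain not in TRUSTED_DOMAINS:
        return "quarantine"
    return "allow"


def gateway_verdict(raw_message):
    """Parses a raw RFC 5322 message; returns (overall verdict, per-attachment decisions)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _name, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    decisions = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        decisions.append((filename, classify_attachment(filename, part.get_content_type(), sender_domain)))
    verdicts = {d for _, d in decisions}
    overall = "block" if "block" in verdicts else "quarantine" if "quarantine" in verdicts else "deliver"
    return overall, decisions


def build_message(sender, attachments):
    """Constructs a sample message; attachments are (filename, maintype, subtype, bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recruiter@corp.example"
    msg["Subject"] = "New applicant"
    msg.set_content("Please find the documents attached.")
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed sample modelled on the resume.doc lure described earlier in the article.
SAMPLE_ATTACHMENTS = [
    ("resume.doc", "application", "msword", b"\xd0\xcf\x11\xe0 not a real document"),
    ("cover-letter.pdf", "application", "pdf", b"%PDF-1.4 not a real pdf"),
    ("court-notice.pdf.exe", "application", "octet-stream", b"MZ not a real executable"),
]
SAMPLE_MESSAGE = build_message("Careers Portal <jobs@careers-portal.example>", SAMPLE_ATTACHMENTS)

if __name__ == "__main__":
    print(gateway_verdict(SAMPLE_MESSAGE))
```

The verdict is the strictest decision across all attachments, so one disguised executable blocks the whole message even when the other attachments are harmless; a quarantine rather than a block for legacy Office files from strangers keeps legitimate applicants’ résumés recoverable by a reviewer.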

Greg Mancusi-Ungaro

@BrandProtect

Greg Mancusi-Ungaro is a passionate evangelist for emerging technologies, business practices, and customer-centricity. He has led marketing initiatives in the past with Active Risk, Savi Technologies, Sepaton, Deltek, Novell and Ximian.

Social engineering schemes in the past have included…

The stranded traveler scam is a social engineer sending an email to someone claiming they are in need of money. He or she will have access to your company’s emails and be able to create a convincing story for why they can’t use the company system.

A common social engineering attack outside of the business environment is to copy profiles, substitute headshots, and steal an entire online identity. Once they have a stolen identity, it’s only a matter of time before another malicious ask.

Social engineering schemes are the most sophisticated because they use your network to get inside. A social engineer can send you an email pretending to know someone in your company and asking for help getting a job, like sending their resume or cover letter.

Once a social engineer has gained the trust of one person, they’ll use that to gain access to other people or networks. Social engineers usually have their eyes on something bigger than what they’re targeting; it’s just an easy way for them to get what they want.

How can you stop social engineers from succeeding?

As a company, the easiest way to protect your brand is by closely monitoring for unauthorized emails that use your logo. This will help you find out if someone has taken over one of your social domains and can be an indication of identity theft.

One of the easiest ways to reduce social engineering exposure is a simple way: if you’re not sure, don’t help. If they claim that they are your friend and want something from you, call them on their cell phone or email them using another account.

It might seem like common sense, but companies should invest in educating their employees about these and other risks. Just by raising awareness of the dangers, a lot of corporate risks will be reduced.

David Howard

David Howard has been a Certified Ethical Hacker since 2009 and is currently the founder of PPL Hack. David also offers free seminars across the country to teach small business owners how to protect their company data.

The most common types of social engineering attacks are phishing, vishing, and surfing.

As a Certified Ethical Hacker and founder of PPL HACK, I have done numerous intrusion attempts. One method is phishing email where you send out emails that look legitimate, but are actually trying to get the recipient to click on something or install some kind of malware.

One of the most common types of attack is called a wireless man in the middle. That’s when someone places their own WiFi access point inside your environment and all traffic goes through that person, who can then spy on it.

Oren Kedem

@BioCatch

With 15 years of experience in product management, Oren’s areas of expertise are web fraud detection and enterprise security. He has also served in various marketing positions at RSA (now part of EMC) and BMC, covering identity and access management solutions.

There are many common attacks on organizations, such as…

APTs are sophisticated attacks that involve two phases: reconnaissance and attack. Social engineering plays a big role in both of these phases.

Employees are tricked into thinking these attacks come from a trusted source. The attackers will call and email employees to perform actions that seem normal, such as approving transactions or sending contracts for signing.

The first step of an APT attack is reconnaissance. This can take months or even a year to complete, but the criminal patiently waits for this phase.

Social engineering is a type of attack where someone tries to convince you that it’s ok to install malicious software or open a web page. In one famous example, an HR administrator opened an excel sheet attached in an email from her boss with stats on employees’ salaries – but the spreadsheet was actually malware. A few months later, some code stolen from RSA was used as part of another social engineering phone call scam against Lockheed Martin.

So what can organizations do?

Make sure employees know the rules and have a clear understanding of what they’re supposed to do.

Don’t respond to unsolicited communications (email, phone) without verifying the person’s identity. The easiest way is to tell them you will call back and then verify their phone number.

Don’t ever open attachments or go to sites you don’t trust. Your company provides an “unsafe” computer that can be used for accessing any document, but it should never store sensitive data.

You should change your passwords and access them frequently, but unpredictably.


Share ‘war stories’ and industry experience with employees to help them become aware of the threats. They can’t be cautious if they are not aware of what’s out there.

Roberto Rodriguez


@HumanFirewalls

HumanFirewalls is an organization that offers security services for small-mid-sized companies. They offer a variety of different types of service, including Security Awareness Training which trains employees on how to recognize and respond to cyberattacks.

There are a few common types of social engineering attacks that companies need to be on the lookout for.

Phishing & Spear Phishing

Phishing emails are crafted to trick the user into downloading an attachment, clicking on a malicious link, or simply providing sensitive information. These emails can be sent out to an entire company without targeting specific people in that organization.

Cyber criminals are using phishing to break into organizations, and it is becoming more popular than ever. It was ranked #3 on the Verizon Report in 2014, showing that cybercriminals focus less on technology these days because they know how easy it can be to fool someone with social engineering tools like SET (Social Engineering Toolkit). Spam filters are great for stopping spam emails from getting through, but if an attacker knows what he or she is doing then you could easily get tricked by a phishing email. One perfect example would be receiving an email from your bank asking you to call a number provided in the email so they can change your ATM PIN – when really there’s no problem at all! The cyber criminal provides a number where he waits for people who follow his instructions and captures their audio video chat.

How to prevent it?

If a company is proactive about security, it will have a better awareness of the risks and how to reduce them. Security Awareness Training programs are especially helpful in making it easier for people to be aware of their surroundings.

Vishing (Voice and Phishing)

This is a very popular social-based attack that’s used in customer service departments. They might try to satisfy the customer over the phone and end up giving away information about possible targets, hours of operation, financial or personal information, even password resets.

How to prevent it?

You want to make sure that employees understand what information they can and cannot share. Technology such as NAC solutions limits access to data without authorization.

Tailgating or Piggybacking

This is a social-based attack that involves an attacker without authorized access and an employee with a low level of awareness. The way it works is by having the unaware user cooperate and provide the unauthorized person access to a restricted area. This is common in many organizations because there are always people such as delivery guys from different institutions dropping packages and interacting with unaware users, creating a level of comfort and making it a routine. Once again, technology such as swiping cards to get into elevators or open doors in big organizations does not always work, and this is because all it takes is “I forgot my badge, and I am late for a meeting. Would you mind?” to trick the user and gain access.

How to prevent it?

Security Awareness Training, where the user learns about company policies and how to avoid risky behavior in order to keep themselves safe.

Jayson Street


@JaysonStreet

Jayson is an Infosec Ranger at Pwnie Express, a well-known conference speaker, and author of the book “Dissecting the hack: The F0rb1dd3n Network.” Jayson has been with them since before they were acquired by General Dynamics Corp.

Here are some common social engineering attacks…

A common solution to all these problems is enhanced awareness and employee training. Companies need to include security practices as part of their job descriptions, train employees on how to think critically about suspicious activity, and then react appropriately when necessary.

1. Spear Phishing: One of the most common ways that hackers infiltrate your company is through spear phishing. They do this by sending emails to people in your network, making them seem like they are from someone you know and trust when really it’s a hacker pretending to be so.

2. The Rogue Technician: Stealthy social engineers often pretend to be technicians or delivery people, making it easy for them to walk right into the company and physically compromise the network.

3. Malicious Websites: Often, malicious websites are disguised as corporate or partner sites and will prompt visitors to update Java or Adobe software, or install a specific plug-in.

Patricia Titus


@RUSecur

Patricia Titus has 20+ years of experience in security management, and she’s responsible for designing robust information security programs.

Titus recently served as the Vice President and Chief Information Security Officer at Freddie Mac. In this position, she helped to protect information assets while transforming their security program.

Even with all these technical solutions, the weakest link is usually…

Humans should be the ones to protect against this problem, but they need rigorous training and testing in order for it to work.

Common social engineering is when someone tricks or cons employees into giving up information that leads to access to systems and criminal behavior, such as fraud.

To prevent social engineering attacks, it’s important to keep in mind people, processes, and technology. The following steps should be taken into consideration:

People

  • Create a security awareness program for your employees. Make it interactive and interesting to keep them engaged.
  • Create a company-wide campaign to promote social engineering awareness. Train employees, partners, and vendors about the risks of it so they can be prepared.
  • Make sure you have a framework and program for high-trust employees.
  • The employees have access to the most sensitive information in order to do their jobs.
  • They have more of a focus on training and testing than other companies.
  • The company performs background checks periodically, including random drug tests and credit score verification.

Process

  • Identify any data that could be sensitive or cause harm if exposed to social engineering. Then, have a third party assess the security gaps.
  • Decide how to handle sensitive information.
  • Report back to senior management on the results of your social engineering tests both good and bad.
  • I should be testing my employees for social engineering techniques, so I can catch them in the act.

Technology

The technology selection can be very diverse and specific to the data you want to protect from social engineering. It may involve one or more of these programs, but is not limited to them:
  • Data encryption
  • Hashing algorithms
  • Identity and access management
  • A system to monitor and report security incidents or events.
  • The technology is not signature-based.
  • Proxy blocking is a good way to keep your company secure and also avoid spam.
  • We monitor all incoming and outgoing communication for our employees.

Greg Scott


@DGregScott

Greg Scott is a veteran of the IT industry. He started his own company after working at Digital Equipment Corporation but then was bought out by another firm during the dot-com bust.

One of the most common social engineering attacks I’ve seen is…

I get a lot of phishing emails and they seem to come from Amazon, asking for me to open their .zip or document file up. Or sometimes the first names in the email will match someone I know so it makes them more believable.

I took a phone call this morning from somebody with an IP phone in my area code, and they wanted to send me the $100 gift card I had requested last week. When I asked who it was, she said that her company fulfills orders from many customers and so she couldn’t tell me where the order came from.

And then there are those pesky phone scams that try to steal your information.

The best defense against this is to be vigilant. I make sure the email comes from where it says it does and check for any signs of a scam.

Ondrej Krehel


@lifarsllc

Ondrej Krehel is the founder and principal of LIFARS LLC, an international cybersecurity firm. He has more than two decades of experience in computer security and digital forensics. His work has received attention from major news outlets like CNN, Reuters, The Wall Street Journal, and The New York Times.

Social engineering is usually done through email or phone calls. They are also used to get information on the company, such as passwords.

The phishing email tries to trick users into giving up information by looking like the real thing. It’s a popular way of obtaining sensitive information and credentials from people.

Spear phishing is a more sophisticated form of phishing. It’s usually targeted and the attacker will know information about you to make it seem like they’re someone official from your company, so when you click on something in the email, the malware installs onto your computer.

Phone scams are common. They can be part of a larger scam or they can happen on their own.

Part of a larger scam:

Imagine if your bank account credentials were stolen by hackers. You would be unable to transfer money without a unique code that gets sent to your phone.

As a standalone scam:

This is just one of many ways that social engineering can be used in the digital world to commit crimes and victimize innocent people.

Amichai Shulman


@Imperva

Amichai Shulman is the co-founder and CTO of Imperva. Amichai oversees security research for the company, which has been credited with discovering vulnerabilities in commercial Web applications.

Social engineering attacks include…

One of the most powerful tools in an attacker’s arsenal is social engineering. The problem with this type of attack is that it usually takes place over email, and there are a lot of misconceptions about how they work.

Cybercriminals rely on these mass-scale infection campaigns, which can be more effective with smaller distribution lists.

The other day, I got an email from a company that asked if they could send me something. They said it was urgent and would help with my life goals.

1. Try to match the email you send to your target audience, for example, if it is a birthday card then make sure that both spouses are mentioned in the text.

When I received an email from a company that had done business with me in the past, it looked like they were sending out information to everyone on their contact list. It was actually automated and wasn’t coming from them.

2. Spoofing

I recently received a fake email from the company I booked my trip with, which looked to have come from their address. It was actually sent by someone pretending to be them and it could trick many people into giving up information about themselves without realizing what they’re doing.

As the average employee, you’re going to click on things and download attachments. It’s your job to do that. Organizations need a security suite that can detect when something is wrong quickly and quarantine it before anything else happens.

Ken Simpson


@ttul

Ken Simpson is the co-founder and CEO of MailChannels. He has had a passion for software since his father brought home one of the first IBM PCs in 1980, teaching him how to write simple programs in BASIC. Since then he’s combined entrepreneurship with his skill set by participating as an early-stage employee at four different startups that have lasted long enough to be successful, including Voice over IP, Wireless Internet, etc., but mainly anti-spam.

A social engineer might use manipulation to get personal information, for example by pretending to be someone else.

With social engineering, an attacker may have certain information about the employees within a company and he uses that to learn something new – for instance, a password to an internal system. There is this misconception that once someone fakes their way in by pretending they’re from the cable company or some other entity, then all of these credit card numbers are immediately stolen. Professional cybercriminals extract one piece at a time slowly earning their way into deeper parts of organizations.

RSA was famously hacked via social engineering to gain access to the SecurID infrastructure. The first step was for them to send two phishing messages with Excel malware that executed a zero-day attack against their machines.

Spear phishing is the most common social engineering attack in today’s world. It often starts with a message that seems genuine, and if it gets through to one person then they’ll send out more messages until someone clicks on something or installs malware.

Kurt Simione


@TechnologySeed

Kurt started Technology Seed in 2000. He does a little bit of everything, and he loves the challenges that come with IT work. Kurt is often seen at UCLA Bruin games when his kids are playing.

The most common types of social engineering attacks that companies are faced with include…

Email scams haven’t changed much in recent years. They used to be random, but now they are more targeted and deliberate.

Find a company and do your research.

This is a different type of attack than previous ones. It’s not random, it targets specific people.

The attacker buys a domain name that is very similar to the target company’s so they can access it easier.

This new attack is significant because it actually costs the scammer money.

It is important to find the appropriate executives of a company before you start applying for jobs.

A scam is usually a well-written email from someone who wanted to exploit the trust of C-level executives. These emails are often sent when they’re too busy to properly vet their emails.

In the tech world, we find that no matter what steps are taken to protect people from scams or prevent them, end-user training is always best. If something doesn’t feel right or you’re unsure of it, pick up the phone and contact a trusted resource.

Luis A. Chapetti


@CudaSecurity

Luis Chapetti is an engineer and data scientist at Barracuda. He has various responsibilities, including IP reputation systems and Spydef databases on the Barracuda Real-time protection system.

If you want to prevent social engineering attacks, I recommend that…

Once upon a time, hackers and spammers would blast spam phishing emails to as many people as possible. Now they go after the most specific targets in order to get access through malicious attachments or links.

LinkedIn has given a lot of information about employees at any company, and Facebook can help in the attack by not only finding out who are the C-level executives, but also family members that might have access to devices or machines connected with their network.

To be safe, we recommend the following two things to use in social engineering: common knowledge and personal information.

  • I recommend using a mobile device management system that carries the same level of security as your headquarters. It will be on your phone, no matter where you are.
  • Limit the number of people that have access to sensitive data. Be sure only those with credentials can get into it.
  • Hackers can gain information or infect machines by sending out emails. A powerful filter will help protect you.
  • LinkedIn and Facebook should only be used to connect with people you know. It is not an easy way to get more friends or popularity on social media.
  • It is important to educate employees about the risks of these types of social engineering attacks. The more they know, the better off your company will be.

Nathan Maxwell


@CCI_team

Nathan Maxwell is a cyber security consultant, and he helps organizations assess and mitigate risk so they are less vulnerable than the company next door.

Social engineering is a dangerous way for people to gain access into an organization.

The most important part of any company is its employees.

Hackers are using methods that have been the same for years. They leverage data from corporate breaches to create emails tailored specifically to you.

Creative emails will use unusual letter combinations, like “é” vs. “è”, to trick the recipient about who actually sent it.

The most effective way to protect against social engineering is through employee training. Employees should be instructed not to click on links and delete the email if it appears as though they are from Dropbox.

Additionally, it’s a great idea to use an email service that checks every web address as you click on them.
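The accented-letter trick described above (“é” vs. “è”), and the near-miss domain purchases Kurt Simione mentions earlier, can be flagged on the receiving side before anyone has to eyeball the sender. The following Python check is an added example and is not code from any of the contributors: it folds a sender domain to a skeleton (lower-case, punycode decoded, accents stripped, a few confusable characters mapped) and compares it against a constructed trusted list; TRUSTED_DOMAINS, CONFUSABLES and the 0.8 similarity threshold are assumptions for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list for a hypothetical organisation; replace with real trusted senders.
TRUSTED_DOMAINS = ("example.com", "dropbox.com")

# Hand-picked look-alike characters that NFKD folding does not collapse (assumed table).
CONFUSABLES = {
    "0": "o", "1": "l",                     # digits that pass for letters
    "\u0131": "i",                          # Latin dotless i
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u03b1": "a", "\u03bf": "o",           # Greek alpha, omicron
}


def fold_domain(domain: str) -> str:
    """Reduce a domain to a comparison skeleton so 'éxample.com' and 'example.com' agree."""
    d = domain.strip().lower().rstrip(".")
    if "xn--" in d:
        try:
            # Decode punycode labels back to Unicode so the look-alike letter is visible.
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw label if it is not valid punycode
    d = unicodedata.normalize("NFKD", d)
    # Drop combining marks: "é", "è" and "ö" all become their base letter.
    d = "".join(ch for ch in d if unicodedata.category(ch) != "Mn")
    return "".join(CONFUSABLES.get(ch, ch) for ch in d)


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.8):
    """Return (verdict, trusted_domain_it_resembles_or_None) for one sender domain."""
    raw = domain.strip().lower().rstrip(".")
    if raw in trusted:
        return ("trusted", raw)
    skeleton = fold_domain(raw)
    # Same skeleton as a trusted domain but different raw spelling: homoglyph/accent trick.
    for t in trusted:
        if skeleton == fold_domain(t):
            return ("lookalike-homoglyph", t)
    # Otherwise look for near-miss spellings such as an inserted hyphen or dropped letter.
    best, score = None, 0.0
    for t in trusted:
        ratio = SequenceMatcher(None, skeleton, fold_domain(t)).ratio()
        if ratio > score:
            best, score = t, ratio
    if score >= threshold:
        return ("lookalike-near-miss", best)
    return ("unknown", None)


def check_sender(address: str):
    """Classify the domain part of an e-mail address such as 'billing@dröpbox.com'."""
    if "@" not in address:
        return ("invalid", None)
    return classify_domain(address.rsplit("@", 1)[1])


if __name__ == "__main__":
    # Constructed sample senders, not taken from any real mailbox.
    for sample in ("it@example.com", "billing@dröpbox.com", "it@dropb0x.com",
                   "hr@drop-box.com", "news@totallyunrelated.org"):
        print(sample, "->", check_sender(sample))
```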

Kamyar Shah


@kshahwork

Kamyar Shah is a small business advisor who helps companies increase their productivity and profitability. He offers remote CMO, or Chief Marketing Officer services as well.

There are too many different social engineering attacks to name them all, but the most successful ones have a few things in common…

The urgency for a deal is usually created by the potential benefits or penalties.

There are a lot of ways to minimize the impact of a sophisticated attack, but having education and backup is one way that will help reduce successful attacks. Continuous training can aid in reducing overall successful attacks.

Ian MacRae


@encomputers

Ian MacRae has been passionate about technology his entire life. He has been an IT service provider in Washington DC and Virginia since 1997, providing computer repair services to customers. His favorite part of the job includes problem-solving and working with a variety of different people on various projects.

There are three types of social engineering attacks.


2. Phishing is when someone sends an email that looks like it’s from your bank, to get you to divulge personal information.

The easiest way to avoid being a victim of fraud is to remember that if someone asks you for information or money, and it’s out of the ordinary, be cautious. Make sure they verify who they are by voice before completing any requests.

It’s important to be careful when clicking on links in emails. They might take you to a website that will ask for your information.

When I first got my computer, there were a lot of emails coming in from people pretending to be Microsoft or other companies and saying they had something for me. They wanted access to my computer so that they could get into all the stuff I was doing online.

3. Being held ransom.

You might receive an email saying: “We have your password and a compromising video of you, pay us or else.” There are a lot of ways to help prevent any of this from happening to you. First, when you get a new software or system, you need to be trained and not just on how to use it the first time. The training needs to be continual. Education is the best way to keep these criminals from playing into the fear of technology. For example, one of the measures we’ve used is phishing simulators to help people recognize malicious attempts.

If you have an IT help desk, good communication is the best way to prevent social engineering attacks. If not, talk with your provider about how they charge for services and what their hours are so that employees can feel comfortable picking up the phone when suspicious emails or texts come in.

Adnan Raja


@AtlanticNet

Adnan Raja is the Vice President of Marketing for Atlantic.net, a company that specializes in providing HIPAA-Compliant and Managed Cloud hosting.

Cyberattacks are very common in today’s digital workplaces.

The data breach often involves confidential information from a variety of employees, including the CEO and helpdesk colleagues.

A common attack is phishing when third parties try to impersonate a genuine source and send fraudulent communications in the hopes of extracting confidential data. An example would be pretending they are from banks or insurance companies.

Another common attack is whaling, which targets high-ranking executives. This type of cyber attack often relies on hackers who look for people with a higher turnover in their email account or those that have accidentally opened attachments from someone they don’t know.

Outsourcing IT operations to a provider who has an established reputation for security can help prevent social engineering attacks. They offer hardware protection and proactively monitor suspicious activity.

Brandon Schroth


@gwdatarecovery

Brandon Schroth is the Digital Manager at Gillware Data Recovery. He has a background in digital forensics and data recovery.

People who call helpdesks might be trying to trick them for information.

It is possible that a hacker will attempt to gain access to confidential information, such as bank account information. They may try this by asking for password resets or attempting to get more personal details from the call center employees.

Uladzislau Murashka


@ScienceSoft

Uladzislau Murashka is a Certified Ethical Hacker who has been working in the field of penetration testing for six years. His spheres of competence include reverse engineering, black box, white box, and gray-box application penetration tests as well as bug hunting and research work on Information Security.

Cyberattacks are the most common security threats that companies face. The types of attacks include social engineering like phishing emails and identity theft.

Companies should also train their employees on how to use complex passwords and not log in with a company email address. This way if they get hacked, the hacker can’t access information from other sites.

The term “social engineering” is often used to describe a hacker’s attempt at obtaining unauthorized information by exploiting human trust or credulity. Phishing scams are an example of social engineering.
