Do you have iron-clad defense systems in place to secure your organization? If your employees aren’t trained to recognize some of the most common social engineering tricks, your system still has a wide-open gap.
These tactics help criminals fool unsuspecting employees by getting them to hand over the goods. Social engineers seek access to information, systems or secure buildings — and these criminals get what they want by taking advantage of human psychology.
How to Spot Common Social Engineering Tricks
What are some of the most common tricks used by social engineers? Explore four that frequently trip up well-meaning employees — and learn how to educate users so they can be prepared to ward off these nefarious methods.
1. Going Phishing
Phishing has been around since near the beginning of email — and it is sadly not going anywhere. Approximately 250 million phishing redirection attempts were detected by security firm Kaspersky in 2017. Phishing techniques have evolved and become more sophisticated over the years. Spear phishing, for example, refers to a phishing email that is created with specific information intended to fool a specific target.
According to the Infosec Institute, attackers use email, SMS, social media and instant messaging to trick victims into providing sensitive information or visiting a malicious URL in an attempt to compromise their systems.
Do any of these email subject lines sound familiar?
- Your account has been locked! Click here to gain access and unlock it.
- You owe the Internal Revenue Service $2,300 in taxes. See the notice in this attachment — pay now or face jail time!
- Someone sent you $1,000. Click here to claim your money!
What can you do to combat this trick? Educate employees to notice the hallmarks of phishing emails (e.g., misspellings) and make sure they understand that certain official transactions just don’t take place via email. A bank, for example, will never email to advise of an account lock. If the employee is concerned, he or she should contact their bank directly and never click on a link or an attachment in a suspicious email.
2. The Other Kind of Tailgating
Gaining access to a secure office or building is often just as lucrative for a criminal as getting into a computer. Many social engineers take advantage of smoking areas or busy doorways to trick employees into letting them into unauthorized places.
The ruse goes like this: The criminal smokes a cigarette in an area where smokers who work in the building take their breaks. When the employees finish, the attacker slips in with them when they use their access badges to open the door. No one suspects the casual fellow smoker! Tripwire outlined another technique that involves a social engineer posing as a delivery person.
What can you do to combat this trick? Let employees know that even if someone looks OK, it is important to follow the rules for building access. If someone asks to be let in because he or she has a delivery — or because he or she claims to have forgotten their access badge — the employee must verify their identity first.
3. Crank Call: Phone Impersonation
One common scenario involves a social engineer who calls and claims to be IT support.
“Hello, this is the help desk,” he or she will say. “We’re noticing some strange activity to your machine. We need access.”
The helpful employee will begin to work with the technically savvy criminal to allow him or her remote access. Then, it’s all over! Once he or she gets into the machine, the social engineer has access to all the files and systems.
According to CSO, a social engineer might also call and pretend to be a fellow employee or a trusted outside authority, such as a law enforcement officer or an auditor. A social engineer might learn the corporate lingo to make the person on the other end think he or she is an insider. Another successful technique involves recording the “hold” music a company uses.
What can you do to combat this trick? Employees should be aware that phone scams are a common tactic of criminals. As with tailgating, they must be trained to verify. That doesn’t mean calling the person back at a number he or she provides — because criminals are prepared for this. It means getting off the call, calling the corporate number listed for the actual help desk and asking them to confirm someone is trying to reach them about their machine.
4. Oversharing: Social Media Pretexting
Criminals often create fake social media profiles to collect information from people they connect with for later use. By learning more about their targets (e.g., where they work, where they live, whom they know), criminals can send convincing messages asking for money — or encouraging their victims to click on malicious links or download malware-laden documents. On LinkedIn, for example, a criminal might send fake job inquiry with bad links in the message.
What can you do to combat this trick? Employees must understand that the more they post about themselves on social media, the more information they are giving to potential hackers. This information can be used to exploit them or their employer. While sharing is the wonderful experience inherent to social media use, it also comes with risks. A user should always have their guard up during interactions with new connections, and all communications should be verified. Privacy controls should be checked regularly and secured as tightly as possible.
Social engineers will always have a new trick up their sleeves but learning about some of the most common tactics could help you — and your employees — stay one step ahead of modern criminals.
Listen to the podcast: Social Engineering 101 — How to Hack a Human