Light Dark
May 21, 2018 By Joan Goodchild 4 min read
Fraud Protection
Data Protection

Do you have iron-clad defense systems in place to secure your organization? If your employees aren’t trained to recognize some of the most common social engineering tricks, your system still has a wide-open gap.

These tactics help criminals fool unsuspecting employees by getting them to hand over the goods. Social engineers seek access to information, systems or secure buildings — and these criminals get what they want by taking advantage of human psychology.

How to Spot Common Social Engineering Tricks

What are some of the most common tricks used by social engineers? Explore four that frequently trip up well-meaning employees — and learn how to educate users so they can be prepared to ward off these nefarious methods.

1. Going Phishing

Phishing has been around since near the beginning of email — and it is sadly not going anywhere. Approximately 250 million phishing redirection attempts were detected by security firm Kaspersky in 2017. Phishing techniques have evolved and become more sophisticated over the years. Spear phishing, for example, refers to a phishing email that is created with specific information intended to fool a specific target.

According to the Infosec Institute, attackers use email, SMS, social media and instant messaging to trick victims into providing sensitive information or visiting a malicious URL in an attempt to compromise their systems.

Do any of these email subject lines sound familiar?

  • Your account has been locked! Click here to gain access and unlock it.
  • You owe the Internal Revenue Service $2,300 in taxes. See the notice in this attachment — pay now or face jail time!
  • Someone sent you $1,000. Click here to claim your money!

What can you do to combat this trick? Educate employees to notice the hallmarks of phishing emails (e.g., misspellings) and make sure they understand that certain official transactions just don’t take place via email. A bank, for example, will never email to advise of an account lock. If the employee is concerned, he or she should contact their bank directly and never click on a link or an attachment in a suspicious email.

2. The Other Kind of Tailgating

Gaining access to a secure office or building is often just as lucrative for a criminal as getting into a computer. Many social engineers take advantage of smoking areas or busy doorways to trick employees into letting them into unauthorized places.

The ruse goes like this: The criminal smokes a cigarette in an area where smokers who work in the building take their breaks. When the employees finish, the attacker slips in with them when they use their access badges to open the door. No one suspects the casual fellow smoker! Tripwire outlined another technique that involves a social engineer posing as a delivery person.

What can you do to combat this trick? Let employees know that even if someone looks OK, it is important to follow the rules for building access. If someone asks to be let in because he or she has a delivery — or because he or she claims to have forgotten their access badge — the employee must verify their identity first.

3. Crank Call: Phone Impersonation

One common scenario involves a social engineer who calls and claims to be IT support.

“Hello, this is the help desk,” he or she will say. “We’re noticing some strange activity to your machine. We need access.”

The helpful employee will begin to work with the technically savvy criminal to allow him or her remote access. Then, it’s all over! Once he or she gets into the machine, the social engineer has access to all the files and systems.

According to CSO, a social engineer might also call and pretend to be a fellow employee or a trusted outside authority, such as a law enforcement officer or an auditor. A social engineer might learn the corporate lingo to make the person on the other end think he or she is an insider. Another successful technique involves recording the “hold” music a company uses.

What can you do to combat this trick? Employees should be aware that phone scams are a common tactic of criminals. As with tailgating, they must be trained to verify. That doesn’t mean calling the person back at a number he or she provides — because criminals are prepared for this. It means getting off the call, calling the corporate number listed for the actual help desk and asking them to confirm someone is trying to reach them about their machine.

Related: Social Engineering: A Trick as Old as Time

4. Oversharing: Social Media Pretexting

Criminals often create fake social media profiles to collect information from people they connect with for later use. By learning more about their targets (e.g., where they work, where they live, whom they know), criminals can send convincing messages asking for money — or encouraging their victims to click on malicious links or download malware-laden documents. On LinkedIn, for example, a criminal might send fake job inquiry with bad links in the message.

What can you do to combat this trick? Employees must understand that the more they post about themselves on social media, the more information they are giving to potential hackers. This information can be used to exploit them or their employer. While sharing is the wonderful experience inherent to social media use, it also comes with risks. A user should always have their guard up during interactions with new connections, and all communications should be verified. Privacy controls should be checked regularly and secured as tightly as possible.

Social engineers will always have a new trick up their sleeves but learning about some of the most common tactics could help you — and your employees — stay one step ahead of modern criminals.

Listen to the podcast: Social Engineering 101 — How to Hack a Human

 |  |  | 
Joan Goodchild
Contributor

More from Fraud Protection
March 13, 2024

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

March 7, 2024

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature