Social Engineering

It's 4:30 PM. You're finishing up work and are almost ready to wrap up the day when the familiar chime of your email inbox sounds. The email, from what appears to be your company's Human Resources (HR) department, has "Urgent" in the subject line. As you skim it, the sentence "Please update your personal information today to make sure your health insurance stays active" jumps out at you. The immediate emotional response to the fear of losing health insurance has you, without hesitation, clicking the link to update the information right away. The link takes you to a login page that looks like the usual employee portal, where you enter your credentials. You click the "login" button and are taken to a blank screen with a "loading" wheel that spins and spins. After refreshing the page a few times, the wheel still doesn't take you to your profile. You shrug. Maybe the server is down for a bit. You close the tab and plan to try again tomorrow. When you try again the next morning, you notice that the "From" address does not use your company's correct domain and that the email has a few typos.

This was a social engineering attack: you unknowingly and innocently handed a hacker your company login credentials, a way into the corporate computer system, and several hours inside that system before anyone became aware and could begin mitigation.

Social engineering is psychological manipulation that takes advantage of human error and human vulnerabilities to obtain sensitive information or provoke an action that benefits a threat actor, such as downloading malicious software, visiting unsafe websites, or sending money to criminals. Threat actors can use that information to gain access to private accounts, corporate systems, or proprietary information, or to further exploit the weaknesses of an individual. Social engineering attacks are typically targeted, which means the threat actors have done some research on their victim. According to a study reported by Purplesec, 98% of all cyberattacks involve some type of social engineering. Additionally, according to two studies from Barracuda Networks, small businesses of fewer than 100 employees experience 350% more social engineering attacks than employees of larger enterprises, and the average organization is targeted by over 700 social engineering attacks annually. In 2020, these social engineering attacks cost companies an average of $130,000, with damages climbing into the millions of dollars, according to the FBI.

The life cycle of a social engineering attack typically follows four steps:

  1. Investigation: The threat actor researches their victim, whether an individual or a business, including interests, hobbies, frequented locations, information on the business's IT systems, and information on the company's hierarchy and access programs. Based on what information is publicly available, the threat actor decides who and what to target. For example, a threat actor could find that the executive assistant to the CEO posts publicly and likely has access to information within the company system that interests the threat actor.

  2. Hook: The threat actor engages with their target and uses manipulation informed by their research to establish a relationship. The threat actor uses an attack vector to gain access to information (such as phishing, baiting, tailgating, pretexting, quid pro quo, scareware, or a watering hole attack). In our example, the threat actor could send a social media message to the CEO's executive assistant and start a conversation based on a common interest.

  3. Play: The threat actor uses the rapport built with their target to gain sensitive information or access. For example, the threat actor emails an infected attachment to the executive assistant, who opens it because they believe they know and can trust the sender based on their social media conversations.

  4. Exit: Once the threat actor has achieved their goals, they begin to retreat and cover the "tracks" of their attack, including erasing digital footprints. In our example, the threat actor now has access to the company's computer system and will likely cut off communication with the assistant, but with a plausible reason, so that the assistant does not suspect they were the victim of a social engineering attack.

Since these attacks are typically targeted, there are a variety of hooks and measures a threat actor can use to achieve their goals. For example, while one person may fall for an email phishing scam, another may be caught off guard during a busy after-school schedule of shuttling kids from one activity to another and give information to someone impersonating a vendor, such as a phone company. At Du-Zel, our goal is to keep our clients from becoming targets of a social engineering attack by stopping a threat actor in the 'investigation' stage. Here are a few general preventative measures:

  • Keep your social media accounts private so that others can't passively gather personal information and use it to tailor an attack specifically to you.

  • Do not trust or call numbers from pop-up messages, text messages, or emails. Instead, find a customer service number from the company’s actual website if a phone call is necessary.

  • If you receive a request from someone within your organization that seems new or out of the blue, check the sender's email address and make sure it matches the domain your organization uses.

  • Run routine malware scans on your devices to make sure they are free of malware and other harmful software.

  • Use a unique and complex password for every account. You can store these passwords in a password keeper.

  • If you believe an account has been compromised, change the password immediately. If the account is or has ever been linked to your bank or other monetary accounts, check your financial statements. Inform those companies, and ask them to help you look out for unusual activity.

  • When it comes to websites, go to the login page by typing the site's URL yourself; don't log in from a link in an email.
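The two red flags in the story above (a "From" address on the wrong domain, and a login link that points somewhere other than the real employee portal) are mechanical checks, and the "check the sender's domain" advice can be automated for an inbox or mail gateway. The script below is an added example for this article, not Du-Zel's code or any product's. It assumes a hypothetical organization domain `example-corp.com`, uses a constructed sample email, and treats any domain within two character edits of the real one as a look-alike; all of those are assumptions, not facts from the page.

```python
"""Flag sender and link domains in an email that do not belong to the organization.

Added example for the Du-Zel social engineering article; everything here
(the organization domain, the sample email, the edit-distance threshold)
is a constructed assumption, not something taken from the article.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organization domain (assumption for this example).
ORG_DOMAIN = "example-corp.com"
# A domain this close to ORG_DOMAIN is treated as a look-alike (assumption).
LOOKALIKE_MAX_EDITS = 2


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of_address(header_value: str) -> str:
    """Pull the domain out of a From: header such as '"HR" <hr@example.com>'."""
    _display_name, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (portal.example.com -> example.com).
    Real deployments should use the public suffix list; this is an assumption."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(host: str, org_domain: str = ORG_DOMAIN) -> str:
    """Return 'ok', 'lookalike', or 'external' for a host name."""
    base = registrable(host)
    if base == org_domain:
        return "ok"
    if _edit_distance(base, org_domain) <= LOOKALIKE_MAX_EDITS:
        return "lookalike"
    return "external"


def extract_links(body: str) -> list:
    """Find http(s) URLs in a plain-text body."""
    return re.findall(r"https?://[^\s\"'<>]+", body)


def analyze(raw_email: str, org_domain: str = ORG_DOMAIN) -> list:
    """Return (where, domain, verdict) findings for the sender and every link."""
    msg = message_from_string(raw_email)
    findings = []
    from_domain = domain_of_address(msg.get("From", ""))
    verdict = classify_domain(from_domain, org_domain)
    if verdict != "ok":
        findings.append(("from", from_domain, verdict))
    for url in extract_links(msg.get_payload()):
        host = urlparse(url).hostname or ""
        verdict = classify_domain(host, org_domain)
        if verdict != "ok":
            findings.append(("link", host, verdict))
    return findings


# Constructed sample modelled on the story: the sender's domain swaps a zero for
# the letter "o", and the "portal" link uses the same look-alike domain.
SAMPLE_EMAIL = """\
From: "Human Resources" <hr@example-c0rp.com>
To: employee@example-corp.com
Subject: Urgent: update your information today
Content-Type: text/plain

Please update your personal information today to make sure your
health insurance stays active: https://portal.example-c0rp.com/login
"""

if __name__ == "__main__":
    for where, domain, verdict in analyze(SAMPLE_EMAIL):
        print(f"{where:4}  {domain:28}  {verdict}")
```

Running it prints two `lookalike` findings, one for the sender domain and one for the link host. The look-alike rule is the part worth tuning: a mismatch that is far from the real domain is simply an external sender and may be legitimate, but a domain one or two characters away from your own almost never is.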

If you have any questions regarding social engineering or would like to better understand how to make yourself a hard target, please send us a message.
