Wednesday 5th September 2018
by Ken Walshe
Social Engineering – common techniques and how to prevent them
Social Engineering, in the context of information security (which is of course one of Trilogy’s areas of expertise), is the use of deception to manipulate people into revealing personal or confidential information for fraudulent purposes.
Social Engineering is the most successful way of getting into a company’s systems. Only about 3% of malware exploits a technical flaw. The other 97% tries to trick us. And it doesn’t matter if you use a PC or a Mac.
Phishing is a classic example. An email is crafted to look so convincing that you click on the links and visit a website that also looks completely legitimate… but it isn’t. About 91% of data breaches come from phishing.
Examples of Social Engineering
- The latest one. On 16 August 2018 the Irish Gardaí issued a warning about a scam that tries to get a person to buy iTunes gift cards. The victim receives an email or phone call from an organisation claiming that they are owed money and that immediate payment must be made via iTunes gift cards (which should make you very suspicious in itself). The scammers then ask for the 16-digit iTunes code and happily spend it.
- The FedEx one. This did the rounds for a long time. It appeared to be an email from FedEx stating that they couldn’t deliver a parcel, and asked you to click on a link (or open an attachment) to arrange delivery. Clicking on the link infects your computer. Sometimes the email looks as though it has come from within your organisation (this is called email spoofing).
- The Tax back one. I know a number of people (myself included) who have received the email stating they are due a tax refund. It looks genuine as it uses the correct colours and logo for the department. This one also comes in the form of phone calls. If it’s too good to be true, it usually is! Here’s the UK one:
- The Dropbox one. This involves a fake Dropbox password-reset phishing email (there are many versions of this, including an iCloud password reset, which is often how hackers get access to celebrity photos). When the link is clicked, users go to a page saying their browser is out of date, with a “button” linking to the update. Clicking this installs a Trojan.
- The ransomware one. We all know about this. A company is hit by ransomware every 40 seconds. It’s so famous that hardly a week goes by without one of our favourite TV programmes including a plot involving a ransomware attack.
- The Facebook message one. This is the scam about a celebrity who may (or may not – fake news) have just died. Clicking a link to see an exclusive video leads to a bogus BBC News page which tries to trick people into clicking on links that lead to scam online surveys.
- The bank one. Our banks are still warning us about this. Of course, the first hint of it being suspicious is when we get emails from banks we don’t actually have accounts with. Barclays and Lloyds are big banks in the UK, but few people have accounts with them in Ireland and the hackers use their names quite frequently.
Carbanak was the nickname given to a successful social engineering attempt in 2015 that netted over a billion dollars for the bad guys. It involved a spoofed email containing a link to malicious code that spread when clicked. The hackers were able to see and record everything to figure out how the system worked. They then conducted a series of transactions such as inflating bank account balances then diverting the surplus to their own account.
How to prevent being affected by social engineering
- Think before you click.
- Hover over the link to inspect the URL before clicking – see if it says what you expect it to say.
- If it’s too good to be true, it probably is.
- Backup, backup, backup.
- Regularly test the backups.
- Train your staff.
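As an added illustration of the “hover and inspect the URL” check (this is example code, not Trilogy’s): a small Python routine that scans an HTML email body for links whose visible text or real destination does not match the organisation’s legitimate domain. The sample body and the domain courier.example are constructed for the example, in the style of the parcel-delivery scam described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased host of a URL or bare domain (scheme added if missing)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def suspicious_links(html, expected_domain):
    """Return (visible text, href, reason) for links that do not go where the
    reader would expect: text shaped like a URL that points elsewhere, or a
    destination outside expected_domain and its subdomains."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = _host(href)
        shown = _host(text) if re.search(r"\w+\.\w+", text) else ""
        if shown and shown != real:
            findings.append((text, href, "visible text and destination differ"))
        elif not (real == expected_domain or real.endswith("." + expected_domain)):
            findings.append((text, href, "destination is outside " + expected_domain))
    return findings

# Constructed sample body (not a real message); courier.example is a placeholder.
SAMPLE = """<p>Your parcel could not be delivered.</p>
<a href="http://track.courier-example-delivery.net/x">https://courier.example/track</a>
<a href="https://www.courier.example/help">Help centre</a>
<a href="http://courier.example.secure-login.net">Reschedule delivery</a>"""
```

Running `suspicious_links(SAMPLE, "courier.example")` flags the first and third links; the second is a genuine subdomain and passes.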
From an organisational point of view, it is vital to create an information security culture so we recommend you have an ongoing corporate security awareness programme.