Social Engineering and Phishing

The Prince of Azerbaijan needs your help! His bank accounts have been frozen and he needs a loan. Just a small loan, a couple thousand dollars. He will totally pay you back. He promises. And he’ll pay you back with interest! Pretty sweet deal, right?

Fraudulent attacks like this are a tactic that falls under the umbrella of Social Engineering. Phishing, Spear Phishing, Vishing, and Baiting are all tactics used by hackers and scammers to gain access or information from companies and end users alike in order to steal funds or confidential information like social security numbers and bank accounts/routing numbers.

There’s a really good chance you’ve received an email like that, or someone you know has. It seems ludicrous, but this kind of wide-net casting phishing emails fool plenty of people. But this sort of phishing tactic is falling out of favor with scammers. Email filters are now more likely to catch spam like this than in the past.

Phishing, however, has evolved into Spear Phishing. As the name implies, this tactic is far more targeted. Instead of a wide net, scammers pick a few targets from a company and personalize emails to those people. They will pose as coworkers or friends and attempt to get secure information like login credentials or account information and enter a business’s secure network to grab any and all information they can access.

The best way for any person or company to protect themselves from a scam is education and awareness. Be aware of your online presence and the information you are sharing via social media, and with whom you are sharing.

Spear Phishers use your online presence against you. It is really easy to do. Think about how much information you’ve posted to social media. And, if you’re a businessperson there is a great chance you have a LinkedIn account. That account most likely includes your name, current company, current position, photos, connections to coworkers and vendors. And if someone is connected to you they can view contact information that you provide—bare minimum is the email address that you use to sign into LinkedIn. However, a thoughtful Spear Phisher would only need your name and current organization to guess your work email address. Most companies follow the same handful of formats for email accounts, so a scammer sends three or four emails at different variations of your name @ your company and hopes that one of them is a hit.

From there the Phisher will use the information they’ve gathered from social media to craft an email specific to you, greet you by name, mention specifics—a vacation you took recently, a sporting event, a work function and they’ll attempt to maintain a conversation as they pose as a friend or coworker with some excuse as to why you don’t recognize their email address. Then they’ll dig for information after you’re more comfortable with them. And then boom, they’ve got access to a secure network and can dig for information with more financial implications.

Or, a Spear Phisher will pose as a vendor and attach a document to an email (most often a Word document) that is titled something like “Invoice” or “Bill” and is laden with malware that gives them remote access to your workstation and depending on your level of access they can have free reign on the system.

According to Symantec’s Internet Security Threat Report for 2015, Spear Phishers targeted the Financial, Insurance, and Real Estate industries more than any other industry. This makes sense considering that hackers could Spear Phish an individual that had access to account information and ATM’s and could then remotely retrieve funds. The Services industry was highly targeted as well. Phishers will attempt to procure information from a Managed IT Help Desk by posing as a client and requesting credentials via email. Fortunately, that is one of the least likely industries for that kind of fraud to work, but it happens.

Besides fraudulent emails, Social Engineers will use less technological means of fraud to steal information. Known as Vishing, phishing over the phone is a method used to procure credentials from customer services reps. With a little bit of information about an individual and a lot of confidence an attacker can milk important info out of a customer service representative. There are also in-person means of Social Engineering. Tailgating is a method used to gain physical access to a secure area where employees use keycards. It’s simple. The scammer, confident, looking like they belong and possibly wearing fake badges or keycards will follow behind employees when they go through secure doors. If they make it into an area they can access workstations or servers and install malware or use stolen login credentials to access anything and everything they can. Along those lines, Baiting involves leaving a disc or USB drive in an area where it may be picked up by a curious employee who will then plug it into their computer. Of course, there won’t be anything fun or useful on the disc/drive, but there will be malware capable of giving remote access to the baiter. These tactics aren’t nearly as common as Phishing or Spear Phishing because they’re more time intensive and difficult.

The best way for any person or company to protect themselves from a scam is education and awareness. Be aware of your online presence and the information you are sharing via social media, and with whom you are sharing. For instance, who can see your Facebook account? Personally, I keep my account unavailable to anyone that I’m not “Friends” with. If someone searches for me they will see my name and profile picture—that’s it. If that is not how your account is set up, then you may want to review your security settings. LinkedIn is a bit different though, and a little tricky. It’s about creating business connections, meaning people that may not know you/you may not know can visit your page and see the information you have listed—including posts you’ve shared and your interests. Just be conscious of what you post and who you connect with. Always review the profile of any unknown individuals that connect with you. Many Social Engineers will create fake accounts on social media in order to legitimize their presence, and many times fake social media accounts are easy to spot. There will be a bare minimum of information provided, odd/unprofessional email addresses, and/or poor quality profile pictures.

Be less social.

Aside from being a hermit, there is no way to completely avoid the potential of a Spear Phishing attack or any other Social Engineering. No one is safe. According to the Symantec report, 43% of Spear Phishing attacks were perpetrated against small businesses (250 or fewer employees). That is up from 18% in 2011. This may be because large enterprises are more likely to have a high levels of security measures and training in place now compared to SMB’s. A lot of SMB’s may not have the time or resources to properly secure and train their business.

There are a few simple and easy guidelines everyone can/should follow when it comes to email security and Social Engineering. Always look at the email sender. If you receive a suspicious email, verify if it is from a trusted source. If an email includes a link to a website or file, hover over the link and make sure it isn’t going to send you somewhere you don’t want to go. Hyperlinks can be created that look legitimate but actually link to somewhere else entirely. For example, hover over this link: https://www.google.com/. Also, only download attachments from sources you know and trust. Social Engineers like to use Word files in their Spear Phishing. Last year 40% of Spear Phishing email attachments with malicious intent were .doc files. And don’t relay credentials via email. If a “friend” or “coworker” is asking for a username/password, call them and verify their request.

Be less social. Make sure your social media presence doesn’t give away any critical information that could be used to access your account. Don’t befriend bots, restrict viewing access to your accounts to only those you are friends with. Definitely don’t divulge company information. And always be prepared. Atomic Data can provide your business with customized solutions to fit your needs. The Atomic Mail Filter can keep unwanted emails from reaching your inbox. Crashplan and Blackbox backups will keep your workstations and servers backed up in case the worst does happen and we can help create a Disaster Recovery playbook in the event that you need to wipe the slate clean and restore your data to point in time before it was compromised. But, most importantly, don’t give out your passwords!