Oh my goodness...!
Not too long ago, I wrote a "Social Engineering" blog that I thought was pretty detailed. It discussed the different types of social engineering in depth, the warning signs, and what steps to take if you think you have been victimized.
It truly is the Wild West out there. Cyber criminals are clever, move faster than the law, and constantly come up with more creative ways to get what they want.
So consider this "Social Engineering" Part II: my and Alcala Consulting's attempt to educate and inform about the ever-present battle between us and the cyber criminal. The truth is that a social engineering attack can be devastating to a business, and awareness is often the most effective tool in your arsenal against it.
In my continuing research, I have identified the five types of social engineering attack that could do the most harm to your business if you and your employees are not aware of them:
Baiting
Baiting involves dangling something you want in order to entice you into taking an action the criminal desires. It can be a music or movie download on a peer-to-peer site, or a USB flash drive with a company logo labeled “Executive Salary Summary Q1 2013” left out in the open for you to find. Once the file is opened or the device is plugged in, your computer is infected with malicious software that gives the criminal a foothold inside your network.
Phishing
Phishing involves fake emails, chats, or websites designed to impersonate real systems with the goal of capturing sensitive data. A message might appear to come from a bank or other well-known institution asking you to “verify” your login information, and the link leads to a mocked-up login page with all the right logos. It could also be a message claiming you are the “winner” of some prize or lottery coupled with a request to hand over your bank details, or a charity plea after a big natural disaster with instructions to wire money to the “charity”, which is really the criminal.
Pretexting
Pretexting is the in-person or over-the-phone counterpart of phishing: someone impersonates an authority figure or a person you trust in order to get your login information or access to your systems. It can take the form of fake IT support needing to do maintenance, or a false investigator performing a company audit. The attacker might impersonate co-workers, the police, tax authorities, or other seemingly legitimate people to gain access to your computer and information.
Quid Pro Quo
Quid Pro Quo is a request for your information in exchange for some compensation. It could be a free T-shirt or access to an online game or service in exchange for your login credentials, or a “researcher” asking for your password as part of an experiment in exchange for $100. If an offer sounds too good to be true, it probably is.
Tailgating
Tailgating is when someone follows you into a restricted area or system. Traditionally, this is someone asking you to hold the door open behind you because they “forgot” their company access badge. But it can also take the form of someone asking to borrow your phone or laptop to perform a simple task when they are actually installing malicious software.
How do you avoid being a victim?
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. Do not follow links in such messages; type the address you already know into your browser instead.
- Don't send sensitive information over the Internet before checking that the site uses HTTPS and that the address is the one you expect. A padlock icon only means the connection is encrypted; it does not prove the site belongs to the company it imitates.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
- Take advantage of any anti-phishing features offered by your email client and web browser.
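The advice above to look closely at a URL is easier to follow with a tool than by eye. The following is an added example written for this post, not code from Alcala Consulting or any product it sells. It compares the hostname in a suspicious link against a short, constructed allow-list of domains you actually use (examplebank.com and ftc.gov are assumptions) and goes a little beyond the text: besides the misspelling and wrong-TLD cases described above, it also catches a trusted name buried as a subdomain of somebody else's domain, digits and letter pairs substituted for look-alike characters, and the user@host trick where the real destination comes after an @ sign.

```python
"""Lookalike-domain check for links in suspicious messages.

Added example, not code from the original post or from Alcala Consulting.
TRUSTED_DOMAINS and every URL used with it are constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumption: a short allow-list of registrable domains the reader actually uses.
TRUSTED_DOMAINS = ("examplebank.com", "ftc.gov")

# Digits and letter pairs that attackers swap in for visually similar characters.
_CONFUSABLE_CHARS = str.maketrans("0135", "oles")
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(label: str) -> str:
    """Fold a hostname label to the characters it is designed to resemble."""
    label = label.lower()
    for pair, single in _CONFUSABLE_PAIRS:
        label = label.replace(pair, single)
    return label.translate(_CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Extract the lower-cased hostname; tolerate links pasted without a scheme.

    urlsplit drops any user@ prefix, so https://examplebank.com@evil.net
    correctly yields evil.net rather than the trusted name.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def classify_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain or None).

    Verdicts: trusted, subdomain_trick, different_tld, lookalike, typosquat, unknown.
    Assumption: the registrable domain is the last two labels; multi-part
    public suffixes such as co.uk are not handled by this demonstration.
    """
    host = hostname_of(url)
    labels = host.split(".")
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return "trusted", domain
    cand_sld, cand_tld = (labels[-2], labels[-1]) if len(labels) >= 2 else (host, "")
    for domain in trusted:
        dom_labels = domain.split(".")
        dom_sld, dom_tld = dom_labels[0], dom_labels[-1]
        n = len(dom_labels)
        # examplebank.com.account-verify.net: the trusted name is only a subdomain.
        if any(labels[i:i + n] == dom_labels for i in range(len(labels) - n)):
            return "subdomain_trick", domain
        if cand_sld == dom_sld and cand_tld != dom_tld:
            return "different_tld", domain
        if normalize(cand_sld) == normalize(dom_sld):
            return "lookalike", domain
        if edit_distance(cand_sld, dom_sld) <= (2 if len(dom_sld) > 6 else 1):
            return "typosquat", domain
    return "unknown", None


if __name__ == "__main__":
    for link in ("https://www.examplebank.com/login", "https://examplebank.net/verify",
                 "https://examp1ebank.com/verify", "https://examplebank.com.account-verify.net/login",
                 "http://exampelbank.com", "https://examplebank.com@evil.net/login"):
        print(link, "->", classify_url(link))
```

Anything other than "trusted" means you should not log in through that link; go to the company's site by typing the address you already know, or call the number printed on a previous statement, exactly as the list above advises. The checker is deliberately strict rather than clever: an unknown domain is treated as unknown, not as safe.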
What do you do if you think you are a victim?
- If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplained charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
- Watch for other signs of identity theft.
- Consider reporting the attack to the police, and file a report with the Federal Trade Commission (https://www.ftc.gov/).
The human element gets in our way at times, lulling us into the false security of thinking "it will never happen to us." But sometimes the con artists are clever enough to fool the most cautious of people. Understanding the types of social engineering attacks is the first step towards preventing them. A good rule of thumb is to always have a good on-premises or cloud backup in place. If something does happen to your information and data, you'll be glad you have a copy.
We welcome you to contact us with further questions on this subject. Don't allow your business to be a sitting duck. Gather as much information as you can and share it with your staff. And remember, Alcala Consulting offers free consultations and is here for you, 24/7.