7 Social Engineering Attacks on Small Business
Social Engineering is when a cyber criminal attacks an organization by exploiting the people within it. Unlike the picture painted in movies and television of a hacker well versed in gaining access to a system through complex coding, social engineering leverages human psychology to gain access to their target.
A social engineer might not even know how to code, but if they know how to play the people with an organization that can gain access easier and faster than a brute force attack. With a good personality, a social engineer can talk themselves into any office…whether they say they’re there for a meeting, a sales call, maintenance, or some other gimmick that is easily believable.
Social Engineering Small and Medium Sized Businesses
Small business owners are often surprised to hear they are targeted by cyber criminals through social engineering, but there’s a reason that a majority of SMBs are seeing an increase in attacks in 2018. One big reason is that they do not invest heavily into cyber security, unlike most big businesses which makes it much easier to attack the SMB. Sometimes the SMB isn’t even the target, and social engineers aren’t interested in the small businesses information, but rather leveraging the SMB victim to gain access to bigger customers. They essentially use the SMB as a trojan horse to access their bigger customers. Finally, new attacks and leveraging social engineering makes it cheaper to attack a small business so cyber criminals can automate thousands of attacks at a time, without a particular target. They know that if a small percentage of those thousands targeted actually pay, it’s worth the effort.
7 Social Engineer Attacks
1. Phishing
The most common and hottest topic in social engineering is phishing. Phishing is a technique in which cyber criminals attempt to steal information like usernames, passwords, financial information, customer information, or other important information by acting a trustworthy source.
Phishing used to be thought of as easy to recognize like the Nigerian Prince with riches to share if you just respond to their email. Unfortunately, phishing emails have become much more sophisticated as they now look like sites you use everyday such as Amazon, Best Buy, or your bank. If you’re looking for examples of phishing emails, we published 6 Examples of Phishing and How to Identify Them, and posted a SlideShare so you can easily share with employees to raise awareness.
This brings us to a social engineering technique that’s even more targeted than a phishing attack called spear phishing.
2. Spear Phishing
Spear Phishing is similar to phishing, but unlike phishing that is typically a general design emailed to hundreds or thousands of people, hoping that a few execute, spear phishing is a hyper targeted attack.
Spear Phishing has a higher success rate than phishing because it is hyper targeted. They may talk about family members, a recent business trip, details of a financial transaction or some other targeted language that allows the recipient to trust the sender without thinking additional verification is required.
While spear phishing is a more lucrative social engineering attack, it’s also more costly. Cyber criminals have to find the information through research — that might be information found online, found from another successful attack, or even found from oversharing on social media. That’s why spear phishing is often saved for high profile targets like business and government leaders.
There was a recent attack in which cyber criminals claimed to have gained access to your computer and recorded their victims watching pornography from their webcam. What made this particularly successful was that they started the email with the recipients username and actual password to scare them into believing the sender was serious. This wide spread spear phishing campaign was possible by scraping usernames and passwords from a previous breach, which made it cheap to spear phish in the thousands — a particularly scare new risk. Learn more in this article Mass Spear Phishing: Cutting the Cost of Spear Phishing to Hyper Target Everyone.
3. Phone/Vishing
How easy is it for a social engineer to gain access to your information? I love this video showing how a hacker can hack you/your business using just a phone.
4. Spoofing
Spoofing is another highly targeted social engineering technique — it might refer to Caller ID, but most often it refers to email spoofing. Spoofing is a malicious act in which a cyber criminal communicates with their victim by impersonating a trusted source.
Spoofing is another way to increase trust with the victim, much like cyber criminals aim to do in spear phishing by making their email look like it’s coming from the trusted source. The spoofed email may request bank account information, sensitive documents, or a wire transfer. Wire fraud by spoofing is a fast growing trend — cyber criminals are attacking home buyers by impersonating a real estate agent, lender, or title insurance company, and asking them to route their wire transfer to the cyber criminals bank account.
5. Pretexting
Pretexting is a social engineering tactic in which attackers set up a pretext, or a fabricated story, to build a personal connection with the target and steal their personal information. Social Engineering an Executive, an Employee, and a Grandma details three pretexting scenarios targeting three very different targets.
Pretexting often preys on the elder that may not be as tech savvy or quick to recognize a potential scam. In one common scenario the criminal calls a grandparent stating that it’s their grandkids friends, and their grandkid is in the hospital. They tell them that the grandkid cannot talk on the phone, and ask that the grandmother/grandfather wire money to cover the necessary and urgent procedure.
This is a cold hearted social engineering attack, and we’ve had family, friends, and clients all targeted in this way in recent history. All of the stories in the linked article are true, personal stories that we’ve seen.
6. Tailgating and Piggybacking
Tailgating and piggybacking refer to an approach to gaining access into a secure building through someone else’s access. It’s quite common — sometime it’s malicious and sometimes it’s not. Think about the last time you walked into an office building and there was someone behind you — did you hold the door for them and let them in without scanning their badge? That’s tailgating.
This is social engineering at it’s best. Cyber criminals know that by nature most people want to hold the door for someone close behind, so it’s easy to access a secure building with just a smile and tailgating behind someone with access.
Think you won’t fall for that? What if it’s someone dressed in brown UPS gear carrying a heavy package…would you hold the door for them then? Most would.
7. Quid Pro Quo
Quid Pro Quo is a social engineering attack that offers something in exchange for something. An example might be have a pop up tell your unsuspecting grandfather that their computer has a virus, and for just $50 the IT person in the chat box can help. In another common quid pro quo attack someone might call their victim claiming they are from Microsoft IT, and ask them to check if somethings installed on the computer. When it is, the attacker provides them instructions to ‘remove it,’ when in reality they are stealing credentials or payment information.
How to Prevent Social Engineering in an SMB
There is one commonality in these social engineering attacks — people. Unfortunately there’s no sure fire technology that can prevent a human from answering the phone and being duped into sharing their password, or to stop them from opening a well disguised phishing email. The only way to reduce this risk of successful social engineering attacks is by raising awareness of employees and your management team.
In my experience, raising awareness has two high impact outcomes.
- Pre-attack prevention — Teaching employees best practices to prevent a successful social engineering attack. For example, things as simple as locking your computer when you walk away, adding a passcode to access your phone, and not writing passwords down on sticky notes around your desk. By teaching employees not to do those things they remove some of the low hanging fruit for attackers.
- Prevention at the point of attack — Teaching employees how to identify and respond to red flags and threats reduces the risk of successful social engineering attacks. If an employee doesn’t know that IT will never ask for a password, it’s more likely that they’ll provide it when an attacker calls to request their information. Raise awareness of these threats with employees ensures they understand company policies and don’t hand over their password. Similarly, letting them know that phishing is a real threat to the organization and how to identify a phishing email helps to minimize the risks.
Cyber criminals understand human behavior and how to manipulate them into performing in a way that suits the cyber criminals malicious intentions. Social engineers are experts in disguise and manipulation. Our goal is to make employees experts in identifying and mitigating social engineering attacks.
About Us
Wuvavi provides the world’s only cyber awareness platform developed for small and medium sized businesses. Wuvavi allows SMBs to deploy enterprise grade awareness training and simulated phishing campaigns to their employees, track progress, and receive completion certifications. Learn more and sign up for a free trial.
Originally published at wuvavi.com on September 5, 2018.
