5 Social Engineering Techniques your staff need to know about
We see it on the news all the time: an elderly couple falls for a phone scam, hands the fraudster their bank details and is robbed of their life savings. This may seem like an issue exclusive to vulnerable groups, and that is exactly what the fraudsters want you to think. The less aware the public is of this growing problem, the more likely the attacks are to succeed. In reality these 'social engineering' attacks target everyone, and they are more common than ever.
So, what is Social Engineering?
Social engineering describes attacks in which criminals exploit human behaviour rather than a technical flaw to achieve their goal, which is more often than not to steal your money or your identity. They may trick people into disclosing sensitive information such as passwords or bank details, or, in the hands of experienced fraudsters, simply persuade the victim to send the money or data to them directly.
A study by Symantec found that 97% of malware attacks relied on social engineering to exploit users, with a mere 3% attempting to exploit technical vulnerabilities.
So, while it is partly true that whether you can be compromised depends on the technology you use, the last and most important line of defence is the user: YOU.
To stop these criminals taking advantage of a gap in your knowledge, it is vital to stay informed.
Here are the most common social engineering techniques that you and your staff need to keep an eye out for.
CEO Fraud
CEO fraud is becoming increasingly common. Fraudsters impersonate someone in a position of authority, such as the CEO, to pressure employees into making fraudulent payments. The request usually arrives as an urgent email from a spoofed or lookalike address, or from a genuine executive mailbox that has already been compromised, and it often discourages the recipient from checking ("I'm in a meeting, don't call"). Finance departments are particularly targeted, although the technique is not exclusive to them. CEO fraud can be carried out via various mediums, but the most common is email. A simple rule defeats most of it: verify any unexpected payment request by phoning the requester on a number you already hold, never one given in the message itself.
According to Action Fraud, the average amount lost to CEO fraud is £35,000, with the largest single loss being £18.5m transferred from a Scottish branch of an international firm.
Vishing
Vishing (voice phishing) is scamming carried out over the phone, frequently using internet phone services (VoIP) because calls are cheap and the caller is hard to trace. Scammers will often spoof the Caller ID so the call appears to come from a known source, such as your bank. Most of us have heard a vishing story, and it usually makes the news because it has a tragic ending in which the victim has lost a lot of money. Remember that a genuine bank will not ask you to move money to a 'safe account' or read out your full password or PIN; if a call feels wrong, hang up and ring back on the number printed on your card.
Phishing
Phishing is the classic and most common technique, and one that most people have been affected by, knowingly or not. Phishing tends to be sent in bulk: the criminal emails a large number of people with a message designed to pique the victim's interest. This could be something as trivial as a shopping deal, or an email impersonating a household brand such as Amazon. In many cases there will be a link to a malicious site featuring a form that prompts victims to enter sensitive information such as a password or card details. In other cases scammers use fake threats, such as an imminent account suspension, to gain a victim's attention and rush them into acting. Hover over a link before clicking it: the address shown in the text is often not the address the link actually goes to.
A study by KnowBe4 found that emails with the subject 'Password Check Required Immediately' were the most clicked, with 43% of users falling for the trap.
Although phishing emails follow recognisable patterns, there is no exact template they all use. Phishing is a broad term, which is why it is important for users to have an all-round understanding of what it entails.
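The CEO fraud and phishing tells described above can be checked mechanically before a message reaches a busy finance inbox. The Python script below is an added example and is not part of the original article or any m3 Networks product; the organisation domain, the executive list and the three sample emails are constructed for illustration. It flags the CEO fraud signals (a known executive's name on an unrecognised address, a sending domain a character or two away from the company's own, a Reply-To pointing at a different mailbox) and the phishing signals (urgency wording in the subject, link text that shows one site while the href goes to another).

```python
"""Flag email-based social engineering indicators: CEO fraud and phishing.

Added illustration, not an m3 Networks tool. Organisation details and all
sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example.co.uk"                               # hypothetical organisation
EXECUTIVES = {"jane smith": "jane.smith@example.co.uk"}    # hypothetical known executive
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    """Hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _Links(HTMLParser):
    """Collect (visible text, href) pairs from every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyse(raw):
    """Return a list of (code, detail) findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    # CEO fraud: a known executive's name on an address we do not recognise
    known = EXECUTIVES.get(name.lower())
    if known and addr.lower() != known:
        findings.append(("display-name", f"'{name}' sent from {addr}, expected {known}"))
    # CEO fraud: a sending domain one or two characters away from ours
    if from_dom and from_dom != OUR_DOMAIN and _edit_distance(from_dom, OUR_DOMAIN) <= 2:
        findings.append(("lookalike-domain", f"{from_dom} resembles {OUR_DOMAIN}"))
    # CEO fraud: replies silently routed to a different mailbox
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and _domain(reply) != from_dom:
        findings.append(("reply-to-mismatch", f"Reply-To {reply} differs from From {addr}"))
    # Phishing: pressure to act now
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append(("urgency", f"subject: {msg.get('Subject')}"))
    # Phishing: link text that shows one site while the href goes to another
    if msg.get_content_type() == "text/html" and not msg.is_multipart():
        links = _Links()
        links.feed(msg.get_payload())
        for text, href in links.pairs:
            if re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+", text) and _host(text) != _host(href):
                findings.append(("link-mismatch", f"shows {_host(text)}, goes to {_host(href)}"))
    return findings


def codes(raw):
    """Sorted finding codes only, convenient for a quick verdict."""
    return sorted(code for code, _ in analyse(raw))


# Constructed sample messages (not real emails)
CEO_FRAUD = """From: Jane Smith <jane.smith@examp1e.co.uk>
Reply-To: ceo.urgent@gmail.com
Subject: Urgent payment
Content-Type: text/plain

Please transfer 35,000 GBP today. I am in a meeting, do not call.
"""
PHISHING = """From: Amazon <no-reply@amazon-verify.example.net>
Subject: Password Check Required Immediately
Content-Type: text/html

<html><body>Your account will be suspended.
<a href="http://198.51.100.7/login">https://www.amazon.co.uk/account</a></body></html>
"""
LEGITIMATE = """From: Jane Smith <jane.smith@example.co.uk>
Subject: Minutes
Content-Type: text/plain

Attached are the minutes from this morning.
"""
```

Running `analyse(CEO_FRAUD)` produces four findings and `analyse(PHISHING)` two, while the legitimate message produces none. An empty result does not mean a message is safe: the script only spots the tells this article describes, and a compromised genuine mailbox or a well-chosen domain will pass every check, which is why the out-of-band phone call remains the real control.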
Spear Phishing
Spear phishing is a form of phishing, but a far more precise one. It is highly targeted and uses personal information about the victim in its attacks. The attack is planned and carried out after extensive research into the victim and their business connections, which is why it reads far more convincingly than a bulk phishing email. Like other social engineering techniques, it is carried out with the goal of a secondary action, such as transferring money or disclosing information.
Whaling
Whaling, like spear phishing, is specific to its target. The difference is that whaling goes after the 'big fish': CEOs, directors and others in positions of power. Because of the seniority of the target, whaling emails use sophisticated language, often business jargon, and frequently pose as legal or financial matters, in order to sound more legitimate.
Worried about your Cyber Security?
Keeping up with the fast-paced world of cyber threats is almost impossible for most businesses. This is why at m3 Networks we provide a Cyber Security Risk Assessment service. This thorough check-up shows you the vulnerabilities you cannot see, but which cyber criminals can, and will use against you at some point.
To arrange a Cyber Security Risk Assessment for your business, simply contact us today.