The Art of Social Engineering: What Small Businesses Can Learn To Stay Safe

You receive an email from the boss telling you to transfer a large sum of money. Before you hit “send” on that transfer, you had better do a double take before your company falls victim to the latest cybercriminal scam: social engineering. In 2015, the largest CEO fraud scheme in years cost Ubiquiti Networks, Inc. a whopping $46 million — all wired to overseas accounts — of which they have only recouped $8 million.

The story unfolded as follows: the finance department received a fraudulent email that appeared to be from the boss requesting a wire transfer of money to the company’s Hong Kong office. If scrutinized, the original message would likely reveal a domain similar but not identical to that of the boss’s address, appearing authentic to a reader who was used to making such transactions.
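The lookalike-domain check described above, as an added example that is not from the original article or from any company named on it: a small Python screen that extracts the sender's domain from a From: header, folds common look-alike character substitutions, and flags domains that are close to, but not identical with, the company's own. The trusted domain and the sample headers are constructed for illustration.

```python
"""Flag sender domains that resemble, but do not match, a trusted domain.

Constructed example (not from the original article). The trusted domain
and the sample From: headers below are made up for illustration.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the company's real mail domain

# Common visual substitutions seen in lookalike domains, folded before comparing.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def fold(domain: str) -> str:
    """Lowercase and collapse homoglyph pairs so 'exarnple' compares equal to 'example'."""
    d = domain.lower().strip(".")
    for src, dst in HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, good enough for short domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header value.

    A lookalike is a domain that is not trusted but, after homoglyph folding,
    sits within max_dist edits of a trusted domain, or that uses a trusted
    domain as a leading label (e.g. example-corp.com.evil.test).
    """
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in trusted:
        return "trusted"
    folded = fold(domain)
    for t in trusted:
        if folded == fold(t) or edit_distance(folded, fold(t)) <= max_dist:
            return "lookalike"
        if domain.startswith(t + "."):  # trusted name reused as a subdomain
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, two CEO-fraud-style lookalikes.
    for hdr in ['"CEO" <ceo@example-corp.com>',
                '"CEO" <ceo@exarnple-corp.com>',
                '"CEO" <ceo@example-corp.co>']:
        print(f"{hdr:40} -> {classify_sender(hdr)}")
```

A mail gateway rule or a finance-team mailbox filter can use the same logic to tag anything classified as "lookalike" for a second look before a wire transfer is acted on.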

While we commonly think of computer fraud schemes in terms of malicious code that takes advantage of network systems and computers, social engineering attackers infiltrate by exploiting the human element inherent in those same systems and computers.

According to Kaspersky, “social engineering is a form of techniques employed by cybercriminals designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware or opening links to infected sites.”

The following are some of the most common types of social engineering attacks in use today.

“Phishing Emails”

“Phishing emails” are the classic type of social engineering that takes place between the attacker and the victim. In these cases, the opener trusts the email’s source and, by opening it, introduces malicious code onto their computer or server. “Shoulder surfing” is another simple approach that does not involve communication between the attacker and the victim. In this approach, the hacker gathers usernames and passwords simply by looking over the shoulder of the victim, often while they are using the Wi-Fi at their local Starbucks or some other public venue where users are likely to log on to work accounts.

“Sniffing, Snooping and a Honeypot”

Another way that hackers take advantage of free Wi-Fi service is “sniffing and snooping.” If a Wi-Fi adaptor is set to “monitor” rather than “managed” mode, it can intercept the data being transmitted across the network. Hackers can easily create rogue Wi-Fi hotspots to capture your unencrypted data and redirect it to a fake website, similar to the way phishing emails attack work accounts. Some information technology (IT) administrators call this scenario a “honeypot” because it attracts unsuspecting victims with the offer of free wireless service, exposing their data to hackers. A safer practice is to visit only websites whose address begins with HTTPS when connected to an unfamiliar or public wireless network. These websites encrypt the data in transit, so a cybercriminal who captures the packets cannot read them.

“Watering Hole”

The term “watering hole” describes a state-sponsored attack via a public website that attracts specific individuals. Upon visiting, these individuals’ computers are injected with malicious code. This targeted attack happens quickly, opening the door to zero-day exploits against which the victim cannot defend or easily recover.

“Whaling Attacks”

A “whaling attack,” as its name implies, targets the bigger fish among private enterprises and government agencies. Similar to phishing, a malicious email appears to be a legitimate critical business request, but instead attempts to steal confidential information such as personal data and network credentials.

“Baiting”

“Baiting,” similar to phishing, involves an enticement in exchange for personal data or login information. For example, an email might offer a download of exclusive tickets or a report to your computer, but instead delivers malware or other malicious code.

“Quid Pro Quo”

“Quid pro quo” involves an external request for information, seemingly from a trusted source, that compromises your network or computer. This may originate from someone mimicking your company’s IT services professional or an outside help desk who requests your password to fix a fake problem with the network.

“Tailgating” or “Piggybacking”

“Tailgating” or “piggybacking,” as the name implies, is the act of physically following an employee into a restricted area to gain access to a network or servers. Another form of piggybacking is borrowing someone’s laptop with the intent of installing malicious software.

While you might think you can’t be fooled, a recent survey found that 60 percent of business leaders had fallen for social engineering tactics like the ones described above. The only way to avoid one of these schemes is to be aware of them, educate your staff and scrutinize emails for signs of a possible social engineering attack.

What measures can a small- to medium-sized business take to understand its vulnerabilities and protect mission-critical data? Smart businesses employ comprehensive vulnerability assessments performed by cybersecurity experts. If you are interested in taking these first steps toward securing your business, Valeo Networks will set you on the right path with a free network scan. Contact us today to schedule your complimentary assessment.

Sources:

https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/

https://www.webroot.com/us/en/resources/tips-articles/what-is-social-engineering

https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering

https://resources.infosecinstitute.com/common-social-engineering-attacks/#gref

https://www.datto.com/uk/blog/5-types-of-social-engineering-attacks

https://www.agari.com/social-engineering/

https://www.androidauthority.com/capture-data-open-wi-fi-726356/
