October 8, 2015
Social Engineering - The Gathering Storm
The growing threat
Social Engineering attacks aimed at companies are on the rise. The threat itself is not new, but hackers and thieves are getting more creative, with more complex and dangerous ploys. Today, over 55% of all attacks by hackers, hacktivists and nation states are reported to be Social Engineering based.
In a recent study conducted by social-engineer.org, 90% of the people polled would provide not just the spelling of their names but also their email addresses without confirming the other person's identity. A whopping 67% of the people polled would give out social security numbers, birth dates or employee numbers. Those are some very scary statistics!
Social Engineering is a psychological attempt to get people to do something, or to divulge private or confidential information about themselves, their place of employment, or anything else that should remain confidential. The purpose is to gather information in order to commit fraud, gain system access or carry out other nefarious acts. In its broadest sense, it is any act that influences or persuades a person to take an action that is not in their best interest.
According to Newsfactor Magazine, featuring Anthony DiBello, Director of Security at Guidance Software, “The social engineering methods that hackers use for targeting organizations are becoming far more complex. There's also more money funding those who commit cybercrimes – whether they are government backed or on the payroll of organized crime gangs. These are large groups working together to create sophisticated, targeted attacks attempting to bring down the enterprise.”
What to look out for
A large percentage of Social Engineering attacks start with emails (Phishing). At first glance the emails look genuine, carrying a Bank's or Financial institution's logo, or they may spoof the email address of a friend, colleague or business contact (email spoofing is the creation of email messages with a forged sender address). With closer scrutiny, many of these scams can be detected simply by understanding that Banks and Financial institutions will never ask for personal information by email. If you are concerned, call your Bank or Financial institution to find out whether the email is legitimate. You can also hover your mouse over embedded links (without clicking) to see where the link actually leads; the visible link text and the real destination are often different, and the destination is usually a bogus look-alike site. Be especially wary of shortened links, which hide the real destination entirely.
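The two tells described above, a forged or mismatched sender and a link whose visible text points somewhere other than its real target, can be checked mechanically. The script below is an added example (not from the original article or from Wiss) that parses one raw email and reports those indicators. The message, the hosts `examplebank.com`, `examplebank-secure-login.com` and `account-verify.example.net`, and the "registrable domain" shortcut are all constructed for the demo.

```python
# Added example, not part of the original article: heuristic phishing checks
# on a single raw email. Sample message and every hostname in it are made up.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: From claims examplebank.com, Reply-To and Return-Path
# point elsewhere, and the first link's text says examplebank.com while the
# href goes to a look-alike host under example.net.
SAMPLE_EMAIL = b"""\
From: "ExampleBank Security" <alerts@examplebank.com>
Reply-To: verify@examplebank-secure-login.com
Return-Path: <bounce@mail-relay.example.net>
To: customer@example.org
Subject: Urgent: confirm your account details
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm your account by visiting
<a href="http://examplebank.com.account-verify.example.net/login">
https://www.examplebank.com/secure</a> within 24 hours.</p>
<p>Questions? <a href="https://www.examplebank.com/help">Help center</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain (last two labels). Assumption for the demo;
    a real tool would consult the Public Suffix List (e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Hostname from a URL or URL-looking anchor text, None if the text is
    plain words like 'Help center'."""
    candidate = text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", candidate, re.I):
        if not re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", candidate, re.I):
            return None
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Sender check: Reply-To / Return-Path domains that differ from From.
    from_dom = registered_domain(parseaddr(str(msg["From"]))[1].split("@")[-1])
    for hdr in ("Reply-To", "Return-Path"):
        value = msg.get(hdr)
        if value:
            dom = registered_domain(parseaddr(str(value))[1].split("@")[-1])
            if dom != from_dom:
                findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # Link check: anchor text naming one host while href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname
            text_host = host_of(text)
            if href_host and text_host and registered_domain(href_host) != registered_domain(text_host):
                findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

Run against the sample it reports three findings: the Reply-To and Return-Path domains, and the look-alike link. The "Help center" link is not flagged because its text names no host. These are heuristics only; a production filter would also check the SPF, DKIM and DMARC results recorded in the Authentication-Results header rather than trusting the From line at all.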
No email that asks you to wire money or to provide your wiring details should be acted on, whatever the apparent source. If the email appears to come from someone you do business with, someone you know personally, or your bank or financial institution, verify it by calling them on a number you already have. If you don't recognize the source, delete the email; if the request was legitimate, they will call, and you can then establish who is making the request and why. Finally, make sure your company has a solid, well-communicated policy and approval process for all wire transfers, covering validation, documentation, sourcing, vetting and final executive sign-off. No step of that process should be handled by email, because email is exactly the channel the attacker controls.
New techniques are constantly appearing, but two you should especially be aware of are "pretexting," where the attacker invents a plausible story (posing as IT support, a vendor or an executive, for example) to get you to hand over information or take an action, and "vishing," an attempt to gain information through phony phone calls. The same ploys increasingly arrive by text message as well.
- Validate and thoroughly vet any request for information or to wire money
- Make sure your company has a solid money wiring policy and process in place
- Educate your employees on the company's policies and the dangers these attacks present – Security Education!
- Remember, if your bank or financial institution needs information from you, they will call you, and you should make sure it's really them. How?
- They will know your address and be able to give you the last 4 digits of your social security number, the last 4 digits of your account number, or possibly your last 1 or 2 transactions. Treat this as a weak check only: these details circulate in data-breach dumps, so a caller who knows them is not necessarily your bank.
- If you are still not sure of their authenticity, hang up and call them back on a phone number from one of your statements, the back of your credit card, or a number you already know is their business number. Never use a number the caller gives you.
Companies should hire outside security experts to test their System Security. They can perform penetration testing to see how well your networks and servers stand up to threats, and test your employees' security savviness with Ethical Social Engineering attacks. Knowing your company's weaknesses will help you mitigate future threats. Wiss Security Advisory Services can help your firm with your company's security and threat preparedness. Are you prepared?
Bob Risk is Director of Technical Advisory Services at Wiss & Company. Reach him at firstname.lastname@example.org or 973.994.9400.