It’s long been acknowledged that human beings are the weakest link in any organisation’s cybersecurity. Education and training campaigns by employers, government agencies, and other professionals have raised awareness of social engineering tactics, and regularly remind users to be alert, but as with any form of cyber attack, the methods used by cyber criminals to lure their victims in are also evolving, using the latest technologies to fool people into giving up money, data, or access.
Social engineering scams manipulate people into revealing sensitive information to cyber criminals, or into giving them access to a system or network, for use in a cyber attack.
Social engineering scams are built on the way people think and act. They often use familiar technologies and combine them with emotions, to manipulate people into acting without thinking.
Social engineering tactics may also exploit people’s lack of knowledge about the value of their information, or the amount of information needed to provide a service.
One of the most prolific social engineering tactics is phishing (see below), but attackers are constantly updating their methods. Below is a list of some of the tactics on the rise in 2021.
Phishing is one of the most prolific social engineering tactics, accounting for up to 70% of all cyber attacks. It has been around a long time, and continues to be used simply because it is cheap to carry out, and still relatively successful, especially during the early days of the Covid-19 pandemic when people were concerned about money and confused about what was going on around them.
Phishing emails are emails sent by scammers who want to trick you into pressing a button, downloading a file, or clicking on a link that will enable them to download malware onto your device. The emails will often use official branding and wording to confuse victims, and often play on their emotions with lines such as “don’t miss out”, “act now”, and more.
What can you do about phishing emails?
While phishing emails are getting more sophisticated, there are still often many tell-tale signs that the email is a scam.
When you receive a suspicious-looking email, look for poor spelling or grammar, content errors that don’t quite add up, excessive requests for information, nonsensical sender email addresses made up of a string of numbers and letters, hidden domain names, and shortened links.
In addition, never share sensitive information over email to someone you don’t know.
Smishing can be defined as phishing via SMS or text message. These scam messages are designed to entice users into giving up personal information, or downloading a piece of malicious software to their phone via a link or document sent in the message.
While smishing has been around for a while, smishing social engineering tactics are growing as people become accustomed to doing more and more actions on their phone, including using text messages for security verification purposes. In addition, people are just not as aware of smishing social engineering tactics as they are of phishing, so the returns are greater for scammers.
Smishing is also evolving to messaging apps such as WhatsApp. A smishing attack earlier this year spread a worm to Android phones through a link to a fake app sent from user to user in spam text messages.
What can you do about smishing attacks?
Number one is slow down. People are often quick to tap on links in text messages before they have read the message or thought about what they are doing. Slow down, think about the contents of the message, and try to verify the sender.
Some smishing attacks lead to an app, often outside an official app store. Never download an app from anywhere other than an official app store, which will have some security protection.
QR codes are increasingly being used by businesses for any number of purposes including payments, account authentication, and more. The Covid-19 pandemic also increased the use of QR codes as businesses looked for touchless technologies; for example, in place of paper menus in restaurants, diners can scan a QR code and download the menu to their smartphone.
As a result, malicious QR codes have become social engineering tactics as scammers send QR codes within phishing emails and smishing texts in place of links to redirect users to their malicious downloads or sites. Malicious QR codes are also used in clickjacking schemes, where QR codes are placed in public places offering more information for visitors, but in reality the QR code leads to a malicious site.
Avoid getting caught out by a malicious QR code:
As with phishing or smishing, don’t scan a QR code within an email if you don’t know and trust the sender. If you see a physical QR code sticker, check that it is the original QR code, and not a sticker that has been stuck on top. Use a QR scanner that checks or displays the link before it follows it.
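The tell-tale signs listed for phishing emails above (random-looking sender addresses, hidden domain names, shortened links, pressure wording) and the advice to use a QR scanner that shows the link before following it can both be expressed as a simple check. The following is an added example in Python, not code from the original article. The sample email, the decoded QR payload string, the trusted brand domain acme-bank.example and the shortener list are all constructed for the example, and the domain logic is deliberately crude (last two labels, no public-suffix list).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing email for this example; not a real message.
SAMPLE_EMAIL = """\
From: "Acme Bank Security" <x7q9k2@mail-acme-secure.example>
Reply-To: collect@another-domain.example
To: victim@example.org
Subject: Act now - your account will be suspended
Content-Type: text/html

<html><body>
<p>Dont miss out! Verify your acount within 24 hours.</p>
<p><a href="http://bit.ly/3abcXYZ">https://www.acme-bank.example/login</a></p>
<p><a href="http://acme-bank.example.evil-host.example/verify">Verify now</a></p>
</body></html>
"""

# Constructed string, as a QR scanner would decode it from a sticker; not a real code.
SAMPLE_QR_PAYLOAD = "https://tinyurl.com/menu-pdf"

# Assumptions for the example: the brand the mail claims to come from, common shorteners,
# and the kind of "act now" wording the article warns about.
TRUSTED_DOMAINS = {"acme-bank.example"}
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
PRESSURE_PHRASES = ("act now", "don't miss out", "dont miss out", "suspended", "within 24 hours")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain; enough for the constructed samples (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_url(url, visible_text=None):
    """Return the warning signs for one link: shortener, lookalike/hidden domain, text-vs-href mismatch."""
    findings = []
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in SHORTENER_DOMAINS:
        findings.append("shortened link hides the real destination")
    for trusted in TRUSTED_DOMAINS:
        # The brand name appears in the host, but the part that actually resolves is someone else's.
        if trusted in host and domain != trusted:
            findings.append(f"domain looks like {trusted} but is really {domain}")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("internationalised domain name; check for lookalike characters")
    if visible_text:
        shown_host = urlparse(visible_text.strip()).hostname
        if shown_host and registrable_domain(shown_host) != domain:
            findings.append("visible link text points to a different site than the href")
    return findings


def assess_email(raw):
    """Run the sender, pressure-language and link checks over one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    local, _, host = addr.partition("@")
    # A sender local part that is just a run of letters and digits (heuristic: 6+ chars, 2+ digits).
    if re.fullmatch(r"[a-z0-9]{6,}", local) and len(re.findall(r"\d", local)) >= 2:
        findings.append(f"sender address looks like a random string: {local}")
    sender_domain = registrable_domain(host)
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(f'display name "{display}" but sender domain is {sender_domain}')
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable_domain(reply.partition("@")[2]) != sender_domain:
        findings.append("Reply-To goes to a different domain than From")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, visible in extractor.links:
        findings.extend(f"link {href}: {f}" for f in assess_url(href, visible))
    return findings


def assess_qr_payload(payload):
    """What a cautious QR scanner should show before following a code: the URL and its warning signs."""
    parsed = urlparse(payload)
    if parsed.scheme not in ("http", "https"):
        return [f"QR code carries a non-web payload ({parsed.scheme or 'no scheme'})"]
    return assess_url(payload)


if __name__ == "__main__":
    for line in assess_email(SAMPLE_EMAIL) + assess_qr_payload(SAMPLE_QR_PAYLOAD):
        print("-", line)
```

Each finding is a reason to stop and verify with the sender through another channel; the checks are deliberately loud rather than precise, so a legitimate newsletter using a link shortener will also trip one, which is the right trade-off for something a user or mail filter runs before clicking.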
Deepfake videos are faked videos or audio recordings that look and sound totally genuine. The name deepfake comes from the use of deep learning artificial intelligence to create videos that are so realistic most viewers will never notice that it is a fake. One of the most famous examples of a deepfake video is a public service announcement by Barack Obama.
Deepfake videos are being used in social engineering scams whereby a ‘trusted figure’ is used to trick people into providing or transferring money to malicious actors, including most famously a deepfake audio clip that convinced a company CEO to transfer money to his parent organisation.
What can you do about malicious deepfake videos?
Cybersecurity training and knowledge are among the best ways to combat deepfake videos.
Knowledge of good cybersecurity practices will help you ask the relevant questions to assess the situation. For example: Does what you are hearing and seeing make sense? Is it the usual way things work, or does it look unusual? Can you verify the instructions with another source before following them?
Another oldie but a goodie, browser push notifications or popups asking for approval before performing an action have been around for a long, long time.
However, they are still being used as social engineering tactics by scammers because they are effective when people skip reading the notification and simply click yes to get to their destination. Once the user clicks the approve button, the notification will divert them to the scammer’s malicious site, spam them with phishing emails, or download malware through the link.
What can you do about browser push notifications?
This is one form of social engineering that can be avoided through a technical solution. Effective, up-to-date network security, including an antivirus package and browser protection, should be able to block many of the push notifications in the first place, or block the malicious site or download if a user does click yes.
In addition, training to remind users to slow down and check what the push notification is asking for will also reduce the success of these scams.
A new form of social engineering uncovered by Google is targeting the security research community, potentially with the aim of getting insights from the actual people working on vulnerability research and development at different companies. This targeted form of social engineering uses a fake research blog claiming to have successfully identified several exploits, and multiple Twitter profiles to attract their target audience.
After establishing initial communications they then ask the researcher to collaborate on vulnerability research. If the researcher agrees, the attackers send malware through a Visual Studio Project and accompanying DLL.
The research blog itself also contains malicious links within articles.
This targeted form of social engineering is new, but could be used against any group of professionals in future.
Avoid getting caught out in a user forum
The case study from Google demonstrates that even people in the field can be caught out. However once again training and knowledge are your friend.
Never provide professional or company information in an open forum. If you do decide to collaborate with another person, verify their identity before accepting any downloads from them or sending them any personal or corporate information. In the Google example above, the suspects are from North Korea, so a simple phone call could help verify their authenticity.
Wherever there are humans with money, information, or access to provide, there are social engineering tactics. The enduring nature of phishing emails, and the evolution of social engineering using new technologies demonstrates just how profitable these scams are for the scammers.
While technological solutions can be used to mitigate some of these methods, at the end of the day, the greatest tool against social engineering is training and education. Supporting people to recognise the signs and avoid falling into the traps is the best way to prevent the exposure of networks and organisations to scammers.
Stay safe.