The various types of cyber attacks. Social Engineering and various phishing techniques
The following article is the second of a series of articles on cyber attacks and the first of a series of three articles on social engineering techniques, and focuses on phishing scams.
How many times have we heard of hacks resulting from social engineering techniques?
Sadly, far too many. Social engineering has in fact become one of the most widely used techniques for persuading users to share personal and sensitive information, click on malicious links and download malware onto their devices.
The practice of manipulating someone into divulging sensitive information, or into trusting someone enough to lose money to a variety of scams, has been around for years, but the techniques have grown in sophistication and adapted to the internet age. Sixty years ago you could have been targeted in person or over the phone by a scammer; nowadays you are more likely to fall victim to a scam by email or via the web.
Social engineering is used mostly because it is easier to exploit a person than to gain access to their device, passwords and other information by other means. That is why it is so important to be able to recognise social engineering attempts, in order to protect both ourselves and the organisations we work for.
Let’s have a look at the most used techniques, how you can spot them and how to protect yourself:
- Phishing
Probably the best known and most widely used social engineering technique, phishing is the term used for the attempt to obtain information by email.
Phishing emails usually aim to obtain data such as credentials or financial details. Clicking on a link in an email will take the victim to a website where they will be asked to enter confidential details which are then harvested by the cybercriminal to be used to gain access to online accounts or to be sold.
Opening an attachment in a phishing email may lead the victim to download malware that could have serious consequences for them or their business.
Phishing attacks are often performed in a “random” way, meaning that the phishing emails will be sent to a large number of email addresses and are not targeted at particular individuals. They are characterised by the type of messages, often including an imperative such as “to continue to use your account please login here…” or involving fantastic, not to be missed deals on goods or services. They are often well crafted using logos and branding from well-known banks, government agencies or online retailers fooling the unwary into believing that they are genuine. Whatever the message, they are designed to scare the victim into action or exploit that worst of human characteristics – our inquisitiveness.
There are many types of phishing scams which can be more sophisticated and targeted at individuals or specific organisations such as:
- Spear Phishing
As with phishing attempts, a spear phishing attack will appear to be from a trustworthy individual or organisation but in this case it will target a specific victim or organisation, and the email will be modified to look like it was meant for the recipient.
Spear phishing emails usually appear to come from an entity the victim is familiar with and will contain personal information, such as the target's name, so that they look more legitimate. Attackers using spear phishing emails often research their victims to increase their chances of success. For this reason it is always advisable to share as little as possible on public websites and social media, as they are the first source of information for attackers.
How can you protect your business?
Whenever someone emails you asking you to take urgent action or to share sensitive information, it is worth taking a moment to double-check the provenance of the email. Calling the person or organisation is a good way to check the email is genuine.
In addition, you should NEVER share passwords or sensitive personal data, and if you must do so, NEVER via email. Always do that on the phone, if you have initiated the call, or in person.
When you receive an email containing a link, it is advisable not to click on it, even if you are sure about the sender. Go to the website directly from your browser and take the requested action from there.
- Whaling
Whaling can be defined as a spear phishing technique that targets only powerful and high-profile individuals in order to steal sensitive information. As with other phishing scams, whaling scams usually involve a legitimate-looking web page and an email. They will be designed to make the victim think they have been sent by someone the victim usually talks to, and will look critical and urgent.
A whaling email may carry a link to a website the victim is used to visiting and request login details. Once the victim clicks on the link, they will be redirected to the apparently familiar login page for the website. But beware: the web page may well be a fake lookalike, specifically designed to make the user reveal their credentials.
So what happens next?
The user tries to enter the logins for the website but the first attempt fails, so they try again and then it works. Can you tell what just happened?
The scammer had created a fake web page to steal information. Once the details have been entered, the page gives a “failed login” message, making the user think they entered the wrong password – it happens, doesn’t it? When the user reloads to enter the login again, the fake page redirects to the original legitimate one, so the user won’t suspect anything and the scammer walks away with the login details and access to the user’s account.
How can you protect your business from whaling scams?
The first layer of protection comes from awareness: be aware that anyone could be a target and know what to look out for. Always check the URL of links sent by email, and if you are unsure about their legitimacy, go to the website from your browser without clicking on the link in the email; this way you know you are on the real, safe website.
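The URL check recommended above can be automated for mail arriving at an organisation. The following is an added example, not code from the original article: it extracts every link from an HTML email body and flags the tell-tale signs of a lookalike login page (visible text naming one site while the link goes to another, a bare IP address instead of a domain, a punycode host, or a host that is not on an assumed allowlist of the organisation's own domains). The email body and the `KNOWN_GOOD_HOSTS` allowlist are constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML email body (not from the article) with three links:
# a lookalike domain, a bare IP hidden behind a genuine-looking display text,
# and one legitimate link to the organisation's real site.
SAMPLE_EMAIL_HTML = """
<p>To continue to use your account please
<a href="http://examplebank-login.example.net/secure">login here</a>.</p>
<p>Or verify at <a href="https://198.51.100.7/verify">https://www.examplebank.example.com</a></p>
<p>Help centre: <a href="https://www.examplebank.example.com/help">help</a></p>
"""

# Hosts this organisation legitimately links to (assumed allowlist for the example).
KNOWN_GOOD_HOSTS = {"examplebank.example.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_known_good(host, known_good):
    return any(host == g or host.endswith("." + g) for g in known_good)


def check_link(href, text, known_good=KNOWN_GOOD_HOSTS):
    """Return the reasons a link deserves suspicion; an empty list means none found."""
    reasons = []
    host = _host(href)
    if not host:
        return ["href has no host"]
    # Visible text that itself looks like a URL but names a different host.
    if text.lower().startswith(("http://", "https://", "www.")):
        shown = _host(text if "://" in text else "http://" + text)
        if shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
    if _is_ip_literal(host):
        reasons.append("link uses a bare IP address instead of a domain name")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("link host is punycode (internationalised lookalike)")
    if not _is_known_good(host, known_good):
        reasons.append(f"host {host} is not on the known-good list")
    return reasons


def suspicious_links(html, known_good=KNOWN_GOOD_HOSTS):
    """Return [(href, reasons)] for every link in the body that raised at least one reason."""
    return [(href, check_link(href, text, known_good))
            for href, text in extract_links(html)
            if check_link(href, text, known_good)]


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the sample body the first two links are reported (the lookalike domain, and the IP-address link whose visible text names the real site) while the genuine help link passes. The allowlist is deliberately strict: a subdomain of a known-good host passes, but a domain that merely contains the brand name does not.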
- Vishing
Vishing, also known as voice phishing, is a social engineering technique used to scam someone over the telephone.
As with every other phishing technique, vishing aims to steal sensitive information and passwords. The fraudster will call claiming to be from an insurance company, bank, telephone company, gas company etc. They will tell you there is an issue with your account and ask you for some personal information in order to “fix it”, hoping the victim reveals their personal ID, passwords etc.
This is how they gain access to your bank or other accounts to steal money, shop online or begin identity fraud.
How can you protect yourself from vishing scams?
First of all, you should NEVER give out personal details such as login details and passwords over the telephone; your bank or utility companies will never ask you for your password or login ID.
Your online banking PIN is yours and no one else should have access to it. A bank will never need it, so if someone calls claiming to be your bank and asks for it, you should hang up and block the number. No company will ever need the login details for your online accounts; if you receive a call asking for them it is a scam.
- Smishing
Smishing, or SMS phishing, is a technique similar to phishing but applied via SMS messages.
As with other phishing scams, the main goal is to access personal information or steal money. The SMS message will usually give you the chance to “win a prize”, or ask you to click on a link to log in to one of your online accounts.
How can you protect yourself and spot a smishing scam?
SMS scams will usually ask you specific questions to gather as much personal information as possible, or ask you to take an action such as clicking on a link or phoning a premium rate number.
As mentioned before in this article, the golden rule is never to give away personal credentials and to avoid clicking on links; open your browser and search for the website yourself. The link could either redirect you to a fake scam page or download malware to your device.
If the SMS asks you to call a number, check the number first; it could be a fake number set up to steal money from you.
- CEO/BEC fraud
Not to be confused with whaling, where the target is the CEO, Chief Executive Officer fraud, also called Business Email Compromise (BEC), is a phishing scam usually targeting more junior people in organisations. The email will appear to have come from a senior manager or director and will contain an imperative, usually requesting that money be transferred into an account immediately. This type of fraud is not always financial in nature; sometimes the scammer will request that the recipient provide passwords, login details or account information.
The cyber criminals may already have delivered malware that enables them to access the organisation’s email infrastructure. This may allow them to send emails from the senior manager’s actual mailbox; if not, the sender’s email address will be spoofed to appear genuine.
In serious attacks of this kind the cyber criminals may mimic the sender’s writing style to add authenticity, and the emails are often received when the “sender” is away from the office, to make verification more difficult.
In the most targeted cases, the email may be followed up with a phone call from the criminal pretending to be the bona fide recipient of the funds, in an attempt to further legitimise the scam.
How can you protect your company?
The key is to recognise that CEO scams are a reality and that any organisation can be a target; recognising this allows reasonable policies and practices to be implemented.
Unexpected requests to transfer funds or for confidential information should require confirmation by more than one member of staff and, ideally, only following confirmation from the “sender” that the request is legitimate. As with all social engineering attacks, staff awareness training will help identify potential scams.
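The spoofed or lookalike sender address described above leaves traces in the message headers that a mail gateway or a SOC triage script can check before a human ever sees the request. The following is an added example, not code from the original article: it parses a raw message and reports a protected display name (here the assumed `PROTECTED_NAMES` set) used with an address outside the organisation's assumed `ORG_DOMAIN`, a Reply-To that diverts replies to a different domain, and SPF/DKIM/DMARC failures recorded in the receiving server's Authentication-Results header. Both messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# The organisation's own mail domain and the display names most worth
# protecting from impersonation (both assumed for this example).
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"alice ceo"}

# Constructed message of the kind the article describes: a senior manager's
# display name on an external lookalike domain, replies diverted elsewhere,
# and authentication failures recorded by the receiving mail server.
SUSPICIOUS_MESSAGE = """\
From: "Alice CEO" <alice.ceo@example-com.net>
Reply-To: "Alice CEO" <payments@mail-relay.example.net>
To: bob@example.com
Subject: Urgent wire transfer - please action today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-com.net; dkim=none; dmarc=fail header.from=example-com.net
Message-ID: <constructed-1@example-com.net>

Bob, I'm travelling and cannot take calls. Please transfer the funds today.
"""

# Constructed legitimate message from the real internal address.
LEGITIMATE_MESSAGE = """\
From: "Alice CEO" <alice.ceo@example.com>
To: bob@example.com
Subject: Board papers
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Message-ID: <constructed-2@example.com>

Bob, the board papers are attached for review.
"""


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_sender(raw_message, org_domain=ORG_DOMAIN, protected=PROTECTED_NAMES):
    """Return a list of header-level findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. A protected display name used with an address outside the organisation.
    if from_name.strip().lower() in protected and from_domain != org_domain:
        findings.append(f"display name '{from_name}' on external domain {from_domain}")

    # 2. Reply-To diverting replies to a domain other than the visible sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(
            f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}"
        )

    # 3. SPF/DKIM/DMARC verdicts written by our own receiving server.
    auth = msg.get("Authentication-Results", "").lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        for verdict in ("fail", "softfail", "permerror"):
            if f"{mechanism}={verdict}" in auth:
                findings.append(f"{mechanism} verdict: {verdict}")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, assess_sender(raw) or ["no findings"])
```

The Authentication-Results header is only meaningful when it was added by your own receiving server, which should strip any copy that arrives from outside; header checks like these support, rather than replace, the out-of-band confirmation with the “sender” that the article recommends, because an attacker who controls the real mailbox will pass every one of them.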