For a while now, I’ve been meaning to write something about the remote social engineering threat that we all face and here I’ve attempted to explain what social engineering is, how to detect it and some preventative measure that you can take so that you or your company are not taken in.
Social engineering is where malicious people attempt to manipulate others into divulging information which they can then use to perform an attack. They will use technology so they can perform these social engineering attacks remotely such as by phone, email, social media, instant messaging and even from search engine results. Companies or individuals can become the target so everyone is a potential victim.
Remote social engineering can occur in many ways such as; a phone call, a pop up message on your PC, an email or SMS text message. Types of remote social engineering are, hoaxes, phishing and spam.
- Hoaxes are where an attacker will provide some false information in an attempt for you to trust it as legitimate and take a course of action usually resulting in paying for something you don’t require. The hoax will be something like your PC has a virus or you’ve won some money and you are usually expected to pay the hoaxer.
- Phishing is an attack based on misrepresentation where the attacker is pretending to be form a legitimate source in the hope of gaining sensitive or confidential information. Some examples are an email looking like it’s from your bank asking you to verify details or a phone call pretending to be from a company that you trust (including your own company) requesting you to divulge confidential information like a pin number.
- Spam is an attack where you get email, telephone or text messages that you did not request. Spam is usually associated with email or text messages that are sent out to a mass audience but cold-calling either using an automated dialling system or not is also spam. The purpose of spam varies widely but it can often lead to phishing or forms of malware. An example will be an email sent to you offering drugs or a telephone call from a company “in your area” offering you the chance to become a show home for their fitted windows and doors.
Social engineering on your computer
Scammers can try to lure you in with messages popping up on blogs or other sites that you might visit and search engine results can also show malicious websites. Hoax messages will either use human greed or intrigue to suck you in; flashing messages such as “You are our thousandth visitor, click here to claim your prize” or they will use scare tactics such as a pop up identifying a virus on your pc, “click here to run a full virus scan”. They usually can’t infect your computer if you don’t click on them as most (but not all) will require a user action to install.
There are some websites that will infect your computer just by visiting them and this is especially true if you do not keep your browser up-to-date (I always use the latest version and set it to automatically update) and you do not have adequate malware protection. You can get McAfee SiteAdvisor for free and that embeds into your search engine results showing which sites have been tested as good, bad, potentially bad and those that it has yet to check. If you have the live version (currently £14.99) you can have it setup to automatically prevent you from visiting phishing sites or others that have been identified as potentially bad.
Social engineering emails
Attackers will send emails purporting to be from your bank, tax-office or from a commercial organisation in the hope of obtaining your credit card or bank details. They can also be used in the hope that you will give out other personal details.
If you get an email that you suspect to be a hoax, spam or phishing attempt then report it to your anti-virus/anti-spam provider and if you know the spam reporting email address of that organisation, you might want to forward it on to them so they become aware of the attack (if they are not already).
Most anti-malware software integrates with your mail client (such as Outlook or Thunderbird) and allows you to indicate which items are junk/spam and report it automatically. However, don’t just rely on your software to protect you, check out “Stop the scammers: email rules to live by“.
Banks or any other reputable firm will not ask you to open an attachment or to click on a link. The only time they will send you a link is in circumstances where you have requested something (such as a newsletter) or taken an action on their website (such as a forgotten password function). If you accidently clicked on a link, close your browser immediately, check your device for malware before going to the company’s legitimate website (not the phishing website) to see if any action is needed.
Social engineering telephone calls
Attackers will try to get you to buy a service or something else and these might be from legitimate companies that have bad marketing practices (I include cold-calling as a bad marketing practice).
Another type of attack is aimed directly at companies and the caller will pretend to be from that company in order to obtain confidential information. This is known as spear phishing and employees should always be aware of these types of attacks and should never give any non-public information out over the phone. Directors are particularly vulnerable and sought after in spear phishing attacks as they tend to be the ones to skip company security training sessions. Unless you have an internal telephone system that shows the call in coming from another extension at your office then it’s best to suspect that everyone is out phishing. One tactic is to ask them their name and extension and tell them that you will get back to them, then check the internal telephone list for that person.
Other types of remote social engineering
Social media sites such as Facebook or Twitter or IM/SMS message attacks will all have one thing in common, they will all be out to get personal or confidential information from you. This might be done subtly by connecting with you on another topic first of all to try and gain your trust so I would suggest that the best thing to do is just not respond.
I know that’s not very social of me but I know who my friends are and our relationships have been built over many years. On Facebook I only accept friend requests from people I know (i.e. friends and family) and I only click on the links in posts from those people or the companies that I follow. Quite often links are shortened (particularly on Twitter) so you do not know where you will be redirected to. Clicking on a link in an amusing post might not turn out so funny when something bad happens to you or your computer.
On your mobile phone, you might receive a message with a fun sounding question/game to play (known as “bait-and-switch games”) and upon entering the information unwittingly subscribe to a dubious service that charges you a small fortune each month. It might seem boring but don’t take the bait. Take my advice and believe that nothing is truly free, there is always a catch and hopefully that catch is only that someone has shown you an advertisement and not emptied your bank account.
Tips to avoid remote social engineering
- Make sure you use the latest security patched software, browsers and your anti-malware suite is up-to-date.
- Use a secure search on your PC and don’t visit risky websites and be very careful with unchecked sites.
- Never open email attachments or click on links in emails unless you requested them (even if they look like they come from a friend or a professional organisation).
- Never believe the person who is calling is who they say they are – ask for their identity, get the official telephone number (not from them) of the organisation they are calling from and ring them back.
- Never buy anything from anyone who rings you up – regardless of whether you are actually interested in what they are selling. Do your own research and buy from who you want when you are ready.
- It’s better to be anti-social by ignoring friend requests, IM or SMS messages from people you don’t already know than becoming a victim. Check out other posts made on social media by that person before deciding to engage with them.
- Don’t blindly trust shortened links on social media from people you don’t know, they could be hiding a link to a malicious website.
- Remember, nothing is free – there is always a catch. The scammer would not be bringing it to your attention if there was nothing in it for them.