
How to protect against social engineering attacks

What is Social Engineering?

Social engineering attacks are cyberattacks that use psychological manipulation to trick employees into sharing sensitive data or taking an action that benefits the attacker. These attacks take time, because extensive research into the victim has to be carried out first. They rely on human interaction rather than a technical flaw and can be conducted via email, phone call, SMS, instant messaging or in-person communication.

Social Engineering Strategy

The first step of a social engineering attack is investigation. For the attack to succeed, the cybercriminal needs to understand the employee and their business: who they report to, which suppliers they deal with, what systems they use. This step is known as open-source intelligence (OSINT) gathering, because the data comes from publicly available sources such as social media profiles, company websites, press releases and job adverts.

Once the cybercriminal has researched their target, the step known as the hook begins. This is where the attacker engages with the target and starts to build trust. One method of developing trust is reciprocity: the attacker gives the target some information or does a favour for them, knowing that the victim will then be more likely to reciprocate and share sensitive information.

Now the attacker has their foot in the door. The next step is the attack itself. This could be a phishing email, a malware download, a fraudulent payment request and so on. Depending on how effective the investigation and hook were, the target may not even realise they are under attack.

The final stage is to exit. The attacker will cover their tracks by removing any traces of malware. They will also end their relationship with the victim.

Examples

To illustrate the potential fallout from a social engineering attack, and some of the common forms it takes, here are three examples.

DoL Brand Impersonation

At the end of 2021, INKY detected several phishing emails impersonating the United States Department of Labor (DoL). The emails invited recipients to submit a bid for a government project. To bid, they had to open a PDF and click the 'BID' button, which took them to a malicious website built with the same HTML and CSS as the real DoL website. There they were prompted to log in with their Microsoft 365 credentials, and on submission the attacker captured those credentials without the victim realising. The tell, in hindsight, was the request itself: a genuine government bid portal has no reason to ask for a company's Microsoft 365 login.

Source: INKY

AI-Based Vishing Targeting UK Energy Firm

The CEO of a UK-based energy firm was phoned by someone he believed to be the chief executive of the firm's German parent company, asking for an urgent transfer of €220,000 to a Hungarian supplier. The call did not raise suspicion, because the caller had the same accent and intonation as his German boss. It did not come from him, however: the voice is believed to have been generated by AI-based voice-synthesis software.

Business Email Compromise Costing Facebook and Google $100 Million

A Lithuanian man carried out one of the largest social engineering frauds on record. He set up a fraudulent company posing as a computer manufacturer that worked with Google and Facebook, then targeted specific individuals within those two companies, sending them invoices for goods and services that the real manufacturer had actually supplied.

Over two years he fraudulently obtained more than $100 million from Facebook and Google, and he was only caught around two years after the scheme ended.

How to Protect Yourself

Phishing emails remain one of the most common forms of cyberattack. Businesses should implement layered email security that checks where a message really came from, not just what its display name claims, and that inspects links and attachments before they reach the user. MFA (Multi-Factor Authentication) is important for every business. Microsoft has reported that this simple control blocks over 99.9% of account compromise attacks, and it does not take long to enable. With MFA, even if an employee gives their password to a bad actor, the attacker cannot log in without the additional authentication factor. Be aware, though, that one-time codes from SMS or an authenticator app can still be relayed in real time by a phishing page that proxies the genuine login; phishing-resistant methods such as FIDO2 security keys close that gap.
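The check an email gateway performs to catch brand impersonation like the DoL example is worth seeing in code. The following is an added example, not code from the original article or from INKY: it parses the headers a mail server already records (From, Return-Path and Authentication-Results), flags a display name that claims a protected brand while the sending domain is not one the brand owns, and applies a DMARC-style alignment test requiring an SPF or DKIM pass from a domain aligned with the From domain. The sample headers, the PROTECTED_BRANDS table and the lookalike domains are constructed for the example; organisational-domain matching is simplified to the last two labels, which is fine for dol.gov but wrong for co.uk-style suffixes.

```python
"""Flag brand-impersonation emails from their headers (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Brands we protect and the domains legitimately allowed to use them.
# Constructed for the example; the real list would come from your own config.
PROTECTED_BRANDS = {
    "department of labor": {"dol.gov"},
}


def org_domain(domain):
    """Simplified organisational domain: the last two labels, lower-cased.
    Good enough for dol.gov / example.com, not for public suffixes like co.uk."""
    labels = domain.lower().strip("<>").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_auth_results(value):
    """Parse an Authentication-Results header into
    {'spf': (result, domain), 'dkim': (result, domain)}."""
    out = {}
    if not value:
        return out
    for clause in value.split(";")[1:]:  # first clause is the authserv-id
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.i)=([^\s;]+)", clause)
        domain = dom.group(1).rsplit("@", 1)[-1].lower() if dom else ""
        out[method] = (result, domain)
    return out


def analyse(raw):
    """Return a list of impersonation findings; an empty list means no indicators."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    rp_domain = rp_addr.rsplit("@", 1)[-1].lower() if "@" in rp_addr else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []

    # 1. Display name claims a protected brand but the From domain is not one it owns.
    for brand, allowed in PROTECTED_BRANDS.items():
        if brand in display.lower() and org_domain(from_domain) not in allowed:
            findings.append(
                f"display name '{display}' impersonates {brand}; From domain is {from_domain}"
            )
            break

    # 2. DMARC-style alignment: SPF or DKIM must pass from a domain aligned with From.
    spf_res, spf_dom = auth.get("spf", ("none", ""))
    dkim_res, dkim_dom = auth.get("dkim", ("none", ""))
    spf_aligned = spf_res == "pass" and org_domain(spf_dom) == org_domain(from_domain)
    dkim_aligned = dkim_res == "pass" and org_domain(dkim_dom) == org_domain(from_domain)
    if not (spf_aligned or dkim_aligned):
        findings.append(
            f"no aligned SPF/DKIM pass for From domain {from_domain} "
            f"(spf={spf_res}/{spf_dom}, dkim={dkim_res}/{dkim_dom})"
        )

    # 3. Return-Path (bounce) domain differs from From domain, typical of bulk phishing kits.
    if rp_domain and org_domain(rp_domain) != org_domain(from_domain):
        findings.append(f"Return-Path domain {rp_domain} does not match From domain {from_domain}")
    return findings


# Constructed sample headers for the example, not taken from the real incident.
PHISH = """\
Return-Path: <bounce@mail-blast.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-blast.example; dkim=none
From: "U.S. Department of Labor" <procurement@dol-gov-bids.example>
Subject: Invitation to bid - Project 2021-DOL

"""

LEGIT = """\
Return-Path: <no-reply@dol.gov>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=dol.gov; dkim=pass header.d=dol.gov
From: "U.S. Department of Labor" <no-reply@dol.gov>
Subject: Account notice

"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyse(raw) or ["no impersonation indicators"])
```

The phishing sample trips all three checks; the legitimate one trips none. In production the alignment check would be replaced by the gateway's own DMARC evaluation and the brand list by the organisation's suppliers and partners, but the logic is the same: judge a message by the authenticated sending domain, never by the name the sender chose to display.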

These are just a couple of the ways to protect yourself; contact us to find out more.
