Social Engineering in 2018
Social Engineering in 2018
A little over a year ago the WannaCry and NotPetya Ransomwares raised havoc across the world causing massive computer outages. A year later these types of attacks are only on the rise and we should expect to see social engineering attacks continue to infiltrate our computer environments. Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
The most commonly used and known form of social engineering attack is email phishing. All organizations (big and small) are susceptible to phishing attempts, even those with the best tools, systems, and training. This is primarily due to email being the most common preferred choice of communication. These types of scams can persuade users to provide sensitive information or install a malicious program such as malware or even run a word or excel macro to obtain data. In addition to email phishing, there are also other forms of social engineering attacks that many organizations and users should be aware of.
Types of social engineering attacks:
- Vishing — Scamming customers via phone calls and asking for credential information. Such as pretending to be the IRS and owing money back in taxes.
- Tip: The IRS will never call you if you owe them money. They will send you a notice in the mail.
- Ransomware — Malicious software or code that usually denies you access to your data. The attacker demands a ransom payment to restore access to the data. Note: even with payment there is no guarantee of access to your data.
- Smsishing — A form of phishing when someone tried to trick you into giving them your private information via text or sms message.
- Phishing websites with HTTPS – Websites that appear on the surface to be secure; however, they maintain a false certificate. There are websites that give out free SSL certificates for attackers to obtain. Users should not assume that all HTTPS websites with SSL certificates are safe.
- Tip: Look for the green bar which means that the website also uses an Extended Validated SSL certificate (EV-SSL). It will show a padlock including the organization’s name and country code.
- Fake / spoofed websites — Attackers can obtain domain names and copy legitimate websites to look real.
- Tip: Limit what you click, manually type in the known web address.
Attackers are constantly improving and exploiting vulnerabilities. Attacks are only going to continue to rise, increase in complexity, and evolve over time into new threats. Organizations can only do so much to prevent being the next target of a cybercrime. Appropriate controls in a layered approach need to be in placed to mitigate these risks. These include adequate staff training, using multi-factor authentication, having the necessary insurance in case of a data breach, proper security tools to detect attacks, etc. When in doubt don’t click – call to confirm the legitimacy using a known valid number, not the number provided in the phishing attempt.
For additional information contact Jeff Johns, the author at firstname.lastname@example.org.