A Field Guide to “Social Engineering” Cyber Scams


Any hobbyist will tell you that a proper guide is a must to mastering a craft.  However, a hobby is a part-time occupation; most of us know that our businesses need full-time attention. Because cybersecurity threats can impact core business activities, addressing those threats, especially those known as “social engineering” and cyber scams, is not a mere pastime — it’s a full-time job.

Bad actors use social engineering — the practice of using human interaction (or simulated human interaction) to gain trust — to obtain passwords, access or other information about a company and its security and computer systems. Most notably, “phishing” is a form of social engineering in which emails or websites pose as known and trusted organizations (such as a customer, credit card company or utility) to trick a target consumer. Because the consumer views the organization as a trusted brand, the consumer is more easily duped into providing user information that could compromise their data security.

Fighting bad actors who use social engineering requires constant attention, especially as hackers become more sophisticated.  To keep you informed, here’s an abbreviated field guide of what you might see in the wild this season.

Phishing: Phishing is the most common type of social engineering cyber scam. Attackers use emails, text messaging or social media outreach to trick victims into providing the desired sensitive information, or to visit a seemingly innocent but malicious site, where their system or security can be compromised.

Many phishing scams present the target with a sense of urgency, such as, “update your password now or lose access to your account.” In the wake of GDPR requirements, some ironically pose as trusted sources asking the target to approve or acknowledge a privacy policy update. Some distinguish phishing (think of catching many fish in a large trawling net) from spear phishing, in which a specific individual or a small group of individuals is targeted using details gathered about them in advance. Either way, it can end poorly for the phished.

Pretexting: In pretexting, scammers will assume the identity of a professional likely to come into contact with the target, such as a vendor, supplier, or outside IT support professional. In the most sophisticated scams, there is conversation that builds trust and lures the victim into providing the desired information.

Baiting: In baiting scams, victims are lured into doing something that they perceive as good, such as enabling two-factor authentication, updating software or applying an emergency “patch” to fix a newly discovered security flaw, when the download or link actually delivers malware. Baiting can also be as simple as loading malware onto USB drives bearing a trusted brand’s logo and leaving them where they will be picked up, such as on a trade show exhibit table.

Quid Pro Quo: In these attacks, criminals offer a service in exchange for the desired electronic information. For example, it might be a malware scan or software upgrade. For knowledge workers, it might be access to a white paper, or the offer to exchange valuable industry data in exchange for participating in a short survey.

Watering Hole: In a watering hole attack, scammers inject malicious code into the public web pages of a site the target frequently visits and wait for their targets to come to them. The victim’s interaction with the trusted infected site becomes the opportunity to gain access to the desired information or system.

Whaling: You could consider whaling a combination of a phishing and watering hole attack (a surf-and-turf danger, if you will). Whaling attacks target specific high-level executives (the corporate big fish) to gain confidential information, personal data or access credentials of otherwise highly secured individuals. Whaling is much like spear phishing, but takes the form of critical business emails that appear to come from a legitimate authority, such as a fellow executive or an important outside organization; a spoofed or lookalike sender address paired with a request to wire funds or release data is a common tell.
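One way to turn the tells described above for phishing, spear phishing and whaling into a repeatable check, as an added example that is not part of the original article or the firm’s own tooling: the Python below parses a constructed whaling-style email and reports the indicators a mail gateway or help desk would want flagged (a lookalike sender domain, an authority title used by an outside sender, a Reply-To that diverges from the From address, urgency language, and a link whose visible text does not match its real destination). The trusted-domain list, the sample message and the two-label registrable-domain heuristic are assumptions made for the example.

```python
"""Triage a raw email for phishing and whaling indicators (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the defender's own domains; anything else is "outside".
TRUSTED_DOMAINS = {"example-corp.com"}
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours",
                   "or lose access", "account will be suspended")
AUTHORITY_RE = re.compile(r"\b(ceo|cfo|president|director|it support|helpdesk)\b", re.I)

# Constructed sample: a whaling-style lure with a lookalike sender domain,
# a free-mail Reply-To, urgency language and a deceptive link.
SAMPLE_LURE = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
To: cfo@example-corp.com
Reply-To: jane.doe.ceo@gmail.com
Subject: Urgent wire approval needed
Content-Type: text/html

<html><body><p>Please approve this payment immediately or the deal falls through.</p>
<a href="http://example-corp.com.login-verify.example.net/approve">https://example-corp.com/approve</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain by the last two labels.
    Assumption: adequate for .com/.net; real code should use a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold_lookalike(domain):
    """Fold common digit/letter swaps so 'examp1e-corp.com' compares equal to
    'example-corp.com'. Applied to both sides, so it only ever widens a match."""
    return domain.lower().replace("rn", "m").translate(str.maketrans("1035", "lose"))


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def body_text(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk()
                     if p.get_content_type() in ("text/plain", "text/html"))


def triage(raw_message, trusted=TRUSTED_DOMAINS):
    """Return the list of indicators found in a raw RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain not in trusted and fold_lookalike(from_domain) in {fold_lookalike(d) for d in trusted}:
        findings.append(f"lookalike sender domain: {from_domain}")
    if from_domain not in trusted and AUTHORITY_RE.search(display_name):
        findings.append(f"authority claimed by outside sender: {display_name!r} <{from_addr}>")

    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain differs from From: {reply_domain}")

    body = body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        href_host = host_of(href)
        # Visible URL and real destination disagree: the classic deceptive link.
        if shown.startswith(("http://", "https://")) and \
                registrable_domain(host_of(shown)) != registrable_domain(href_host):
            findings.append(f"link text {shown} actually points to {href_host}")
        # Our brand used as a subdomain of someone else's domain.
        if any(d in href_host and registrable_domain(href_host) != d for d in trusted):
            findings.append(f"trusted name embedded in outside host: {href_host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LURE):
        print("-", finding)
```

Treat the output as triage signals for a mail gateway or help-desk queue rather than a verdict: legitimate mail from outside partners will trip the authority check, and the homoglyph folding deliberately widens matches, so a human still decides.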

Tailgating: Tailgating is the physical act of an unauthorized person gaining entry by following an authorized entrant through a secured door. This could be a delivery person fumbling with an armful of packages who waits for an authorized entrant with a security badge to hold the door open for them. Like baiting, tailgating preys on our willingness to help others.

Companies stand the greatest chance of spotting these predators in the field by equipping their employees with the knowledge to identify and report threats. Conveying updated, engaging information to your workforce about the latest social engineering scams is an important first step.


Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.