Social Engineering at Work: Part 1 – Impersonation
Persuasion is part of life. We all try to persuade friends and loved ones to act in a certain way, usually with the best of intentions.
Social engineering is when “persuasion” takes a darker turn. In a broad sense, it includes any action that attempts to influence a person to act against their best interests.
Technically, acts that influence people to behave within their own interests are also social engineering. However, the term is used almost exclusively within the context of fraud, scams, and cyber crime.
Con artists are master social engineers. So are modern hackers who rely on spam and phishing — and they have a few new tricks up their sleeves.
Social Engineering Tactics
In a series of four blogs, I’ll describe some of the most common social engineering tactics used today in cyber crime.
In the real world, cyber attacks do not fit into neat categories. Instead, each is unique, often combining multiple channels and tactics.
While categorization is helpful to understand the nature of the beast, remember that many of these tactics will overlap in the wild.
Impersonation
Impersonation is one of the most common types of social engineering. Put simply, it is when an attacker presents themselves or their communication as originating from another party.
Attackers routinely impersonate authority figures – such as police officers or CEOs – knowing many people are quick to follow orders from authority, as has been proven in psychological experiments.
Many other roles are impersonated: lottery officials, wireless service reps, government officials, coworkers, family members – the list is nearly infinite.
Remote tech support scams
Phone scams are nearly as old as telephones. In a typical scam, the attacker calls the victim, poses as someone else, and uses a false pretense to con the victim into sending payment.
In recent years, the tactics have been used for cyber crime.
Tech support scams are a common example. The attacker calls posing as an employee from Apple, Dell, or Microsoft and claims the victim has a malware infection or other tech problem.
Rather than conning the victim into sending payment, the attacker walks them through the steps to allow a connection to their computer through a remote desktop app.
Once attackers are in, they do as they please, typically installing ransomware.
Some attackers take a multi-pronged approach. Posing as the IRS, one group called victims and demanded either payment or computer access immediately.
Legitimate companies do not call to inform you of an attack and offer to walk you through the process of fixing it. That doesn’t happen in real life. If there were such an issue, you’d receive notice via email, and you would contact your IT support team to resolve it.
Emergency email from the boss
Business email compromise (BEC) scams – which have accelerated in recent years – are an example of impersonation used to devastating effect.
In a typical BEC scam, the attacker has intimate knowledge of the target business, including who is authorized to send wire transfers and how the transfers are initiated.
The attacker targets this person, sending them an email purporting to be from their boss (either by compromising or spoofing the boss’ email). The email requests a large wire transfer to the attacker’s account.
The email is crafted to mimic prior wire requests. It may also inject a sense of urgency, which is a common marketing technique, by adding “I need this handled ASAP.”
It goes without saying that anytime you are asked to wire money – even if it’s an urgent request from your boss – verify it directly with your boss, or with a trusted person who would know if the request was legit.
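The BEC pattern described above (a spoofed or look-alike sender, a borrowed executive name, and an urgent payment request) can be screened for automatically before a message ever reaches the person who initiates wire transfers. The following is an added example, not code from the original post or from mPowered IT: a small Python checker that flags the tell-tale signs in an inbound message. The organisation domain (example.com), the executive list, and both sample messages are constructed for the illustration; the keyword lists are assumptions and would be tuned in practice.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions for this example: the organisation's own mail
# domain and the executives whose names attackers most often borrow.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Assumed keyword lists; real deployments would tune these.
URGENCY_WORDS = ("asap", "urgent", "immediately", "right away", "today")
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "bank account")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list[str]:
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    from_dom = domain_of(addr)
    flags = []

    # 1. An executive's display name on an address that is not theirs.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.append("display-name-spoof")

    # 2. The sending domain is a near miss of our own domain.
    if from_dom != OUR_DOMAIN and levenshtein(from_dom, OUR_DOMAIN) <= 2:
        flags.append("lookalike-domain")

    # 3. Replies are routed somewhere other than the apparent sender.
    reply_to = str(msg["Reply-To"] or "")
    if reply_to and domain_of(parseaddr(reply_to)[1]) != from_dom:
        flags.append("reply-to-mismatch")

    # 4. A payment request combined with pressure to act quickly.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (str(msg["Subject"] or "") + " " + body).lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        flags.append("urgent-payment-request")

    return flags


# Constructed sample: the scam described in the post.
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.janedoe@mail-relay.net>
To: accounts@example.com
Subject: Wire transfer - confidential
Content-Type: text/plain

Are you at your desk? I need this handled ASAP. Please wire $48,500
to the vendor account I will send in my next message.
"""

# Constructed sample: an ordinary message from the real executive.
LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 vendor review
Content-Type: text/plain

Can you pull the vendor list for next week's review? No rush.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyze(sample))
```

A message that trips any of the first three checks should be held for review regardless of its content, because they point at the sender rather than the wording. The fourth check will also fire on a genuine urgent request from the real boss, which is the intended behaviour: the post's advice is to verify every wire request out of band, and the flag simply makes sure that step is not skipped.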
What You Can Do About It
First, always be aware that these scams exist and keep your guard up. More importantly, partner with a trusted IT service company that takes on the job of protecting your business from cybercriminals.
For more information, a security assessment, or help training your employees on cyber safety, call mPowered IT 678-389-6200.