
Social Engineering

Social engineering attacks include phishing, spear phishing, CEO fraud, ransomware and more. Learn about different attack methods and how you can manage this ongoing problem.


What is social engineering?

Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access. Phishing, spear phishing, and CEO Fraud are all examples.

Social Engineer

OK, so who are these people? It could be a hacker in the USA who is out to do damage or disrupt. It could be a member of an Eastern European cybercrime mafia that is trying to penetrate your network and steal cash from your online bank account. Or it could be a Chinese hacker trying to get into your organization’s network for corporate espionage.


Video AMA with Kevin Mitnick on all things Social Engineering

KnowBe4's Chief Hacking Officer, Kevin Mitnick, sat down with our team for an exclusive interview where we could ask him anything. We thought you’d like to hear his answers, too. Ever wonder what he thinks about social engineering and pen testing, how he got into the business, or why he works with KnowBe4? Find out now; it's 7 minutes well spent!

 


Top 10 Techniques Used By Social Engineers

Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how the bad guys do it:

Pretexting

An invented scenario is used to engage a potential victim to try and increase the chance that the victim will bite. It's a false motive usually involving some real knowledge of the victim (e.g. date of birth, Social Security number, etc.) in an attempt to get even more information.

Diversion Theft

A 'con' exercised by professional thieves, usually targeted at a transport or courier company. The objective is to trick the company into making the delivery somewhere other than the intended location.

Phishing

The process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity, using bulk email crafted to evade spam filters. Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering. See also Spear Phishing.

Spear Phishing

A small, focused, targeted attack via email on a particular person or organization with the goal of penetrating their defenses. The spear phishing attack is carried out after research on the target and has a specific personalized component designed to make the target do something against their own interest.

Water-Holing

This technique takes advantage of websites people regularly visit and trust. The attacker gathers information about a targeted group of individuals to find out which websites those are, then tests those websites for vulnerabilities. Over time, one or more members of the targeted group get infected and the attacker can gain access to the secure system.

Baiting

Baiting means dangling something in front of a victim so that they take action. It can be through a peer-to-peer or social networking site in the form of a (porn) movie download, or it can be a USB drive labeled “Q1 Layoff Plan” left out in a public place for the victim to find. Once the device is used or the malicious file is downloaded, the victim’s computer is infected, allowing the criminal to take over the network.

Quid Pro Quo

Latin for 'something for something'; in this case it's a benefit to the victim in exchange for information. A good example is hackers pretending to be IT support. They will call everyone they can find at a company to say they have a quick fix and "you just need to disable your AV". Anyone who falls for it gets malware such as ransomware installed on their machine.

Tailgating

A method used by social engineers to gain access to a building or other protected area. A tailgater waits for an authorized user to open and pass through a secure entry and then follows right behind.

Honeytrap

A trick that lures men into interacting with a fictitious attractive woman online. It derives from old espionage tactics in which a real woman was used.

Rogue

Also called a rogue scanner, rogue anti-spyware, rogue anti-malware or scareware, rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware. In recent years it has become a growing and serious security threat in desktop computing. It is very popular and there are literally dozens of these programs.


Did you know that 77% of successful social engineering attacks started with a phishing email?

Find out what percentage of your employees are Phish-prone™ with your free Phishing Security Test. Plus, give them point-of-failure training using our Social Engineering Indicators feature. 


Real-World Examples

Phishing

A classic example is the tech support scam, and it comes in many varieties and levels of sophistication.

Over the past few years online service providers have been proactively messaging customers when they detect unusual activity on their users' accounts. Not surprisingly, the bad guys have used this trend to their advantage. Many of these emails are poorly designed, with bad grammar and the like, but others look legitimate enough that someone who isn't paying close attention will click.

Consider this fake Paypal security notice warning potential marks of "unusual log in activity" on their accounts:

Paypal Phishing Email - Fake Security Notice

Hovering over the links would be a dead giveaway that this is a phishing email, but enough targeted users click without thinking for scams like this to continue.
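To illustrate the hover check described above in code, here is an added Python example (written for this page, not KnowBe4's own tooling) that flags anchors whose visible text and real destination disagree, or whose destination is not on a trusted domain; the sample message body and the .test domains are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased hostname of a URL; bare text like 'www.example.com/x' is accepted too."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def _on_trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)

def find_mismatched_links(html_body, trusted_domains):
    """Return the links a reader would only catch by hovering: an href host that is
    not a trusted domain, or visible URL text whose host differs from the real href."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host, reasons = _host(href), []
        if not _on_trusted(href_host, trusted_domains):
            reasons.append("href host %r is not a trusted domain" % href_host)
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I) and _host(text) != href_host:
            reasons.append("visible text %r does not match the real destination" % text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed sample in the style of the fake security notice above (not a real message).
SAMPLE_EMAIL = """
<p>We noticed unusual log in activity on your account. Please confirm your identity:</p>
<p><a href="http://paypal.com.account-verify.test/secure">https://www.paypal.com/myaccount</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
"""
```

Running `find_mismatched_links(SAMPLE_EMAIL, {"paypal.com"})` reports only the first link, with both the untrusted destination and the text/href mismatch as reasons.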

Spear Phishing

In a spear phishing attack, threat actors use a deep knowledge of the potential victims to target them, and that approach allows them to tailor the attack. These emails are more convincing and harder to detect than regular phishing emails. The attacker knows exactly who and what they're targeting.

Unlike mass phishing emails which may be attempting to distribute ransomware or gather individual login credentials to make a quick buck, spear phishers are normally after confidential information, business secrets, etc.

CEO Fraud

Here's an example of a CEO fraud attempt targeted at a KnowBe4 customer. She received an email from an individual purporting to be the president of the company. The employee initially responded, then remembered her training and reported the email via our Phish Alert Button, alerting her IT department to the fraud attempt.

When the employee failed to proceed with the wire transfer, she got another email from the bad guys, who probably thought they had her fooled:

CEO Fraud Phishing Email Example

Because this employee had gone through proper security awareness training, she was able to keep her company out of the headlines. This was a close call though, and not everyone is that lucky!
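To show what an automated triage of an attempt like the one described above could look for before the email ever reaches the employee, here is an added Python example (not KnowBe4's own code); the executive name, domains and headers are constructed placeholders.

```python
from email.utils import parseaddr

def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (one swapped or added letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_exec_impersonation(headers, executives, own_domain):
    """Return the reasons a message looks like CEO fraud: an executive's display name on
    an address outside the company, a look-alike sender domain, or a Reply-To that
    quietly diverts the conversation to a different mailbox."""
    own_domain = own_domain.lower()
    name, addr = parseaddr(headers.get("From", ""))
    domain = _domain_of(addr)
    display = " ".join(name.lower().split())
    reasons = []
    if display in {e.lower() for e in executives} and domain != own_domain:
        reasons.append("display name %r used from external address %s" % (name, addr))
    if domain and domain != own_domain and _edit_distance(domain, own_domain) <= 2:
        reasons.append("sender domain %r looks like %r" % (domain, own_domain))
    reply_to = parseaddr(headers.get("Reply-To", ""))[1]
    if reply_to and _domain_of(reply_to) != domain:
        reasons.append("Reply-To %s diverts replies away from %s" % (reply_to, addr))
    return reasons

# Constructed headers modelled on the attempt described above (names and domains are made up).
SAMPLE_HEADERS = {
    "From": '"Pat Example" <ceo.office@examp1e-corp.test>',
    "Reply-To": "pat.example.priv@webmail.test",
    "Subject": "Urgent wire transfer - are you at your desk?",
}

if __name__ == "__main__":
    for reason in check_exec_impersonation(SAMPLE_HEADERS, ["Pat Example"], "example-corp.test"):
        print(reason)
```

All three checks fire on the constructed headers, while a message from the real executive on the company domain with no Reply-To produces no findings.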

Social Media

Cybercriminals create bogus profiles on social media and try to trick you. They will impersonate a celebrity the bad guys already know you like a lot, or one of your friends or colleagues. These profiles look very much like the real thing, and it’s easy to get tricked.

Let’s say you were tricked into believing a bogus Social Network profile. The next step is that they try to make you click on a link or install malicious software, often something to watch a video or review photos. If you click, or do that install, it’s highly likely you will infect your desktop with malware that allows the attacker to take over your PC.

How many of your users will take the bait and reply to a spoofed email?

Did you know that 60% of spoofed email attacks do not include a malicious link or attachment? KnowBe4's new Phishing Reply Test makes it easy for you to check to see if key users in your organization will reply to a highly targeted social engineering attack, before the bad guys do.


Attacks

You may have heard of Norton antivirus, published by Symantec. The technical director of Symantec Security Response said that bad guys are generally not trying to exploit technical vulnerabilities in Windows. They are going after you instead. “You don’t need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content.” Only about 3% of the malware they run into tries to exploit a technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme. This means it does not matter if your workstation is a PC or a Mac. The last line of defense is… you guessed it: YOU! 


Examples of each factor in the threat landscape: 

Email

• Phishing
• Spear phishing
• CEO fraud (aka Business Email Compromise or BEC)

Social Media and Internet

• Reconnaissance
• Fake friends
• Watering hole attacks
• Use of breach data

Trends

• Ransomware
• Pseudo-ransomware
• False flag operations
• Extortion
• Automation
• Search result poisoning

Criminal Groups

• Malicious insiders
• Organized crime
• Hacktivists
• Nation states
• Terrorists

Attack Vectors

• Physical on-site attacks
• Endpoint
• Mobile
• Network
• Cloud
• IoT

2020 Cybersecurity Threat Predictions

KnowBe4 has compiled a list of its top cybersecurity predictions for 2020 from its executive leadership team and array of security awareness advocates from around the world:

  • Federal legislation will be passed that makes ransomware infections affecting over 500 records automatically a data breach, with all the resulting disclosure requirements and legal expenses.
  • Everyone will still be vulnerable and likely exploited through traditional social engineering vectors like phishing and pretext calling.
  • AI-driven social engineering attacks will grow, especially those adopting voice-changing technology to hijack a person’s voice to further fraudulent schemes.
  • More sophisticated supply-chain attacks will appear in corporate environments, wherein hardware implants are installed that are extremely difficult to detect.
  • Further balkanization of the internet and its services. Countries like China have traditionally maintained their own infrastructure; however, we have seen political issues spill over into the cyber realm, with companies like Kaspersky and Huawei being banned in the U.S. We will likely see more products and services having to be tailored for local requirements and regulations.
  • A nation-state will decide to make a point and flex its cyber muscles by initiating large-scale manipulation of everyday consumer IoT products. In addition to the general panic and unease this causes, other, even more serious, impacts will be felt across power grids and other aspects of critical infrastructure.
  • Social engineering and unpatched software will remain the top two root causes for successful exploits as they have been for more than 30 years. Everyone knows they are the top two causes, but most of the world will not treat them like the top threats they are. Instead, they will be mostly ignored or weakly mitigated while most of the world concentrates their resources on things less likely to happen.
  • Highly targeted multi-vector attacks will emerge. The bad guys are building increasingly complex attacks to defeat the growing layers of defense. While defensive measures are not yet sufficient to stop these attacks, the bad guys are always looking to increase the efficiency of their attack methods. Chaining multiple attack vectors together is an excellent way to increase efficiency and reduce the cost of an attack, which allows them to scale up.
  • CEO fraud will escalate and cause major disruption to day-to-day activities globally, leading to the addition of mandatory new-school security awareness training and testing in business, academia, industry and government. This will, in turn, result in collaboration and sharing of ‘near misses’ related to cyber threats more than ever. At present, there is a lot of caution with sharing such information.
  • Deepfake technologies will be used to attempt to influence the 2020 elections in the United States and beyond. Fake videos and audio will be released close to the election time in order to discredit candidates or to swing votes. While these will be proven as fakes fairly rapidly, undecided voters will be influenced by the most realistic or believable fakes.
  • The use of the term security culture will continue to increase as more organizations understand what it takes to reduce risk and manage security in their workforce. A combination of training, assessments and a structured process is being implemented to manage the human factors that influence security.
  • As energy facilities continue to be targeted by cyber attacks, the need for Operational Technology (OT) and Information Technology (IT) departments to collaboratively solve cybersecurity issues will be of increased importance for organizations. They will need to work with their own corporate Security Operations Center (SOC), or use virtual SOCs, to continually monitor their SCADA or DCS networks, watching network activity and the assets connecting to and disconnecting from those networks.


Watch The 2020 Security Trends Webinar! 

To help you master the challenges IT Professionals like you may face in the coming year, KnowBe4 Evangelists, Roger Grimes, Javvad Malik and Erich Kron, share their individual top predictions and discuss where the future of security awareness is heading in 2020.


How Bad Guys Can Hijack Your Accounts

Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? This type of social engineering attack is difficult to defend against because the emails don't contain malicious attachments or links.


How can you prevent attacks?

We've pulled together some resources to help you defend against social engineering attacks. A good place to start is to ensure you have all levels of defense in depth in place. Keep reading below to find out how you can make yourself a hard target, get additional content for yourself and your users, and stay up to date with social engineering in the news via our blog.

Social engineering attacks, including ransomware, business email compromise and phishing, are problems that can never be solved, only managed through a continued focus on security awareness training. Watch this video interview with Stu Sjouwerman as he explains why this is an ongoing problem and the steps required to manage it:

  1. Start with a baseline phishing security test to assess your organization's baseline Phish-prone™ percentage
  2. Step users through interactive, new-school security awareness training
  3. Run frequent simulated social engineering tests to keep users on their toes with security top of mind

 


10 Ways To Make Your Organization A Hard Target 

“You could spend a fortune purchasing technology and services, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”
— Kevin Mitnick

Email Exposure Check Pro

Have your users made you an easy target for social engineering attacks?

Many of the email addresses and identities of your organization are exposed on the internet and easy to find for cybercriminals. With that email attack surface, they can launch spear phishing, ransomware and other social engineering attacks on your users. Our Email Exposure Check identifies the at-risk users in your organization.


Social Engineering Tip Sheets 

These infographics will show your users what to watch out for in emails as well as on mobile devices. We recommend you print these out; they are great at-desk reminders!

On-Demand Webinars

Spotting the Gaps: Is Your Traditional Security Stack Giving You a False Sense of Security?

In this exclusive webinar Kevin Mitnick, the World's Most Famous Hacker and KnowBe4's Chief Hacking Officer, and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, show you shocking examples of significant vulnerabilities that social engineers and hackers use to circumvent traditional security layers and gain a back-door right into your organization.


The Social Engineering Battlefront

There is one constant in the security world: attackers continue to evolve their methods as the defenders find ways to thwart social engineering attacks. Get an analysis of hacker methods as well as practical advice to help protect your organization.


Exposing the Dirty Little Secrets of Social Engineering

Kevin Mitnick and Perry Carpenter share social engineering insights and experiences. These will help you defend against social engineering threats posed by the bad guys and keep them from manipulating your unsuspecting users.


10 Incredible Ways You Can Be Hacked By Email

Email is still the #1 attack vector the bad guys use. A whopping 91% of cyberattacks start with a phishing email, but email hacking is much more than phishing and launching malware! See 10 ways hackers social engineer your users into revealing sensitive data.



Social Engineering In The News

New Potential Phishing Scam Begins with A Phone Call

A recent suspicious phone call was brought to our attention. It looks to be the beginning of a phishing campaign and demonstrates the lengths cybercriminals will go to in order to ensure success.

70% to 90% of All Malicious Breaches are Due to Social Engineering and Phishing Attacks

If you’ve heard me speak the last two years, read any of my articles, or watched any of my webinars, you’ve probably heard me say, “Seventy to ninety percent of all malicious breaches are due to social engineering and phishing!” I say it all the time beca...

The Dilemma: Should you phish test during the COVID-19 pandemic?

By Perry Carpenter, KnowBe4 Chief Evangelist and Strategy Officer. There’s no question, these are challenging times. Employees and organizations around the world are doing their best to keep everyone safe and settle in to a new normal for accomplishing w...

Get the latest about social engineering

Subscribe to CyberheistNews