Fraud: The rise of social engineering
Alastair Murray considers how social engineering is being used as a means of committing fraud.
Strong firewalls, anti-malware software and operating system patches are now understood to be a necessity for any business. However, the big issue continues to be human error. It is estimated that fewer than one per cent of attacks are now targeted at system vulnerabilities, with staff curiosity and misplaced trust being the key vulnerabilities exploited by cyber criminals. It seems we just cannot stop clicking on those links and attachments.
One of the top cyber attack methods today is called ‘social engineering’ – the term used to describe a collection of cyber fraud techniques employed to trick companies and individuals into handing over personal data, money and other assets. It manipulates, disrupts and deceives to gain illegal control over IT systems, personal desk top computers, mobile phones and tablets.
A social engineering campaign will identify one or more particularly valuable targets, such as a large corporation, a multi-millionaire, a celebrity or even you. The campaign will gather as much specific information as possible about the target using data sources such as Companies House registers, trade associations, sports and social clubs, schools, universities, social security numbers and social media. Since many individuals now record a lot of their personal details on social media, it is not surprising cyber criminals find so much, so easily.
As office technology becomes the driving force behind businesses of all sizes, the need to protect it from cyber attack grows. The thought of a data loss incident, phishing fraud, Ransomware and social engineering scams is unthinkable, each with the potential to do untold damage to customer relations and levy heavy fines.
The very targeted nature of social engineering means the fraud is likely to be greater and more damaging. With so much data available online today, the task of building a well targeted and convincing ‘socially engineered’ campaign is relatively easy to fool even the most vigilant person.
Below are some of the leading social engineering techniques.
Baiting is a common ploy to tempt an employee’s curiosity by planting a CD or USB somewhere obvious like on a desk or next to a computer. The employee’s curiosity is aroused and they pick it up and insert it into their laptop or desk computer. Soon after or later that day, it will download malware onto the computer. The cybercriminal will have hacked their computer and gained access to log ins, sensitive information and confidential files. This is less common now employees know better than to pick up stray CDs and USBs!
Delivery or diversion theft
This is where deliveries, postal services and couriers are targeted by cyber criminals to trick a delivery firm into making the drop somewhere else; sometimes referred to as ‘round the corner theft.’ The objective is to con the person responsible for a legitimate drop-off to deliver somewhere else.
During the covid-19 pandemic, this has taken a new form where rogue delivery firms disguised as genuine providers like Amazon, DHL and Royal Mail, claim to have a parcel that has not been paid for and promise to deliver it once a fraudulent payment is made. The cyber criminals then put-up a fake bank payment screen and steal the money.
This is usually aimed at men where attractive women are promoted via an online dating site or similar, to trick them into clicking a malicious web link. A person’s curiosity and trusting nature online can be dangerous and lead to many awkward scenarios, which can also be costly.
This is the most notorious cyber crime technique, where criminals seek to steal online usernames, passwords and credit card details, usually via a phishing email which appears to come from a known and trusted provider, work colleague or friend. Bitcoin promotions, utility companies, HMRC and couriers, that each seem genuine and harmless, are increasingly hi-jacked by hackers and fraudsters.
Some of the biggest phishing frauds succeed with no more than a simple email instruction; without any attachments or embedded links. All a scammer needs to do is write a convincing email. Add to this the growing content published on social media by private individuals and firms, it is relatively easy to piece together profiles through which to steal personal data, passwords, identities, cloud system logins and bank details.
Microsoft Office 365 users are regular targets where a phishing email is sent purporting to be from Microsoft requesting the user logs into their Office 365 portal, but which is instead the criminal’s Office 365 login screen tricking the user into submitting their credentials to the attackers. This is where multiple verification methods come in handy.
Firms can protect themselves by applying for the Cyber Essentials Accreditation Certificate. This is like a Kitemark for Cyber Security and asks what security methods are already in place such as firewalls, logins, virus prevention, passwords, data security protection routines, cyber incident reporting, software patching and controls, security policy standards for employees and the use of office technology, including mobiles, which is now incorporated into the ‘Lexcel’ Legal Practice Quality Mark standard for legal professionals.
The government worked with the Information Assurance for Small and Medium Enterprises consortium to create this set of basic technical controls to help organisations protect themselves against common online security threats. The full scheme, launched on 5 June 2014, is backed by industry including the Federation of Small Businesses, the CBI and most insurance companies. Cyber Essentials is suitable for all organisations, of any size, in any sector.
Quid pro quo
You give me something and I will give you something in return. Typically, this will be an email offering a free shopping voucher, a bitcoin sign-up screen or similar, to encourage the user to click to accept or enter. This might include an attachment or an embedded link, which downloads exploit code and their PC becomes infected. This now happens on mobiles.
In one example, a café asks customers to like their Facebook page in return for a free muffin. The customers login to their Facebook pages to ‘like’ the café’s Facebook page. The black van across the road picks up all their personal details which are relayed back to the customers to their great surprise! There are plenty of examples of individuals and firms posting far too much personal and sensitive information online for cyber criminals to pick up.
Rogue virus scans and scareware
Fake or rogue anti-virus, anti-spam and anti-spyware are frequent arrivals in email inboxes, designed to trick the user into downloading or running fake scans which then infect their PCs with malware or ‘hack’ exploit code. Scareware is another malware tactic that cyber criminals use to manipulate users into doing something they do not need to do, perhaps with time limits, expiration or termination threats. This is typically accompanied by a suitably tempting or alarming subject line. These emails should be deleted.
This is where a phishing campaign becomes very specific and targets a particular firm or individual. A spear phishing campaign may take weeks or months of background research by the fraudsters to gather enough information to make their scam convincing enough to work. Having done the research, the target will be attacked and very likely robbed of login credentials and other sensitive data. It sounds completely inconceivable that anyone would go to so much trouble, but they do.
This is another version of phishing where a mobile phone is attacked using a bank’s interactive voice response system to deceive a user into handing over bank logins or similar credentials. The victim is sent a voice activation message to call their bank or similar, usually with a free number to authenticate the details. Some vishing scams will have the attacker call the victim, claiming to be a customer services agent.
This technique takes advantage of websites people regularly visit and trust. The attacker will research the selected group of web users to discover the sites they most regularly visit and seem to trust. The cyber criminal will then look for the vulnerabilities on these sites, such as weak passwords, poor software patching processes or limited authentication procedures, to plant exploit and other nasty code onto the site. It is then a matter of time before one or more of the target users becomes infected with malicious code or is hacked.
Alastair Murray is director at The Bureau the-bureau.co.uk