Social Engineering

Solutions to Defend Against Social Engineering, Phishing, CEO Fraud....

Social Engineering Defined

Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick used for information gathering, fraud, or system access, and it differs from a traditional "con" in that it is often only one of many steps in a more complex fraud scheme. Social engineering is closely associated with phishing, scraping of social websites, and watering hole attacks.

Step 1: Reconnaissance: Harvest information for targeted attacks

  • Social engineering is frequently the first step of a sophisticated multi-step attack. Complex attacks such as advanced persistent threats (APTs), CEO fraud, cryptocurrency theft, and other targeted cyber-attacks commonly begin with social engineering to harvest information.
  • Frequent reconnaissance methods include:
    • Harvesting information from social websites (Facebook, Twitter, LinkedIn) and from public posts by your company, partner companies, vendors, news organizations, member associations, etc.
    • Communicating with employees by email, text message, or phone to gather targeted information
    • Stealing personal information from your PC, smartphone, or company servers
  • Once this information is in hand, a targeted attack on specific individuals can be launched that causes the victim to perform the desired behavior.

Step 2: Cause individuals to initiate a particular behavior, leveraging what the attacker learned from the harvested information.

The elicited behavior produces the compromise (a malware infection, stolen credentials, or a fraudulent payment) that becomes the next step in the attack. Frequent attack methods built on harvested information include spear phishing, CEO fraud, and watering hole attacks. Actions elicited from individuals that lead to compromise include:

  • Clicking an email link that leads to a malicious website
  • Opening an email attachment that exploits a software flaw to infect the computer
  • Visiting a compromised or look-alike website, often combined with a request to enter login credentials or other private information
  • Acting on a request, unauthorized but made to look routine, to send money or confidential information to a third party or bank (CEO fraud); the attacker shapes the request around what was learned about normal internal transactions.
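The CEO-fraud pattern above (an executive's name on a look-alike or mismatched address, replies routed elsewhere, and a money request wrapped in urgency or secrecy) can be screened for mechanically. The following is an added example, not code from the original page or from the company behind it; the organisation domain, the executive list, and both sample messages are constructed for the illustration.

```python
"""Heuristic screen for CEO-fraud / spear-phishing mail (added example, not the page's code)."""
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the illustration: the organisation's domain and the
# executives whose names attackers would impersonate (hypothetical).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"pat quinn": "pat.quinn@example.com"}

URGENCY = ("urgent", "immediately", "today", "asap", "right away")
SECRECY = ("confidential", "keep this between", "do not tell", "don't tell")
MONEY = ("wire", "transfer", "payment", "gift card", "bank details", "invoice")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """A domain that is almost, but not exactly, ours, or that hides ours as a prefix label."""
    if domain == ORG_DOMAIN:
        return False
    return edit_distance(domain, ORG_DOMAIN) <= 2 or domain.startswith(ORG_DOMAIN + ".")


def analyze(raw: str) -> dict:
    """Return the CEO-fraud indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    indicators = []

    # 1. Display name of a known executive, but not that executive's real address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        indicators.append("display_name_spoof")

    # 2. Sender domain is a look-alike of our own.
    if is_lookalike(from_domain):
        indicators.append("lookalike_domain")

    # 3. Reply-To routes answers to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        indicators.append("reply_to_mismatch")

    # 4. A money request combined with urgency or secrecy: the CEO-fraud script.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(w in text for w in MONEY) and (
        any(w in text for w in URGENCY) or any(w in text for w in SECRECY)
    ):
        indicators.append("payment_pressure")

    return {"from": addr, "indicators": indicators, "score": len(indicators)}


# Constructed sample messages for the demonstration (not real mail).
FRAUD_MSG = """\
From: Pat Quinn <pat.quinn@examp1e.com>
Reply-To: ceo.office@mail-examp1e.net
To: accounts@example.com
Subject: Urgent wire transfer

Are you at your desk? I need a wire transfer sent today for an acquisition.
Keep this confidential until I announce it.
"""

LEGIT_MSG = """\
From: Pat Quinn <pat.quinn@example.com>
To: accounts@example.com
Subject: Q3 invoice schedule

Attached is the usual vendor invoice schedule for Q3. Thanks.
"""

if __name__ == "__main__":
    for label, m in (("fraud", FRAUD_MSG), ("legit", LEGIT_MSG)):
        print(label, analyze(m))
```

The fraudulent sample trips all four indicators; the routine invoice mail from the real executive address trips none. Header heuristics like these are a screen, not a verdict: a message that passes them still needs SPF/DKIM/DMARC alignment checks, and any payment request should be confirmed out of band with the requester regardless of score.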

We would love the opportunity to work with you in
the way that is most productive for your company.

Contact us to let us know how we can help you today.

Helping Companies Secure their Businesses Since 2003! What are you waiting for?
