5 social engineering assumptions that are wrong
Cybercriminals continue to launch creative social engineering attacks to trick users. Meanwhile, social engineering misconceptions are exacerbating the risks of falling victim.
Social engineering is involved in the vast majority of cyberattacks, but a new report from Proofpoint has revealed five common social engineering assumptions that are not only wrong but are repeatedly subverted by malicious actors in their attacks.
Commenting on the report’s findings, Sherrod DeGrippo, Proofpoint’s vice president threat research and detection, stated that the vendor has attempted to debunk faulty assumptions made by organizations and security teams so they can better protect employees against cybercrime. “Despite defenders’ best efforts, cybercriminals continue to defraud, extort and ransom companies for billions of dollars annually. Security-focused decision makers have prioritized bolstering defenses around physical and cloud-based infrastructure, which has led to human beings becoming the most relied upon entry point for compromise. As a result, a wide array of content and techniques continue to be developed to exploit human behaviors and interests.”
Indeed, cybercriminals will go to creative and occasionally unusual lengths to carry out social engineering campaigns, making it more difficult for users to avoid falling victim to them.
Here are five social engineering misconceptions exacerbating attacks, as presented by Proofpoint…
Vishing (voice phishing) is a form of attack that attempts to trick victims into giving up sensitive personal information over the phone.
What is vishing?
Vishing is a form of attack that attempts to trick victims into giving up sensitive personal information over the phone. While that makes it sound like an old-fashioned scam, vishing attacks have high-tech elements: they involve automated voice simulation technology, for instance, or the scammer may use personal information about the victim harvested from earlier cyberattacks to put them at ease.
No matter what technology is used, the setup for the attack follows a familiar social engineering script: An attacker creates a scenario to prey on human emotions, commonly greed or fear, and convinces the victim to disclose sensitive information, like credit card numbers or passwords. In that sense, vishing techniques mirror the phishing scams that have been around since the 1990s. But vishing calls exploit the fact that we’re more likely to trust a human voice — and may target the elderly and technophobic who are naive and have no experience with these types of scams.
Vishing statistics
These notable numbers offer a sense of the state of vishing and why it can be a lucrative business for attackers.
- Vishing attacks have been on the rise over the past few years. In 2018, scam calls represented nearly 30% of all incoming mobile calls.
- So it shouldn’t come as a surprise that this weird term is starting to be more widely recognized. Proofpoint’s 2020 State of the Phish report found that 25% of workers in their worldwide survey could correctly define the term.
- 75% of scam victims report that vishers already had some personal information about them, which they used to target them and get yet more information.
- Of people who report government imposter vishing scams to the FTC, only 6% had actually lost money — but those who did lost quite a bit, with the median loss being $960.
Vishing vs. phishing vs. smishing: What’s the difference?
Phishing is the granddaddy of them all, and CSO has a complete explainer with all the details, but in essence it involves sending targeted email messages to trick recipients. “Phish” is pronounced just like it’s spelled, which is to say like the word “fish” — the analogy is of an angler throwing a baited hook out there (the phishing email) and hoping you bite. The term arose in the mid-1990s among hackers aiming to trick AOL users into giving up their login information. The “ph” is part of a tradition of whimsical hacker spelling, and was probably influenced by the term “phreaking,” short for “phone phreaking,” an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls.
Volume 0%
Vishing is, essentially, phishing via phone calls. Just as phishing is considered a subset of spam, so vishing is an outgrowth of VoIP spam, also known as spam over telephony, or SPIT. The term “vishing” itself has been around since the late ’00s.
“Smishing” is a similar type of attack that uses text messages instead of emails or voice calls; the word is a portmanteau of “SMS” and “phishing.” For more on smishing, check out our explainer on the subject.
Vishing techniques
Almost all vishing attacks have a few things in common. The phone calls are initially placed via voice over IP (VoIP) services, which makes them easier for the vishers to automate some or all of the process and more difficult for victims or law enforcement to trace. And the attackers’ ultimate goal is to profit from you in some way — either by harvesting bank account information or other personal details they can use to access your bank accounts, or by tricking you into paying them directly…
As people around the world are faced with fears and concerns over the COVID-19 virus, criminals are also taking note. And unfortunately, they are using this as an opportunity to try and steal money and personal information by generating social engineering scams via email, text, and phone calls.
Over the past few weeks, there has been an increase in attempts to lure unsuspecting victims into going to malicious sites, clicking on malicious links, or providing personal information over the phone under the auspices of COVID-19. Many of these scams attempt to impersonate legitimate organizations, such as the Center for Disease Control or the World Health Organization, by offering fake informational updates and even promises of access to vaccines – all for a price, of course!
Social engineering constantly preys on the only vulnerability that cannot be patched, humans – you and me
Moreover, nobody is safe from these efforts – from administrative employees, contractors, and interns on up to the C-Suite and even business partners can be targets to obtain access to our networks and sensitive information. And for those of us now connecting to the office through our home networks, even our children are potential targets. It is a perpetual bombardment, every day, every minute of the day, 24/7/365.
Threat actors prefer the path of least of resistance. They hack the psyche of targets (who rarely realize the disguises) as well as rely on publically available intelligence and interactions to generate victim profiles. Cybercriminals are experts in the art of masquerading, manipulating, influencing, and devising lures to trick targets into divulging sensitive data, and/or giving them access to our networks and/or facilities.
Why waste an expensive 0-day when social engineering is so effective?
Understanding the primary attack vectors used by the adversary is key when it comes to deterrence; examples of social engineering based attacks include the following.
Digital Attacks
- Phishing/Spearphishing – Email-based attacks that target everyone or a specific person or role within an organization in order to entice individuals to click on malicious links or enter credentials or other personal information.
- Social Media Deception – Adversaries create fake profiles to befriend victims while posing as a current or former co-worker, job recruiter, or someone with a shared interest on social media, especially LinkedIn. Their goal is to trick the victim into providing sensitive information or downloading malware to their device.
- Pretexting – Attackers focus on creating a good pretext, or a false but believable fabricated story, so that they can use it to pretend to need certain information from their target in order to confirm their identity.
- WaterHoling – An attack strategy where attackers gather information about a targeted group of individuals within a certain organization, industry, or region as to what legitimate websites they often visit. Attackers look for vulnerabilities in these sites in order to infect them with malware. Eventually individuals in the targeted group will visit those sites and then become infected.
Phone Based Attacks
- Smishing – A text-based message attack that impersonates a legitimate source in order to lure a victim into downloading viruses and malware onto their cell phone or other mobile device.
- Vishing – Phone-based attack in which adversaries call a cell phone pretending to be from a legitimate source, such as a bank, as a means to try and convince the target into divulging sensitive information such as credit card information or social security numbers. Tactics used by these scammers often rely on what’s known as “caller ID spoofing”. ID spoofing allows them to generate phone calls that appear to be from a legitimate or local sources.
June 25, 2017
Tech support and IRS scams have become as common as random emails proclaiming that you’ve won the lottery, or emails from prince in some foreign land who wants to share their wealth.
The IRS scams start with a voice mail threatening a lawsuit or arrest, and the tech support scams will sometimes appear at random online via pop-up ad. One potential victim in both situations used a bit of code to take matters in their own hands…