The Biggest Threat to All Data, Everywhere

Even the world’s most secure systems have the same common vulnerability as every other secure system in the world — people. Most cybercriminals target humans, not systems, to gain access to your most sensitive data. 

Social engineering and phishing are among the most commonly used cyberattack strategies in the world for good reason: they work really well. 

Social Engineering and Phishing

Social engineering is a cybersecurity threat that uses manipulation and deception of authorized users to gain unauthorized access to your secure data. By posing as a vendor, coworker, customer or authority figure, criminals gain physical or virtual access to your systems and data. These criminals may also perform extensive research, using publicly available information and social media, to develop a convincing and successful angle.

Phishing is a technique in which a fraudulent email (like common spam) is used to obtain the recipient’s usernames, passwords, payment card information or other personal details. These emails are often designed to appear as though they came from a trusted source such as a bank, auction site, popular social networking platform or IT administrator. 

High Profile Examples

The consequences of social engineering are both staggering and devastating:

Target, 2013:

110 million customers' payment card information was stolen. Target's CEO and many of its IT security staff were fired over this breach.

Google and Facebook, 2013-2015: 

Over $100 million disappeared, routed by wire transfer to offshore bank accounts until the U.S. Department of Justice captured the perpetrator.


Apple iCloud, 2014: 

Cybercriminal Ryan Collins sent celebrities fake warnings of security breaches, collected frantically-entered login credentials from credulous recipients, then downloaded more than 500 private digital photographs.

Home Depot, 2014: 

100 million payment card numbers and other personal details were stolen and placed for sale on dark web marketplaces.


Crelan Bank, 2016: 

The Belgian bank lost $75 million as a result of the well-known “CEO Fraud” phishing attack.

Amazon Prime Day, 2017: 

Criminals tricked buyers into making purchases, then collected security credentials when the buyers tried to correct a "processing error" in the sale.

Common Social Engineering and Phishing Techniques

Understanding how and why social engineering works can help users and employees learn to spot attempts and protect their credentials more vigilantly. A good grasp on today’s most popular social engineering strategies may also help users spot evolving future techniques.

Spear Phishing

Spear phishing is a more targeted type of phishing. Rather than sending mass emails, the criminal sends highly targeted, personalized emails to specific individuals or companies, based on advance research using publicly available information such as social media.

CEO Impersonation or Business Email Compromise (BEC)

This growing threat is costing some companies millions of dollars in losses. Essentially, sophisticated criminals target specific employees like controllers and accountants (often when the CEO is away) to request an immediate wire transfer to what appears to be a trusted vendor or familiar account. 

Pretexting

The criminal engages the victim with a made-up story or scenario. Previously-acquired personal details like the target's social security number or date of birth might be used to increase trust and gain more information.

Diversion Theft

The criminal gains the confidence of a courier or parcel carrier in order to divert a delivery to an alternate location.

Water-Holing

Just as animals return to a trusted water-hole, many consumers return to the same sites repeatedly. "Water-holing" involves identifying those sites and laying cybertraps there for the user.

Baiting

Baiting involves dangling something of interest in front of the victim such as a digital content download or even a physical object, like a data stick labeled "Q1 Layoff Plan." Once an employee opens it out of curiosity, it could infect the system.

Quid Pro Quo

In this scheme, the cybercriminal comes in a trusted guise and offers something beneficial in exchange for sensitive information. A caller could pretend to be IT support, for example, and offer a quick fix or update if the target briefly disables security protocols or shares a password.

Tailgating

An extremely low-tech tactic is simply following authorized personnel through a locked door to gain access to private facilities. Many employees or visitors do not question people following them through secured doors, assuming they have a legitimate reason to be there.

Honeytrap

This method relies on a sexually attractive, possibly fictitious, character manipulating a user for confidential information or unauthorized access. 

Social Media Deception

A criminal accesses the profile of a friend or celebrity (or makes a lookalike profile) and tries to get the target to click on a link.

Content Injection 

A criminal might alter the content of a website, redirecting users to a phishing page.

Search Engine Phishing 

The phisher attempts to put low-cost products or services at the top of searches, collecting payment card details from the "purchase."

Website Forgery

The criminal builds a replica of a legitimate website, collecting confidential data from transactions the target attempts.

"Man-in-the-Middle"

The phisher inserts him or herself between the target and a real website, collecting details from a legitimate transaction.

Domain Spoofing

Common in CEO fraud, the criminal emails the target from what looks like a legitimate email address within the domain of the company the criminal is impersonating.

Link Manipulation

A reputable-looking link redirects to a different site, exposing the computer to malware. This deception can usually be detected by hovering the cursor over the link before clicking, which lets the browser show where the link actually goes.

Trojan Horse

Malware prompts the user to perform an action that looks legitimate but allows unauthorized access through the local machine.

Vishing

Phishing over the phone, with bad actors calling employees under false pretenses in order to gain unauthorized access to your system or sensitive information.

Smishing 

Phishing by SMS (phone-based text messages) or other text messaging services.

Lock Picking

This breach of a company's physical security is a very effective way of gaining access to your workstations, data centers, and more.

Arm Your Staff with Security Awareness Training

  • 45% of employees will plug in an unknown USB stick
  • 90% of all successful breaches began with "phishing" 

The odds are stacked against data security. Fortunately, security education can significantly reduce an organization's risk of falling victim to social engineering attacks. Train employees to identify these attacks, understand how they work, and follow the proper process for reporting them.

Social engineering and phishing security training is available in virtual and in-person formats for organizations of every size around the world. While the methods, vendors and information covered will vary, high-quality training programs share the same basic elements.

Effective Anti-Phishing Training Should:

  1. Focus on topics relevant to the trainees.
  2. Help employees make better security decisions.
  3. Work on modifying two or three key behaviors. Training on every phishing technique at once is information overload and likely to fail.

Working with the Truvantis® Team

Mandatory employee training on phishing is easy enough to implement. Making a lasting, measurable impact on your users is a different story. 

Our training begins on a kick-off call with your security team, so we’re aligned with your goals and focused where you need us most. Then, we begin testing your employees without them knowing what’s coming.

The Truvantis red team of cybersecurity experts will attempt to phish and manipulate your users, in the same way a criminal might, in order to show them real criminal strategies and just how susceptible they really are. During training periods, our social engineering team can be deployed to phish a company’s users as often as monthly, until we’re no longer successful in getting access to your data. 

After testing, we’ll meet with you to discuss our successes and failures and to provide expert recommendations for the most relevant and effective training strategies. Then, we’ll help you harden your system where it matters most with hands-on user training that’s among the best in the industry.