Social Engineering Categories
Social engineering is an attack that exploits human nature by convincing someone to disclose information or perform an activity. There are two forms of social engineering: active and passive.
Shoulder Surfing - Shoulder surfing involves looking over the shoulder of someone working on a computer to gain information.
Eavesdropping - Eavesdropping refers to an unauthorized person listening to employees or other authorized personnel as they discuss sensitive topics.
Dumpster diving - Dumpster diving is the process of looking in the trash for sensitive information that has not been properly disposed of.
Tailgating and piggybacking - Piggybacking and tailgating refer to an attacker entering a secured building by following an authorized person through a secure door without providing identification. Piggybacking usually implies consent from the authorized person. Tailgating implies no consent from the authorized person.
Phishing - A phishing scam is an email pretending to be from a trusted person or organization, asking to verify personal information or send money. In a phishing attack:
- A fraudulent message (that appears to be legitimate) is sent to a target.
- The message requests that the target visit a fraudulent website (which also appears to be legitimate). Graphics, links, and websites look almost identical to the legitimate requests and websites they are trying to represent.
- The fraudulent website requests that the target provide sensitive information such as the account number and password.
Common phishing scams include the following features.
- A Rock Phish kit is a fake website that imitates a real website (such as banks, PayPal®, eBay®, and Amazon®). Phishing emails direct you to the fake website to enter account information. A single server can host multiple fake sites using multiple registered DNS names. These sites can be set up and taken down rapidly to avoid detection.
- A Nigerian scam, also known as a 419 scam, involves emails that request a small amount of money to help transfer funds from a foreign country. In return, the target is to receive a reward for a much larger amount of money that will be sent at a later date.
- In spear phishing, an attacker gathers information about individual targets, such as identifying each target's online bank. The attacker then sends phishing emails that appear to be from the target's bank.
- Whaling is another form of phishing that targets senior executives and high-profile individuals.
- Vishing is similar to phishing. Instead of an email, the attacker uses a phone call to gain sensitive information. The term is a combination of voice and phishing.
To protect against phishing:
- Check the link destination within emails to verify that the link is the correct URL, not a spoofed one.
- Do not click links in emails. Instead, type the valid URL into the browser.
- Verify that HTTPS is used on e-commerce sites. HTTPS requires a certificate (verified by a trusted CA) that matches the server name in the URL. You can also look for the lock icon to verify that HTTPS is used.
- Implement phishing protections within browsers.
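The first and third checks above (does the link really go where it claims, and is it HTTPS) can be automated over an email body before a user ever clicks. The following is an added example, not code from the original page; the HTML email body is constructed for illustration and the domain names in it are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: the visible text shows one domain, the href another.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://login.example-bank.com.evil.test/verify">https://www.example-bank.com/login</a>
<p>Or contact <a href="https://www.example-bank.com/help">support</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname (lowercased) of a URL or bare domain; None for plain words like 'support'."""
    if "://" not in text and "." not in text:
        return None
    if "://" not in text:
        text = "https://" + text
    return (urlparse(text).hostname or "").lower() or None

def check_links(html):
    """Return [(href, [reasons])] for links whose displayed host differs from the
    real host, or whose destination is not HTTPS."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            reasons.append(f"displayed host {shown} != link host {actual}")
        if urlparse(href).scheme != "https":
            reasons.append("link is not HTTPS")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Run `check_links(SAMPLE_EMAIL_HTML)` to see the spoofed link flagged for both reasons while the genuine support link passes.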
Pretexting - Pretexting is the use of a fictitious scenario to persuade someone to perform an action or give information for which the person is not authorized. Pretexting usually requires the attacker to perform research to create a believable scenario.
Caller ID spoofing - Caller ID spoofing causes the telephone network to display a number on the recipient's caller ID display that implies that a call is coming from a legitimate source.
Social Engineering Attack Methods
- Persuasive social engineering entails an attacker convincing a target to disclose restricted information or permit access.
- Reciprocity social engineering entails an attacker giving something of lesser or equal value in return for the target permitting access or disclosing information.
- Social validation entails an attacker using peer pressure to coerce a target to bend the rules or disclose information.
- Commitment social engineering entails convincing a target to buy into an overall idea, then demanding compliance or including specifics that were not presented up front.
- Scarcity social engineering entails an attacker presenting an item as a limited-time or scarce quantity offer to increase sales.
- Friendship social engineering entails an attacker using the premise of a friendship as a reason the target should take unauthorized actions that benefit the attacker.
- Authority social engineering entails an attacker either lying about having authority or high status in a company to force targets to perform actions or give information that exceeds the target's authorization level.
Social Engineering Prevention
The most effective countermeasure for social engineering is employee awareness training. Train employees on how to recognize social engineering schemes and how to respond appropriately. There are several countermeasures you should take.
- Train employees to:
  - Protect information by:
    - Securely disposing of sensitive documents, disks, and devices.
    - Protecting sensitive information on a computer from prying eyes.
    - Protecting sensitive information from prying ears.
  - Implement online security by:
    - Verifying the validity of websites.
    - Verifying that requests for privileged information are authorized.
    - Using bookmarked links instead of links in emails to go to websites.
    - Double-checking email information or instructions with a reputable third-party antivirus software vendor before implementing recommendations.
    - Never opening a suspicious email attachment.
Reporting Social Engineering and Phishing attempts
Let all callers know that if they receive any suspicious emails, they should not open them, should not click any links or enter any information (including account or payment information), and should forward the email to abuse@usfamily.net.