Building Awareness Of Social Engineering Threats

Posted October 20, 2020

It’s mid-day, you’re working diligently on your laptop enjoying your company’s new work-from-anywhere policy and your phone rings. You answer and the caller responds, “Hey, this is Rick from IT. It looks like you’re having some issues today?”

It could be that you did open a ticket with your IT group; or, maybe you didn’t and you assume Rick identified an issue you don’t know about through monitoring software. You could be one of many people in your organization Rick has called this morning using the same opening line as he searches for a victim. Rick is a cybercriminal targeting your company in his latest ransomware attack. All he needs is one trusting employee to follow his directions while believing he is part of the IT group and his ransomware will be installed. Rick will pretend to help fix an issue, install an update, run a test or any number of creative storylines to gain the network access needed for his ransomware. The ransomware will encrypt your company’s data. Rick will demand a large payment in exchange for freeing the data. He will likely succeed in getting paid. This is his job. It’s how he earns a living. And the majority of businesses find it quicker and easier to pay the attacker than try to recover on their own. Rick’s business is a growing success — for him.

Rick used psychological manipulation to release his malware on your corporate network. He didn’t need to breach a firewall and access the network from the outside. He leveraged trust through social engineering to have his virus welcomed into your network using your user permissions.

Social engineering is one of the largest attack threats to computer systems networks today. It is often far easier for an attacker to rely on simple human nature than attempt to gain access through a well-secured network. The attacks are very effective because human nature has us wanting to return a favor, being easily swayed by charisma, obeying authority or simply following the crowd. All of these can lead to the seemingly innocent divulging of personal information or granting of illicit access to a computer system. The attempts are prolific because they work. A 2003 report found that 90% of office workers gave up their passwords in exchange for a cheap pen. Kevin Mitnick, one of the most famous social engineering hackers, gained access to dozens of computer networks without ever using any attack software. His modus operandi was consistently to leverage offline tactics such as dumpster diving, pretexting and quid pro quo techniques just as in the earlier example with Rick.

Even if it would take more than a cheap pen for your employees to divulge information, how about a $1mm bribe for installing the malware themselves? This was recently the case at Tesla’s Gigafactory in Nevada. Fortunately for Tesla, the employee reported the attack instead of taking the bribe.

Today’s threat detection and response systems offer significant protection against such attacks. But as shown through a recent social engineering attack on Twitter, it’s difficult to protect against unauthorized access to admin accounts. In the Twitter attack, the hacker generated over $100,000 in a matter of hours.

Protecting your network from social engineering attacks can be difficult. Implementing threat detection and response to protect against zero-day threats and advanced malware is the first step. But user training such as how to spot phishing emails, not giving out personal information, and not clicking email attachments from unknown sources are great additions to a security mindset. We also believe that sharing the stories of recent hacks such as the Twitter, Garmin, and Tesla attacks as they happen can help to create a culture of security awareness. Ransomware is a real and growing threat. And its primary mode of access to networks is through social engineering. Spreading awareness can be one of your greatest security measures.

Kyle Vinar

Kyle Vinar is Partner / President of Verus Corporation. He oversees all business operations and coaches Verus teams to continually improve on their solutions from client experience to product development and overall solution implementation. He works with all Verus resources to increase efficiencies and excellence in every aspect of their organizational roles. Kyle believes that people are the last real competitive edge that a company can have and constructing a rich culture is a vital step in running a world-class organization. Therefore he strives to create a culture within Verus that allows everyone to show up authentically and grow both personally and professionally, which in turn allows Verus Corp team members to provide clients with top-of-the-line service. Kyle helps balance strategy, capacity, and culture in such a way that has allowed Verus Corp to achieve exponential growth since he joined the company in 2013. One of Kyle’s greatest professional achievements has been in helping lay the foundation upon which Verus Corporation could be named the 2nd Best Place to Work by the Minneapolis/St. Paul Business Journal. Kyle holds a Bachelor of Science in Marketing from St. Cloud State University. He lives in Champlin with his wife and 3 children. He has enjoyed volunteering as a soccer coach for over 6 years and was the former Director of Coaching for Rebels Soccer Club. If Kyle isn’t on the sidelines of one of his children’s soccer games or in the audience of his eldest’s musicals, he can often be found cruising scenic routes on his Harley, in a deer stand, or on the golf course.