What is Social Engineering and Why Should I Care?

Hacker silhouette on a red background with social engineering terms interconnected

What is Social Engineering?

Have you ever heard the term Social Engineering and thought to yourself that they did not have that as a degree choice when you were in college?  You may find it in today’s university curriculum, but it would be offered as a course in an information security program, not an engineering one.  In this post we examine what social engineering is.  I also discuss how it is increasingly used by bad actors to commit cyber fraud. 

The “art” behind Social Engineering? 

Social Engineering is more of an art than a science.  It is a hacker's ability to manipulate, influence or otherwise deceive you and those connected to you.  The hacker does this to gain control over your computer system and ultimately your data.  The hacker may use the phone, email, snail mail, direct contact or a combination of all these methods to gain access to your data. 

Three prevalent examples of social engineering tactics are phishing, spear phishing, and CEO Fraud.  These are the methods hackers use to gain additional information or socially engineer their way closer to your data, ultimately causing harm to you or the company you work for.  In most cases this is financial harm, the impact of which cyber insurance can help mitigate.  Unfortunately, the reputational damage to your company takes time to repair.  In some cases the harm is so great that the company is forced to go out of business. 

Phishing?  Isn’t it spelled fishing? 

No, this is not the fishing you do along a country pond or lake, or with a group of friends on a deep-sea fishing trip.  Phishing is one of the methods hackers use to acquire sensitive information.  The information they are after is typically usernames, passwords, and financial information such as credit card or bank account details.  Security training firm KnowBe4 calls phishing a form of criminally fraudulent social engineering. 

There are many ways hackers come across this information.  In a previous post I discussed one increasingly popular way: the hacker leverages data found on the dark web.  A lot of that data comes from data breaches, combined with the fact that, in many cases, people use the same username and password on many of the websites they use. 

Ask yourself – is your password the same for your bank account?  What about your 401k account?  Your insurance policy or savings account?  If the answer is yes – go change them now and make each one different and complex.  Better yet, if your financial institution offers it, use multi-factor authentication to further protect yourself. 

Targeted Phishing Campaigns 

When the hacker is looking to gain additional information, they typically turn to spear phishing attacks.  These attacks purport to be from a trusted source and, when combined with other socially engineered data, can often appear quite legitimate.  The bad actors know that we have been trained to spot grammar-related issues, so the email attacks are usually well written and it is very difficult to discern whether the email is a spear phishing campaign or is legitimate. 

Even if you click on a link in one of these emails and then learn that the email was a spear phishing attempt, the damage may already have been done.  In many cases a keylogger or some other nefarious software may have been placed on your computer to capture your keystrokes and send them back to the hacker.  These programs are becoming harder to detect with traditional anti-virus solutions.  A combination of more advanced solutions and security awareness training is needed to mitigate this attack vector. 

The C-Suite is under cyber-attack 

According to the United States FBI Internet Crime Complaint Center (IC3), as of 2019 CEO Fraud is now a $26 billion scam.  CEO Fraud is often referred to as business email compromise, or BEC for short.  These scams involve cybercriminals who attempt to spoof various company email accounts and impersonate executives.  How are they able to pull off this impersonation?  You guessed it: by leveraging social engineering tactics to gain enough credible information to pull off the attack. 

These attacks usually involve sending an email to employees in the Accounting, Finance, or HR department.  Common outcomes are unauthorized wire transfers or the release of sensitive employee payroll or tax information.  The unsuspecting employee rationalizes the email as legitimate and takes the requested action, often without verifying the email until it is too late. 
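The warning signs described in this section (an executive's name on an address outside the company, a Reply-To that points somewhere else, a lookalike domain, and pressure to act fast on a wire request) can be checked mechanically before a message ever reaches the Finance inbox. The following Python triage check is an added example written for this post, not the author's code or any product's; the domain `example.com`, the executive list, the keyword list and the two sample messages are all constructed for illustration.

```python
"""Triage check for executive-impersonation (BEC) email.

Added example, not from the original post. Everything below that names a
company, a person or a message is a constructed assumption.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption: our own domain
EXECUTIVES = {"jane doe", "john smith"}             # assumption: protected names
PRESSURE_WORDS = ("urgent", "wire", "confidential", "secret", "today")
LOOKALIKE_THRESHOLD = 0.8                           # similarity ratio, 0..1


def _domain(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _norm_name(name: str) -> str:
    """Normalise a display name so 'Doe, Jane' and 'jane doe' compare equal."""
    parts = name.lower().replace(",", " ").split()
    return " ".join(sorted(parts))


# Pre-sorted executive names so ordering of first/last name does not matter.
_EXEC_KEYS = {_norm_name(n) for n in EXECUTIVES}


def bec_findings(raw_message: str) -> list[str]:
    """Return the list of BEC indicators found in an RFC 822 style message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    findings: list[str] = []

    # 1. Executive's name shown, but the real address is not ours.
    if _norm_name(display) in _EXEC_KEYS and from_dom != COMPANY_DOMAIN:
        findings.append(f"display-name impersonation: '{display}' from {from_dom}")

    # 2. Replies would go to a different domain than the one shown in From.
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"reply-to mismatch: {_domain(reply_to)} vs {from_dom}")

    # 3. Sender domain is not ours but looks almost like it (e.g. 1 for l).
    if from_dom and from_dom != COMPANY_DOMAIN:
        ratio = SequenceMatcher(None, from_dom, COMPANY_DOMAIN).ratio()
        if ratio >= LOOKALIKE_THRESHOLD:
            findings.append(f"lookalike domain: {from_dom} ({ratio:.2f})")

    # 4. Pressure language in subject or body, the classic 'swift action' cue.
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    return findings


def is_suspicious(raw_message: str) -> bool:
    """True when any indicator fires; a human should verify out of band."""
    return bool(bec_findings(raw_message))


# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <ceo.jane@mailbox.example.net>
To: controller@example.com
Subject: Urgent wire transfer - confidential

Please process the wire today.
"""

LEGITIMATE = """\
From: "Jane Doe" <jane.doe@example.com>
To: controller@example.com
Subject: Q3 budget review

Attached are the numbers for Thursday.
"""

if __name__ == "__main__":
    for label, m in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, "->", bec_findings(m) or "no indicators")
```

A hit does not prove fraud; it means the request should be confirmed through a channel the email did not supply, such as a phone number already on file. The keyword list and the 0.8 similarity threshold are starting points to tune against your own mail flow.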

Examples of CEO Fraud 

Mattel 

One example is Mattel Corporation, the US-based toy maker, which in 2016 learned that an employee had wired a $3 million payment to a manufacturer in China, only to find out later that the CEO never sent the email instructing the employee to do so.  Mattel was able to recover the money, but not without a great deal of time and expense. 

Scoular Corporation 

Scoular, an Omaha, Nebraska based commodities trading firm, lost just over $17m to a similar scam in June of 2014.  The controller of the 124-year-old US grain-trading and storage company received an email from the CEO instructing him to wire the funds to close a very secretive deal in China.  The email even stated that the individual would be shown the CEO’s appreciation “very shortly”, but that swift action was required. 

Once the FBI tracked the money down, they discovered it had been wired to an account based in China.  The funds were subsequently wired somewhere else and the account closed.  The investigation also led the FBI to discover that the fake email originated from Germany and that the domain was hosted on a server in Russia.  This chain highlights the difficulty of ultimately tracking down the source, and how rarely global law enforcement agencies succeed in recovering any of the stolen funds. 

So, What Do I do? 

The purpose of this post is to highlight that the methods and approaches cybercriminals use have been around for some time, but they are becoming increasingly complex and polished.  Over the last several years many of these attacks have originated outside of the United States, which makes tracking down and recovering any stolen funds very difficult.  Furthermore, criminal prosecution is even more difficult. 

Prevention is the first step 

We spend a great deal of time explaining to our clients the various cyber security risks that are present and how they can best go about mitigating those risks.  We believe that the mitigation plan is a combination of tools and technology to protect the environment, but an even bigger component is on-going security awareness training.  Since the attack vectors are continually changing and maturing, ongoing security awareness training is critical to reducing the success rate of such attacks.  When it comes to social engineering, it is not usually a technology issue but one that stems from human behavior. 

Keeping abreast of how cybercriminals work and how they exploit personal information is an important habit to get into.  Furthermore, if you are in a role where you have access to employees' personal information, or are in an accounting or finance role, it is very important to keep your cyber hygiene habits polished and fresh.  Attackers go for the low-hanging fruit, which is us humans, so we must stay vigilant and cyber aware.