This is the seventh and final episode in our series on cyber attacks. We have reviewed the methods most commonly used by criminals to trick information system users at work and at home.
The only one left to cover is social engineering, a method that seeks to win our trust in order to bypass security systems.
Most attacks begin with social engineering, as criminals try to make their pitch or email sufficiently plausible to fool victims into divulging the information they want. These methods are not new. The first recorded examples date back to around 1789, when Eugène François Vidocq, then head of Paris’s security forces, described this type of fraud, dubbing it the “Letters from Jerusalem” scam.
A typical social engineering attack comprises the following stages:
- Phase one is designed to lower the victim’s guard. The criminal might pose as a superior, someone from the company, a family member, friend, supplier or client. In recent examples, criminals have not applied pressure at this stage, asking for nothing at first.
- Phase two takes on a more urgent tone to unsettle the target. Reference is made back to phase one to ensure a reply, encourage prompt action and create the sense of a logical connection. (“Right – I got an email about that last week.”)
- Phase three provides a diversion/conclusion to distract the victim and supply reassurance, delaying discovery of the scam and ensuring that the victim does not sound the alert. The idea is to win a few hours. This may be a thank-you message saying that everything is in order or a message simply redirecting the user to the actual website of the organisation whose identity was stolen.
Social engineering can use any channel of communication, from paper to email, phone to instant messaging. Recent awareness-raising campaigns have begun to bear fruit, and fewer people are falling for some of the more obvious attempts to trick us out of money or our professional or personal data.
But criminals are adapting too, and their methods are gradually becoming more subtle and credible. Watch out for:
- a phone call from “IT support” to help you optimise your computer, troubleshoot, remove a virus, check a licence, etc.
- a phone call from “your bank” to review your bank situation.
- a phone call from a “supplier” to inform you that it is changing bank details for bill payment. The new details are for the criminal’s account, which will often be abroad. A fake bill arrives a few days later and refers to the previous message in order to put the accountant off guard.
- a phone call from a company “colleague” asking for a password to solve an urgent problem.
In the end, all these techniques are based on putting victims off their guard so that they can be persuaded to bypass security procedures. Be alert if:
- you are contacted by someone you do not usually deal with.
- someone you usually deal with uses an unusual channel, particularly if you receive an email from an outside system.
- you are told that the situation is urgent or the stakes are high.
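The three warning signs above, together with the supplier bank-detail change and the “refer back to phase one” trick described earlier, can be turned into a simple message-triage check. This is an added example, not part of the article; the internal mail domain, the list of known senders and the staff directory are assumed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumptions (not from the article): the organisation's own mail domain,
# the senders the user normally deals with, and a directory of staff names.
INTERNAL_DOMAINS = {"example.com"}
KNOWN_SENDERS = {"alice.martin@example.com", "billing@supplier.example"}
STAFF_NAMES = {"alice martin", "bob chen"}

# Phrases that carry the warning signs described in the article.
URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|today|asap|right away|without delay)\b", re.I)
BANK_CHANGE = re.compile(
    r"\b(?:new|changed|updated)\b.{0,40}\b(?:bank|iban|account)\b"
    r"|\b(?:bank|iban|account)\b.{0,40}\b(?:new|changed|updated)\b", re.I | re.S)
REFERS_BACK = re.compile(
    r"\bas (?:mentioned|discussed|agreed)\b|\b(?:previous|earlier|last) (?:e-?mail|message|call)\b", re.I)

@dataclass
class Mail:
    from_name: str   # display name shown to the user
    from_addr: str   # actual sender address
    body: str

def warning_signs(mail: Mail) -> List[str]:
    """Return the warning signs this message triggers (empty list = none)."""
    flags = []
    addr = mail.from_addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    if addr not in KNOWN_SENDERS:
        flags.append("sender you do not usually deal with")
    # A colleague's name on a message that arrives from an outside mail system
    if domain not in INTERNAL_DOMAINS and mail.from_name.strip().lower() in STAFF_NAMES:
        flags.append("known name via outside system")
    if URGENCY.search(mail.body):
        flags.append("urgency / high stakes")
    if BANK_CHANGE.search(mail.body):
        flags.append("change of bank details")
    if REFERS_BACK.search(mail.body):
        flags.append("refers back to an earlier message (phase two)")
    return flags

# Constructed sample messages (not real mail).
LEGIT = Mail("Alice Martin", "alice.martin@example.com",
             "Minutes from this morning's meeting are attached.")
SUPPLIER_SCAM = Mail("Alice Martin", "alice.martin@webmail.example",
                     "As discussed last week, our bank details have changed. "
                     "Please pay the attached invoice today to the new account.")

if __name__ == "__main__":
    for m in (LEGIT, SUPPLIER_SCAM):
        print(m.from_addr, "->", warning_signs(m) or "no warning signs")
```

A hit is a prompt to verify through a known channel, as the article advises, not proof of fraud; the keyword lists are deliberately small and should be tuned to the organisation's own vocabulary.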
Do not hesitate to:
- contact the company that supposedly issued the demand through standard channels and have someone you know confirm the initial request.
- ask your superior to look at any unusual request. If he or she is not available, talk to a colleague.
Last of all, always comply with the security and control procedures in place.