At a glance
So what is social engineering? Your systems are only as secure as your authorized users; social engineering is the exploitation of the psychological weaknesses of a user to gain information and access to facilities and systems as part of a malicious attack.
WCS is an expert at the testing of the “human factors” of cybersecurity; we evaluate your employee security awareness and technical protection mechanisms by simulating phishing attacks, checking configurations, and retraining employees if necessary.
WCS can also offer 24-hour protection for companies from phishing, pharming, and other impersonation-based attacks. The features of our services include:
- Fast detection and takedown of phishing websites and chat messages.
- Takedown of fraudulent Google ads and fake social media accounts.
- Reconnaissance activities to research the target company.
- Email phishing testing.
- Vishing (voice phishing) other methods, if needed.
According to the Verizon Data Breach Investigation Report (DBIR, 2017), 43% of the documented breaches involved social engineering attacks. That makes up almost half of the attacks, and it is important to remember that the report only includes reported/documented breaches. Notably, 66% of malware came from malicious email attachments.
Social engineering combines a broad range of malicious techniques, common types of social engineering attacks include:
- Targeted Phishing.
- Watering Holes
Phishing attacks are where a user receives a message by electronic means, such as email, social media, instant messaging, or SMS text. The purpose of the message is to trick the user into disclosing information, clicking a link to a malicious website or opening a file containing malicious code. Phishing attacks are most effective when the user believes the message comes from a trusted source such as a client, a colleague, or a friend.
The key to recognizing a potential phishing message is to look for a call to action, wording designed to rush the receiver into taking action as a result of a false sense of urgency.
While anti-malware products are good at catching malicious content, user awareness and training are needed to stop attacks in their tracks.
There are variants of phishing attacks that are specifically targeted at individuals. Known as whaling and spear phishing, the attackers know what information they are after and which individuals have it. This targeted approach allows the phishing messages to be more intricately crafted to achieve a better chance of a successful attack.
A watering hole attack involves attacking a legitimate website to place malicious code onto that website so that visitors to the site unwittingly download the code and open themselves up to a targeted attack. A common technique is to compromise adverts that appear on reputable websites and use these adverts as the attack vector. The theory being that the advertising distribution companies will most likely be easier to attack than the companies who display their adverts.
The success of watering hole attacks is that the compromised sites are unaware that they are being used to deliver the malicious code while the visitors to the websites believe they are a trusted site.
Pretexting attacks rely on users revealing information to someone that they consider they can trust but, in fact, is a malicious attacker using a fake but believable identity. An example is a payroll clerk receiving instructions from a senior executive to transfer funds. Pretexting attacks are most successful when the attacker assumes the identity of a real-life person who would legitimately request such actions, but who the user is not able to check if the request is genuine.
Baiting attacks operate by offering the user something that the user needs or wants, be that a gift, a software upgrade, or valuable information. The bait will include a link to a malicious website or a file containing malicious code.
Baiting attacks can be targeted, such as an email to a user with a link to a website that purports to be a voucher for a free product. Alternatively, it can be opportunistic such as a USB drive labeled “Secret – Company Payroll” that is left in a location where it will be found.