
Social Engineering Serious Threat

What Is Social Engineering?


Social engineering comes in many forms. The one most often talked about is phishing, but it gets far more intricate than that. We all know about the hackers who use technical skill to break into a victim's computer and steal sensitive data.

There is another type of cybercriminal, however, who undermines a victim's defenses without exploiting a single piece of software. They're called social engineers, and they go after the weakest link in every industry: human beings. They use social media, phone calls and email to trick people into willingly handing over valuable information.

You may have heard of people getting calls offering credit card deals or one-time promotions. The caller claims to represent this or that company and asks the target to confirm their credit card details. That is social engineering.

In this article, we’ll focus on the most common types of social engineering attacks used to target victims into divulging information.

Scareware

Scareware floods victims with fake alerts and threatening notifications. Users are made to believe their computers are already infected, which pushes them to download a "cleaner" that is itself the malware. Other names for scareware include deception software and fraudware.

Many of you have probably encountered scareware at some point. It shows up as a banner ad or pop-up warning that your computer is infected. The pop-up offers to install a scanner for you, and the download link leads to a site that delivers the real infection.

It also spreads through spam email, so be wary of the messages you open.

Worm Attacks

In the past, worm attacks used the same lure as scareware: draw the user's attention to a malicious link or file. Worms were at their height in the late 1990s and early 2000s, but it's still worth understanding why they were so successful.

In 2000, the "ILOVEYOU" worm spread as an email attachment and infected tens of millions of Windows computers worldwide. It started in the Philippines and spread west through corporate email systems, causing an estimated 5.5 to 8.7 billion dollars in damages.

Victims received an email inviting them to open a love letter. The attachment was a Visual Basic script named LOVE-LETTER-FOR-YOU.TXT.vbs; because Windows hid the final extension by default, it looked like a harmless text file. When a victim opened it, the worm mailed a copy of itself to every contact in the victim's Outlook address book. Notice that social engineering is about manipulating human emotion to gain an advantage over someone and their information.

Malicious links and attachments, as mentioned above, carry provocative wording or graphics that compel you to open them. The lure works on the person rather than on the mail filter: a file the user chooses to run executes with that user's privileges whether or not a scanner flagged it.
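The ILOVEYOU trick above relied on how a filename is displayed rather than on any software flaw. The following is an added example (not code from the original post or from Nerds Support) that checks an attachment name for the disguises still used today: a document extension followed by an executable one, a Unicode right-to-left override that visually reverses the end of the name, and a run of spaces that pushes the real extension out of view. The extension lists and the sample filenames are assumptions chosen for illustration; only LOVE-LETTER-FOR-YOU.TXT.vbs is the real worm's filename.

```python
import re
from typing import List

# Assumed list of extensions Windows executes directly or hands to a script host.
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                  "js", "jse", "wsf", "wsh", "hta", "ps1", "lnk", "msi", "jar"}
# Assumed list of extensions a user expects to be harmless documents or media.
DOCUMENT_EXT = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg",
                "png", "gif", "mp3"}
# Unicode bidirectional controls that visually reorder the text after them.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}


def shown_with_hidden_extension(filename: str) -> str:
    """What Explorer shows with 'hide extensions for known file types' on:
    the final extension is dropped, so 'x.TXT.vbs' is displayed as 'x.TXT'."""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXT | DOCUMENT_EXT:
        return base
    return filename


def attachment_risk(filename: str) -> List[str]:
    """Return the reasons an attachment name looks like a disguised executable
    (empty list means nothing suspicious about the name itself)."""
    reasons = []
    name = filename.strip()
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidirectional control character reverses part of the name")
        # Strip the controls so the checks below see the name as the OS does.
        name = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    exts = [e.strip() for e in name.lower().split(".")[1:]]
    if not exts:
        return reasons
    real = exts[-1]
    if real in EXECUTABLE_EXT:
        reasons.append("final extension .%s is executable" % real)
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
            reasons.append("double extension .%s.%s shows as .%s when extensions are hidden"
                           % (exts[-2], real, exts[-2]))
    if re.search(r" {5,}\.[a-z0-9]+$", name, re.I):
        reasons.append("run of spaces pushes the final extension out of view")
    return reasons


if __name__ == "__main__":
    # Constructed sample names; the first is the real ILOVEYOU attachment name.
    for sample in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "report.pdf",
                   "invoice\u202efdp.exe", "photo.jpg" + " " * 30 + ".exe"):
        print(repr(shown_with_hidden_extension(sample)), attachment_risk(sample))
```

A mail gateway would run a check like this on every attachment and quarantine anything with a non-empty result; it catches the disguise, not the payload, so it complements rather than replaces scanning.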

Baiting

Baiting is exactly what it sounds like: baiting the victim by appealing to greed or personal interest. It is particularly insidious because it often discourages the victim from reporting the attack. An unsuspecting user receives an email offering fake deals and shortcuts, such as free internet access or other benefits they know they should not be taking.

When the attachment or link is opened, the trojan it carries compromises the computer, encrypts its files or spreads further through the network.

The victim will most likely be too embarrassed to disclose why they opened the email in the first place, so it goes unreported.

A good example of this technique: a trojan was sent to employees' corporate email addresses disguised as material from a recruitment website. The criminals counted on employees being reluctant to tell their employer they had been infected while looking for another job.

This type of attack isn't limited to email, either. Criminals have also used USB drives loaded with malware. The drives are left lying around, and all it takes is one person curious enough to plug one into a work machine.

Pretexting

Pretexting is a social engineering technique that uses carefully constructed lies to obtain information. It is usually done over the phone rather than online. The attacker poses as an important figure, perhaps the CEO of an IT company or a vendor, and uses that role as the pretext for extracting the desired information from the victim.

This also requires the social engineer to build rapport with the victim through the impersonation. The impostor asks the target a series of questions as an authority figure, lulling the victim into a false sense of security.

The key to pretexting is manufacturing a scenario the social engineer can use to engage the victim. A famous case dates to the early 1970s, when Jerry N. Schneider used old invoices and manuals scavenged from the trash to start a profitable business. He got the invoices by going through Pacific Telephone and Telegraph's dumpsters. He then used that information to order new telephone equipment while posing as a high-ranking member of the company, and sold it back to PTT through his own company.

Phishing

Phishing is the most common type of social engineering scheme. The attacker creates a fake version of a well-known company's website and sends the link to targets through email or social media. The reason it sits so low on this list is that it has been discussed at length in other blogs.

Vishing

As we've discussed, social engineers don't always use the internet to gather information. Vishing (voice phishing) uses an Interactive Voice Response (IVR) system to trick the target. The attacker attaches the IVR to a toll-free number, tricks people into calling it and has the system prompt them to enter their information.

Tailgating

Tailgating is when a person follows an authorized person into a restricted area where some form of identification is required to get through.

This is much harder at facilities whose entrances require each person to badge or scan in individually, biometric scanners being one example.

What tends to happen is that the social engineer impersonates a delivery driver and, as an employee is entering the building, quickly asks the employee to hold the door so they can get through. This occurs more often in smaller businesses with comparatively lax physical security.

Quid Pro Quo

Quid pro quo attacks offer a benefit in exchange for information. The most common form involves impostors pretending to be IT service providers and cold-calling as many members of a company as they can. They offer their IT expertise to every target and ask the victim to disable their antivirus program in order to "fix" whatever issue is present at the time.

 


Preventing Social Engineering Attacks

Now that we’ve discussed the types of social engineering techniques, you might be wondering how to defend against these types of attacks. If you’ve made it this far then congratulations you’ve taken the first step, which is knowing about them.

With the emergence of smartphones, which put powerful computers in the hands of so many people, information is very easy to come by. Unlike in Mr. Schneider's day, you don't have to dig through company dumpsters to reach valuable data.

You, your company, employers and employees need to be more conscientious about what is posted online, whether on a website, a social media page or in email.

To keep your devices and accounts safe, use strong passwords and two-factor authentication. Invest in IT and take the necessary measures: anti-virus software, firewalls and the like.

This is by no means a comprehensive overview of all types of social engineering, some are more detailed in nature and varied in scope. Tactics are changing with technology and cyber attacks are becoming more and more laser focused on specific targets. Instead of going for a large pool of potential targets, the social engineers and cyber criminals will go for one or two individuals. They gather such specific information that distinguishing a phishing scam from a legitimate email is getting harder and harder.

Getting help from an IT service provider you can trust might mitigate the risks of falling for any one of these tricks.

For more information on phishing and other social engineering tactics, visit our website or call us for more information.

 

 


Spear Phishing

What is spear phishing?

Spear phishing is an email scam targeting a specific individual, business or organization. It's like a standard phishing scam except the emails are personalized for one group or person.

Cyber criminals use these attacks to get at confidential data, which they then sell on to governments and private organizations.

They use individualized social engineering to give the email a sense of legitimacy. The objective is to get someone at a company or government agency to open a malicious link or visit a malware-laden website.

At that point the criminals can steal the data they are after or use the foothold to do serious damage to the target's network.

Spear Phishing Could Cost Millions

The city of Naples, Florida lost $700,000 in a spear phishing attack on Monday, August 5, 2019.

The money was sent to a fake bank account provided by an attacker posing as a Wright Construction Group representative contracted to work on an infrastructure project in downtown Naples, according to one of their news releases.

The city manager Charles Chapman said the cyber attack was an isolated incident and did not affect their data systems.

Other cities throughout Florida were also targeted in cyber attacks.

How Spear Phishing Works

Phishing and social engineering in general are an increasingly popular method of attack for cyber criminals, but spear phishing is particularly difficult to detect because the messages are designed to look legitimate and safe. It's the same with counterfeit bills: the better the counterfeit, the harder it is to recognize as fake.

In a spear phishing attack, the attacker gathers specific information about the victim to create a sense of trust, as the criminal in Naples did by using the contract between the city and Wright Construction Group. Attackers usually acquire this information through internet research, a previous phishing attempt, a hacked account inside the organization or social media.

Typical phishing attempts ask you to give up some personal information. Sometimes the attacker asks for a phone number, other times a credit card or bank account number. Spear phishing follows the same strategy, only more specifically. You might be manipulated into clicking a link that downloads malware, or led to a site that asks for a password or a social security number.

Whaling

There is a form of spear phishing called "whaling" that goes after, or impersonates, the biggest fish in an organization. The classic version is an email that appears to come from a company executive and asks an employee to wire money to an account the attacker controls. The Naples attack is a variation: instead of posing as an executive of Wright Construction Group to target one of its employees, the criminal posed as a representative of the company to target one of its clients.

Like phishing, a successful whaling attempt involves manipulating someone with a high profile or reputation. The intention can vary, but it's usually about money. That could mean initiating a wire transfer, as in the Naples case, or installing malware that infects company servers and steals sensitive data.

Targets of whaling are executives, department heads and spokespeople. These people have more information available to the public than other targets do; importance within a company or industry puts a person in the public eye. That limits the pool of targets, but it also raises the reward.

Threats to Businesses

Because of what we’ve mentioned above, spear phishing is not only among the most common types of cyber-attacks, but probably the most dangerous. Most phishing attacks try to cast a wide net, hoping that a handful of email recipients unknowingly give them access to their business and data. All it takes is one person to click and the entire enterprise is at the mercy of a cyber criminal.

Phishing Email Statistics

The Naples example coupled with these statistics shows how effective phishing scams are. It's important to be aware of how damaging one of these attacks can be and to prepare your business against them.

Red Flags of Phishing

The important thing is to avoid clicking on anything until you know with certainty what it is and who it's from. If someone you know shares a link or a document with you and it's out of the ordinary, that's a sign it may be malicious.

If the sender address is strange, with too many numbers or letters, it's probably a phishing scam. Another giveaway is the wording of the email.

Here's an example. Let's say you live in the US and you receive an email from your boss, who also lives in the US and was raised there. If the email says something like, "Hey, I need you to run some errands for me this afternoon. Send me your mobile," that's a tell: "mobile" is common in the UK, not in the US, and could indicate a fake email. Attackers often overlook these small but telling details.

This requires a bit of deduction on your part, but if you're familiar with the person who supposedly sent the email, use that familiarity to catch anything abnormal in their word choice. A little research goes a long way as well. If you receive an email from a company, look the company up and contact it through a number or address you find yourself, not one in the email. If things don't check out, report the message through your email provider, such as Google or Outlook.

When you have identified an email as a phishing scam, alert everyone in your department. Raise awareness with as many people as you can. This puts people on high alert and makes it less likely they fall for the same trick.
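Several of the red flags above can be checked mechanically before a human ever reads the message. The following is an added example (not code from the original post or from Nerds Support) that parses a raw email with Python's standard library and reports three of them: a sender domain that is a near-miss of a domain you trust, a Reply-To that quietly redirects replies elsewhere, and a link whose visible text names one host while the href points at another. The trusted-domain list, the two sample messages and the domains in them (all under the reserved .example and .invalid names) are constructed for this illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List, Set
from urllib.parse import urlparse

# Assumed: the domains this organisation actually does business with.
TRUSTED = {"bigbank.example"}

# Constructed phishing sample: lookalike sender, diverted replies, mismatched link.
SAMPLE_PHISH = """\
From: "Big Bank Support" <support@b1gbank.example>
Reply-To: refunds@relay.invalid
To: ap@contoso.example
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<p>We noticed unusual activity on your account.</p>
<p><a href="http://b1gbank.example/login">https://www.bigbank.example/login</a></p>
"""

# Constructed legitimate sample for comparison.
SAMPLE_CLEAN = """\
From: "Big Bank Support" <support@bigbank.example>
To: ap@contoso.example
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<p><a href="https://www.bigbank.example/statements">https://www.bigbank.example/statements</a></p>
"""

LINK_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def domain_of(header_value) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value between domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(text: str) -> str:
    """Hostname of a URL or bare domain, lower-cased, with a leading 'www.' dropped."""
    candidate = text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", candidate, re.I):
        candidate = "http://" + candidate
    host = (urlparse(candidate).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def red_flags(raw: str, trusted: Set[str]) -> List[str]:
    """Return human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # 1. Sender domain is close to, but not the same as, one we trust.
    for t in sorted(trusted):
        if from_dom != t and edit_distance(from_dom, t) <= 2:
            flags.append("lookalike sender domain %r resembles %r" % (from_dom, t))
    # 2. Replies are silently routed to a different domain.
    if reply_dom and reply_dom != from_dom:
        flags.append("Reply-To domain %r differs from From domain %r" % (reply_dom, from_dom))
    # 3. Link text shows one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in LINK_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if URL_LIKE.match(shown) and host_of(shown) != host_of(href):
            flags.append("link text shows %r but points to %r" % (host_of(shown), host_of(href)))
    return flags


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, red_flags(sample, TRUSTED))
```

None of these checks proves an email is malicious on its own, and a skilled spear phisher can avoid all three, so the result is a reason to pick up the phone and verify, not a verdict.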

Protect Yourself

Phishing, and spear phishing specifically, might be difficult to spot, but that doesn't mean you're helpless against it.

Training employees and raising awareness is the first line of defense against phishing attacks. And with spear phishing becoming more selective, training should extend to clients, vendors and upper management.

Training

As we saw with the Naples attack, cyber-attacks are becoming more ingenious and varied. The city of Naples was a client of a construction company, and rather than target the company, the attackers targeted the more vulnerable client. While employees may be protected by measures put in place by internal IT or a cloud provider, clients might not have those same advantages.

There needs to be a comprehensive training curriculum that reaches as many people within an industry as possible. Whether it's the clients of a financial firm or the firm itself, there's no telling whom an attacker will target.

Mock tests

Simulating a phishing attack is a helpful way to assess how employees behave under those circumstances. It also helps gauge how aware your employees are of phishing attempts.

Spam filters

Once upon a time, spam was just an annoying inconvenience that at worst lowered productivity. Now it is a useful tool for attackers to reach potential victims. Luckily, most spam filters work, and most companies have one.

Social media

Be aware of the kinds of information shared on social media. Useful details like birthdays and favorite activities are easy to find in today's social media culture. Upcoming events can also be used to make spear phishing emails seem more legitimate, so be wary of any strange requests in your inbox during a big conference or networking event.

The Cloud

Cloud service providers often provide protection that helps prevent a successful spear phishing attack. Nerds Support, for example, advises all its partners to forward any suspicious email they receive so it can be analyzed and verified as safe to open. It is a simple practice that goes a long way toward safeguarding against these attacks.

If an organization moves to the cloud, phishing risk must also be considered. If your company uses a public cloud, you reach all of your applications over the internet. Credential phishing pays off most when a stolen password alone grants access to an application reachable from anywhere, which is the standard arrangement for a public cloud.

Private cloud hosted apps, like Nerds Support's, have the added protection of a VPN (Virtual Private Network). A VPN simply lets you establish a secure connection to another network over the internet. However, an attacker can still try to find the URL of a cloud service, and that lets them run targeted phishing attacks against the company's employees.

Two-Factor Authentication

One of the best ways to fight phishing is two-factor authentication. When you log in, the app or site also requires confirmation through another device or a one-time code. People usually see this with social media: Instagram and Facebook sometimes ask you to enter a code sent to your phone or email. If a user inside a company is phished, the attacker can't reuse the stolen password later, because the second factor changes constantly. One caveat: a phishing page that forwards the username, password and code to the real site in real time can still get in during that short window, so for the most sensitive accounts prefer factors bound to the legitimate site, such as FIDO2 security keys, over codes a user can be talked into typing.

Not every cloud service turns two-factor authentication on by default, and not all of them offer it. Nerds Support includes this feature when you adopt its cloud system. Dropbox is another cloud-based hosting service that offers two-factor authentication.

We’re here to help

At the end of the day, it's about adopting a culture of verification and caution. Nothing is sacred to cyber attackers. They will exploit personal information that appeals to your emotions, or use a recent tragedy in the news to increase the chances that you "donate" to their cause.

Calling and investigating the sender before replying, double checking with colleagues, making sure that no one is isolated or left out of the loop are all things that make a huge difference.

Hopefully you’ve learned enough to recognize a potential spear phishing attempt so that Naples story doesn’t turn into your own.

To learn more about cyber attacks, phishing and social engineering visit the Nerds Support website or feel free to call and we’ll be happy to answer any questions. Also, check out our video on tips against phishing right here.

If you need any help making your company  safer, feel free to fill out the form here or call us at 305-551-2009.


Why Cloud Security is Better for Your Business

In May 2017, a massive worldwide ransomware attack known as WannaCry hit computers running Microsoft Windows. Organizations that had not installed the Microsoft security update released two months earlier (MS17-010) were the ones affected.

If you're reading this thinking, "That'll never happen to me or my business," you're not alone, but you're likely to be wrong. Malware attacks are becoming more frequent. According to Cyber Defense Magazine, 85% of all attachments emailed daily are harmful, and the same magazine puts the expected cost of online crime at $6 trillion by 2021. Moving your IT to the cloud may seem laborious and intimidating, but it's the best thing you can do in today's era of tech dependence. Your business has the best chance at growth and security with the cloud.

Here are a few reasons why:

1. You are not an IT security expert

You're running a business; there's no way you should be expected to keep up with all the new IT security threats that appear on a seemingly daily basis. Cloud service providers like Nerds Support, however, have both the resources and the expertise to keep up with new threats. They see a huge range of vulnerabilities and attacks because they protect many businesses every day.

Nerds Support works exclusively on IT matters, giving you periodic updates and staying vigilant for any discrepancies or anomalies within your systems. This means they can spot systemic issues that may affect your business long before you can.

2. You can’t stay focused on IT Security around the clock

To keep your business secure, you need to monitor and manage your IT security at all times. That requires significant resources and budget. Nerds Support's team monitors, manages and responds 24/7, ready to protect your business from criminal hackers and malware.

Your data is encrypted when you move to a cloud-based infrastructure, both in transit and in storage, so that even if it is somehow accessed or copied by a malicious third party it is unreadable without the keys. With the cloud you're always protected by advanced levels of security.

3. You probably don't have a "Business Continuity Plan"

Protecting your data from a cyber-attack is just one way the cloud can be of great value to a business owner. Another frequent issue you have to be aware of is network downtime. If your IT is on-premises, the resilience of your network is only as good as the robustness of your server: if it is compromised, damaged or destroyed, your system goes down.

Cloud service providers like Nerds Support don't rely on a single server. They have a host of backup systems both on and off site, all protected by the most robust network and security available. If a server goes down, the load is switched to another server and your business continues uninterrupted. It also gives you the flexibility to virtualize your IT infrastructure in the cloud: you can run multiple copies of your applications, files and even desktops, with the originals stored in a separate, secure location.

Learn more about the cloud here


 


Five Common Social Engineering Tactics

There is no denying that the internet has become an amazing extension of our world. But with such recent advances, people can now do more good, or bad, than ever before. Unfortunately, some people have chosen to do harm, and they are quickly learning how to take over companies through the internet. These social hackers are different from your average hacker. While average hackers tend to take company information through malware, these hackers use their charm and investigation skills to get company information from employees. These techniques are all part of a broader category of attack known as social engineering.

Social engineering is the practice of gathering company information from the internet and using it to manipulate employees into providing more company information, which is then used for fraudulent purposes. In this blog, our Business Technology Solutions team will talk about the five most common practices social engineers use.

Phishing

The idea here is to obtain information by trying to seem legitimate and creating fake sites that are clones of legitimate sites to retrieve passwords and other personal information. The social hackers use these methods for emails and social media as well. Some social engineers have multiple Facebook and LinkedIn accounts, all of which claim different identities. With these multiple identities, social engineers look through company and employee profiles in order to learn more information about you. They take the information that they know about you and use it to manipulate you into trusting them.

Pretexting

This system works by creating a sense of trust between the victim and the attacker in order to gain access to valuable company information. Social engineering attacks usually start over the phone, after the social engineer usually has found your social media and learned more about you. The social engineer begins to interact with the people on the front lines (such as the receptionist or the sales team). The social engineer uses the information they found online to their advantage. As they talk to the employee, they gain the employee’s trust so they can later use it to get to company information.

Baiting

Baiting is a technique that tricks people into giving company information. The most common way that a social engineer can do this is by creating an email that mirrors a typical company email and asking for something valuable, such as credit card information or a wire transfer. They can also pose as someone from a different company and use regular email phishing techniques to give your computer a virus. With this method, they can access your company information faster.

Quid Pro Quo

This social engineering technique is all about creating the sense that both you and the person contacting you will benefit from the interaction. It lets the attacker hide under the guise of a company that they could very easily have made up. The social hacker can use that disguise either to ask you for company information directly or to get inside the building.

Tailgating

Tailgating is the practice of following someone into a protected facility. The social hackers do this so that they may enter a protected facility without needing to show any form of identification. Someone can have more chances of tailgating if they start a conversation with a company employee while they are entering the building. The best way to avoid tailgating altogether is to make sure that company security verifies the identity of everyone who walks into the company facility, with no exceptions.

Protect Your Company With Business IT Support in Miami

The best way to protect your company from social engineers is to educate your employees about keeping company information safe. However, the best way to keep your company safe is to hire a knowledgeable & experienced IT Support team, like Nerds Support. Our IT Support Miami team has made strides in helping companies across South Florida stay secure. If you need any help making your company  safer, feel free to fill out the form here or call us at 305-551-2009.


What is Social Engineering and why Miami Hackers Depend on It?

Are you trying to protect your Miami business from any data leaks or other potential issues? Then the best thing you can do is to understand what social engineering is and how hackers can use it to manipulate your business. Among others, this trick is used successfully by thousands of hackers all over the world. If your company security is weak, you may be very likely to fall victim to an inside cyberattack. So, let’s find out what is social engineering and how business IT solutions can help you deal with it!

What is Social Engineering?

Social engineering is the art of manipulating people into giving up confidential information. It does not always come from outside: it can also be performed by a rogue employee. These insiders try to get access to personal accounts, bank accounts, passwords and so on, and they can secretly install malicious software to collect that information without anyone's consent.

Obviously, you want to deal with this type of problem as fast as you can. What you can do is assess the situation, identify any malware or unwanted software installed on your company computers, and so on. And, of course, avoid disclosing any important information to anyone, regardless of who they are or who they say they are. In the meantime, you can also rely on IT Support Services to keep your clients happy while you deal with the attacker.

Verify

One of the best methods to deal with such a problem is to see whether the people you hired are who they say they are. You will note that some con artists end up creating fake IDs to get hired into a company like yours and steal data. That’s why it can be a very good idea to verify the identity and previous history of your hires. That will make the process easier and less problematic as well! Or you can opt for the best Business IT Solutions to deal with such issues!

Visitors

Your company is going to receive visitors from time to time. If you want to avoid social engineering, you need to put security policies in place that prevent them from accessing relevant data. On top of that, it's important to research visitors and verify their credentials, just to be safe. Listen carefully to what they ask for, and while they are there, don't leave them unattended.

Rogue Employees

What are rogue employees? These are employees that are set to undermine the organization which hired them in the first place. These rogue employees will either fail to comply with business policies and rules, or they will break the rules and share company secrets with third parties to get a profit! You do need proper IT Services Miami to eliminate any type of risks like this, and the results can be more than impressive in the end!

Report suspicious activity in Miami Businesses

If you see any suspicious activity, it’s crucial to report that right away. Tell your boss or any authority in the company. Even if they don’t believe you at first (you should have evidence), this will open up an investigation at the very least.

Conclusion

Nerds Support is here to provide you with a stellar way of combating social engineering. We have the private servers and tight security measures you need to protect company data, offering you the best IT Support Miami services on the market. You get security at the doors of the data center: everyone needs an ID card to access your data, and visitors need credentials and prior approval to get in. Nerds Support offers high-quality business IT solutions and security measures that you can rely on. Just get in touch with our team, and you will have no problem shutting down social engineering attempts.