Catch me if you can – Phishing for Phools
The title refers to the story of Frank Abagnale who, before his 19th birthday, successfully forged millions of dollars' worth of checks through social engineering exploits while posing as a Pan Am pilot, a doctor and a legal prosecutor, all while a seasoned and dedicated FBI agent pursued him.
Once again, we are seeing old fraud exploits perpetrated through new channels such as email and the internet in general.
Social engineering is the art of psychologically manipulating people into yielding confidential information or conducting specific actions.
Agilient provides phishing exercises to organisations. This involves Agilient running a test phishing campaign in your organisation to see who is likely to take the bait. This enables Agilient to determine how vulnerable the organisation is and to suggest targeted, customised social engineering educational activities.
There are many different types of social engineering; the most common ones are:
- Baiting – Baiting is when a hacker leaves (or gives) an infected device in a place where the victim will find it. Once the victim plugs the device into their computer, they let the intruder in.
- Phishing – Phishing occurs when a hacker sends a victim a malicious link that has been dressed up to look like a legitimate one.
- Scareware – Using scareware, the hacker tricks the user into believing that their computer has been infected by malware. They then offer the victim a solution to this bogus problem; in reality, as soon as the user installs the proposed remedy application, they fall prey to the hacker's social engineering skills.
- Email from a friend, boss or colleague – If a hacker manages to hack or socially engineer one person's email password, they have access to that person's contact list, and because most people use one password everywhere, they probably have access to that person's social networking contacts as well. Once the hacker has that email account under their control, they send emails to all of the person's contacts or leave messages on all of their friends' social pages, and possibly on the pages of those friends' friends.
- Response to a question you never asked – Hackers may pretend to be responding to your 'request for help' from a company while also offering more help. They pick companies that millions of people use, like a software company or bank. If you don't use the product or service, you will ignore the email, phone call or message, but if you do happen to use the service, there is a good chance you will respond, because you probably do want help with a problem.
- Creating distrust – Some social engineering is all about creating distrust or starting conflicts. This is often carried out by people you know who are angry with you, but it is also done by nasty people simply trying to wreak havoc, by people who want to first create distrust in your mind about others so they can then step in as a hero and gain your trust, or by extortionists who want to manipulate information and then threaten you with disclosure. This form of social engineering often begins by gaining access to an email account or another communication account on an IM client, social network, chat, forum, etc. They accomplish this either by hacking, social engineering or simply guessing weak passwords.
As mentioned earlier, social engineering can only be mitigated by giving people training and awareness on the matter.
Agilient provides customised and comprehensive training to help staff become aware of social engineering and to assist the organisation in preventing it.
Want to learn more? The Agilient Security Awareness Program brings our cybersecurity education to the workplace.
Our highly interactive program can help you reduce successful phishing attacks and addresses the security and compliance needs of health, finance, retail, manufacturing, logistics and consulting corporations, government departments and agencies, state and local governments, and educational institutions.
Some highlights include:
- Interactive exercises
- Known exploits and case studies
- Conducting a cybersecurity risk assessment
- Preventative measures
- Monitoring for cybersecurity attacks
- Reporting and dealing with cybersecurity attacks
For further information on social engineering and the services we provide to help mitigate all types of malicious activity, do not hesitate to contact Agilient.
The Agilient Team