Mon | May 17, 2021 | 4:15 AM PDT

Social engineering tricks are constantly used by threat actors to gain access to an individual's account or even an entire organization's system.

Sometimes they are easily spotted by the trained security professional, but even the best of us can fall for a sophisticated scheme.

SecureWorld recently wrapped up one of our Remote Sessions webcasts discussing the issue of social engineering, including best practices and how to avoid being fooled by a cybercriminal.

The conversation was led by three panelists with real-world experience when it comes to social engineering and cybersecurity.

Let's look at some common tricks you should educate your end-users about to help protect them—and the organization. 

Examples of social engineering tricks

The security professionals leading the broadcast were Jordan Fischer, Global Privacy Team Lead at Beckage Law; Kenrick Bagnall, Detective Constable with the Coordinated Cyber Centre (C3) of the Toronto Police; and Erich Kron, Security Awareness Advocate at KnowBe4.

Here is an example of social engineering from Jordan Fischer of Beckage:

"Many of you may have received phone calls from the IRS recently. And little did you know that the IRS will call you to tell you that somebody else has filed your taxes or you haven't paid your taxes yet, or you're about to be taken in by the police to pay your taxes. They know that the tax deadline is coming up. So for all of you that don't know, it's been, you know, they pushed it back to May this year in the United States.

And they are very good at making it sound like they are, in fact, the government, that they know everything about your tax situation. And that you need to give them your social security number, your name, and they can take care of all that; they're gonna make all your tax worries go away.

And so that's one social engineering theme that we constantly see be reiterated every year; it gets more and more sophisticated. We see it in phone calls. So you get a phone call with a message that's left on your answering machine. You get letters in the mail that claim that you are delinquent in your taxes. And they're really trying to use the fact that we're all focused on taxes, we know that they're coming up, that there's a deadline, and that we need to pay those taxes. So that's sort of the scheme that I've been seeing that I think is the most relevant right now."

And another one from Kenrick Bagnall of the Toronto Police:

"This was a case of social engineering that was perpetrated against the C-suite level executive, who happened to be a dog lover, and his social media profiles and his digital footprint indicated this. So the adversaries basically crafted a specific email that was an invitation from a very prestigious Kennel Club, inviting him to a dog show.

It looked 100% legitimate. It referenced information that was on his social media profiles; it referenced events that he had attended in the past. And there was a registration code for a discount and all of these other bonuses, and all it took was a simple click; his credentials became compromised.

That was a multimillion-dollar business email compromise (BEC), specifically through targeted social engineering. So these things are happening every day. The majority of them don't get reported to law enforcement and they certainly don't make the six o'clock news. But the awareness level is something that needs to get out there a little bit more and certainly through events like this we're helping to do that."

And a slightly darker example from Erich Kron of KnowBe4:

"Imagine a world back in 2018, where children went to a place called school, it was actually a brick and mortar building where they showed up, it wasn't all done online pre-pandemic, right? So you send your little kids off to school, they're having a wonderful day. And then they start getting emails like this.

There was a round where some folks were sending emails to schools saying, 'We have planted an explosive device in your school. And if you don't pay us, we are going to set this thing off. If you pay us, we'll have our person come in smoothly and take these things away.'

And this actually went around to a number of schools, including the one right here where I live. Our school actually got shut down and evacuated over this.

This is a social engineering ploy. And this is what social engineering boils down to. And something that a lot of people don't necessarily always think about.

Social engineering attacks, regardless of what they're doing, are entirely emotional attacks. They're designed to get our emotions riled up, whether it's fear that the IRS is gonna throw us in jail because we owe them money or something like that."

All of SecureWorld's Remote Sessions are available live and then on-demand, so you can go back and listen to any that you missed, including this latest panel discussion: The Explosion of Social Engineering.
