A recent study by the Federation of Small Businesses found that 66% of its members have fallen victim to some type of cyber-attack within the last two years. The bulk of these attacks were social engineering scams such as phishing (49%) and spear phishing (37%). The Guardian has reported that the average annual cost to each business was £3,000 – a total annual cost to small businesses of £5.26 billion.
Social engineering, in the context of information security, refers to the methods cyber criminals use to persuade, trick, blackmail, threaten or deceive people into sharing information or performing tasks that allow the criminal to carry out their crime. Rather than attacking a system directly, the criminal uses a person to gain access to information or money, either by winning their trust, deceiving them or threatening them.
These attacks come via email, social media, phone, text and/or through planted hardware. The most common methods include:
Phishing – when emails are sent purporting to be from a trustworthy source such as a bank, friend or client, asking for sensitive information including log-in and password details. The emails usually contain a link to a site that looks very similar to – or is an exact replica of – the trustworthy site. Such sites serve malware that installs an application on your computer (or device), allowing the criminal to further access your private information or to use your computing power which, combined with that of other infected devices, forms a distributed ‘super computer’ used to prolong and support their future attacks.
Spear phishing – a specialised attack that is planned in advance and targeted at a specific person or organisation. Criminals trawl social media for personal details so they can make their approach more direct and credible.
Physical baiting – a common example is where a criminal leaves a piece of hardware infected with malware, such as a USB stick, where their target is likely to find it. The target then uses their computer to view its contents and becomes infected. A growing trend is for the criminal to arrive for a supposed meeting and tell the receptionist that an urgent report, required for the meeting, has been accidentally left behind, asking whether it can be printed out at the front desk. The report is on a USB stick, and the malware is on your company network as soon as the receptionist opens it to print it out.
Pretexting – (also known as blagging or bohoing) occurs when an attacker creates a false (usually urgent) circumstance to compel the victim to provide information – for example, they may masquerade as a co-worker, police officer, bank, tax authority or investigator asking for your login details.
Diversion theft – also known as the “Corner Game” or “Round the Corner Game”, originated in the East End of London. In summary, diversion theft is a “con” exercised by criminals, usually against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is required elsewhere.
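The phishing entry above describes emails whose links point at a look-alike copy of a trusted site. As an added example, not code from the original article, the following Python scans the HTML body of an email for two tell-tale signs of such a lure: link text that shows one web address while the link actually goes elsewhere, and a destination domain that closely resembles one of the organisation's trusted domains. The trusted-domain list and the sample email are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: domains the organisation genuinely deals with.
TRUSTED_DOMAINS = ("examplebank.co.uk", "ourclient.com")

# Very small HTML link extractor: captures href and the visible link text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s<]+", re.I)

def host_of(url):
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()

def is_trusted(host):
    """True for a trusted domain or any of its subdomains."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(href, text):
    """Return the reasons (possibly none) a link looks like a phishing lure."""
    reasons = []
    href_host = host_of(href)
    shown = URL_IN_TEXT_RE.search(text)
    # Sign 1: the visible text shows a URL whose host differs from the real target.
    if shown and host_of(shown.group(0)) != href_host:
        reasons.append("display-url-mismatch")
    # Sign 2: the real target is not trusted but imitates a trusted domain,
    # either by embedding it (bank.co.uk.evil.example) or by a tiny spelling change.
    if not is_trusted(href_host):
        for t in TRUSTED_DOMAINS:
            if t in href_host or edit_distance(href_host, t) <= 2:
                reasons.append("lookalike-of:" + t)
                break
    return reasons

def scan_email_html(html):
    """Return [(href, reasons)] for every suspicious link in an email body."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        reasons = classify_link(href, re.sub(r"<[^>]+>", "", inner))
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample email: the first link is a lure, the second is genuine.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p>Please verify your account at <a href="http://examp1ebank.co.uk/login">https://examplebank.co.uk/login</a>.</p>
<p>Regards, <a href="https://www.ourclient.com/about">Our Client</a></p>"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_EMAIL):
        print(href, reasons)
```

Checks like these catch only crude imitations; a lure on an unrelated domain or a homoglyph in a different script needs additional controls such as mail authentication and user reporting.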
In his 2002 book, The Art of Deception, Kevin Mitnick, an American social engineer and hacker, admitted that he compromised computers solely by using passwords and codes that he obtained through social engineering. He claims he did not use software programs or hacking tools to crack passwords or otherwise exploit computer or phone security. Obtaining passwords this way is often far easier than the approach most people expect, which is infecting computers and devices.