Risk & Business Magazine Spectrum Insurance Fall 2019 | Page 26
SOCIAL ENGINEERING
In part one of our series on Social Engineering, we discussed how cybercriminals have shifted their focus away from purely technological attacks to attacking employees through the use of social engineering—a collection of techniques used to manipulate people into performing actions or divulging confidential information. We also reviewed recent court rulings to illustrate that computer fraud and funds transfer insuring agreements in traditional crime policies may not provide coverage in the event of a social engineering claim.
In the second part of our series, we identify examples of schemes employed by social engineers and how to design and implement comprehensive security practices to mitigate the risk of a loss.
SOCIAL ENGINEERS PREY ON INNATE HUMAN EMOTIONS
Social engineers use technology to swindle people and manipulate them into disclosing passwords, revealing banking information, or granting access to their computers. Understanding how these social engineers work and the schemes that they employ is key to implementing successful internal controls that minimize risk.
The success of social engineering schemes does not always rely upon sophisticated software or hacking technology. Social engineers exploit human emotions—such as fear, curiosity, the natural desire to help, the tendency to trust, and laziness—to bypass the most ironclad security measures. Social engineering schemes, therefore, remain one of the most foolproof and commonly used methods to breach secure systems.
In the cyber world, the weakest link in the security chain is the employee who accepts a person or scenario at face value. Social engineers target this vulnerability. A few common examples illustrate how social engineers take advantage of human emotion.
MESSAGES FROM TRUSTWORTHY SOURCES
Social engineers cleverly manipulate the natural human tendency to trust and accept representations at face value. Human nature leads us to trust others until they prove that they are not trustworthy. If someone tells us that they are a certain person, we usually accept that statement.
Seizing upon this trait, cybercriminals commonly hack email accounts to gain access to the owner’s contact list. Once access to an email account has been obtained, the cybercriminal can send messages to all the owner’s contacts. These messages prey on trust and curiosity. For example, the social engineer may send:
• a link that you “just have to check out.” Because the link comes from a friend, and humans are naturally curious, the recipient is likely to click on the link. As a result, the system becomes infected with malware that the criminal can use to take over the machine and collect information.
• a file to download (disguised as pictures, music, a movie, a document, etc.) that is embedded with malicious software. Once downloaded, the system is infected. Now, the criminal has access to the system.
PHISHING SCHEMES
Phishers seize on fear and gullibility to obtain private information. Phishers send emails, instant messages, or text messages that appear to come from a legitimate or popular company, bank, school, or institution. These messages explain that there is a problem that requires you to “verify” information by clicking on the displayed link and entering information into a form. The link destination may look legitimate (often containing the correct logos and content copied from a legitimate website). The spoofed site closely resembles a legitimate site and tricks the user into entering their credentials, thereby enabling the social engineer to implant malicious programs or spy on the user’s computer activity.
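The lure described above works because the recipient sees a familiar brand name while the link points somewhere else. The following script is an added example, not part of the article or any product it describes; it scans a constructed email body for the two tell-tale signs a mail filter or awareness tool would look for: visible link text that names one domain while the href goes to another, and a host that merely contains a trusted brand name (the trusted domain `examplebank.com` and every URL in the sample are assumed, constructed values).

```python
"""Flag phishing-style links in an HTML email body.

Added example (not from the article). Checks whether the text a recipient
sees differs from where a link actually goes, and whether the link host only
contains a trusted brand name instead of being that brand's own domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the domain the organisation actually banks with.
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude last-two-labels approximation of the registrable domain."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_link(href, text):
    """Return the reasons a link looks like a phishing lure (empty list = clean)."""
    reasons = []
    parsed = urlparse(href)
    target_host = parsed.hostname or ""
    target_domain = registered_domain(target_host)

    # 1. The visible text shows one domain while the href points to another.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    if shown:
        shown_domain = registered_domain(shown.group(1))
        if shown_domain != target_domain:
            reasons.append(f"display text says {shown_domain}, link goes to {target_domain}")

    # 2. The host contains a trusted brand name but is not that brand's domain
    #    (e.g. the brand used as a subdomain or hyphenated into another name).
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in target_host and target_domain != trusted:
            reasons.append(f"lookalike host {target_host} is not {trusted}")

    # 3. Plain HTTP or a raw IP address instead of a hostname.
    if parsed.scheme == "http":
        reasons.append("unencrypted http link")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", target_host):
        reasons.append("link uses a raw IP address")
    return reasons


def scan_email(html):
    """Return {href: reasons} for every suspicious link in the body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = assess_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message modelled on the "verify your account" lure.
SAMPLE_EMAIL = """
<p>We detected a problem with your account. Please
<a href="http://examplebank.com.account-verify.example/login">verify your details</a>
at <a href="https://secure-examplebank.example/">https://examplebank.com/secure</a>.</p>
<p>Read our <a href="https://examplebank.com/help">help pages</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Running the script reports the two lure links and stays silent on the genuine help-page link. The registered-domain helper is deliberately simple (last two labels); a production filter would use the public suffix list so that hosts under two-level suffixes such as `.co.uk` are compared correctly.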
BAITING SCENARIOS
Social engineers also use greed to manipulate human operators. Baiting is often found on peer-to-peer sites offering a download of a hot new movie or music: social engineers dangle something people want and wait for people to take the bait. Once people take the bait, the cybercriminal uses malicious software to corrupt secure systems and steal confidential information or banking details.
IMPERSONATING SUPERIORS
Impersonation is one of the most common social engineering techniques. Impersonation can occur over the phone or online. For example, a social engineer may obtain the name of someone in the organization who has the authority to grant access to confidential information. Using that information, they call the target and claim that a senior official authorized the disclosure of information or transmission of funds. Similarly, a social engineer may impersonate a network administrator or help desk member and ask for an employee’s username and password (so they can ostensibly troubleshoot a network problem or trace a problem).
These schemes prey upon the desire to be helpful and fear of being reprimanded. Many employees receive a negative reaction from superiors if they do not act promptly or take too long to complete a project. Fearing reprimand, many employees want to be helpful and follow directions—which can lead them to giving away too much information.