When most people think of computer hacking, the natural inclination is to picture a socially awkward early twenty-something locked in a basement somewhere, pecking away at a keyboard in the dark. While this stereotype may have some basis in truth, modern hacking all too often involves a much more sophisticated approach built on social engineering.
Social engineering is a little-understood aspect of modern hacking that companies would be wise to guard against as part of a complete security program. It is the manipulation of people with the goal of getting them to provide information they would not otherwise disclose. Social engineering isn't new; it has been used for decades in the intelligence field and in traditional intellectual property theft.
For the sophisticated hacker, social engineering is generally the opening salvo of an attack, and detecting it early can alert a company that it is a target. So how and why do hackers use social engineering?
The "why" is relatively straightforward. Every company maintains some sort of proprietary or sensitive information. Whether it's customer details, intellectual property, legal case information, health data, financial information, or even just information about your normal business processes, this data is useful to the hacker.
Social Engineering Through Phone Calls
The classic social engineering technique is the phone call. Companies should be alert to suspicious phone calls and actively encourage employees to report them. Reported calls should also be analyzed for patterns: a single odd call may be random, but several calls to different employees in a short period, with similar pretexts or requests, indicate the company is being actively targeted. Possible telephone schemes:
- A person claiming to be an employee requesting a password reset outside of normal protocols
- An unknown person claiming to be from a known vendor requesting account information
- A person claiming to be an employee asking questions about business procedures
Being actively targeted by telephone social engineering is an early red flag for a potential business email compromise scheme. These attacks are generally conducted from outside the United States and can have a catastrophic impact on a company if successful. Another old-school social engineering technique is more brazen and potentially just as damaging as phone calls.
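The pattern analysis described above, as an added worked example that is not code from the original article or from McCann. It assumes a help desk logs each reported call with a timestamp, the employee called, their department, the caller's claimed identity and the request; the call reports, the seven-day window and the three-employee threshold are all constructed for illustration.

```python
"""Look for campaigns in employee-reported suspicious phone calls.

Added example, not part of the original article or McCann's tooling. The
report fields, the seven-day window and the three-employee threshold are
assumptions chosen for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample reports (assumed format): when the call came in, who was
# called, their department, who the caller claimed to be, and what was asked.
REPORTS = [
    {"ts": "2024-01-15 16:20", "employee": "e.kim", "dept": "warehouse",
     "pretext": "vendor", "request": "account info"},
    {"ts": "2024-03-04 09:12", "employee": "a.lee", "dept": "finance",
     "pretext": "employee", "request": "password reset"},
    {"ts": "2024-03-04 10:40", "employee": "b.ortiz", "dept": "finance",
     "pretext": "vendor", "request": "account info"},
    {"ts": "2024-03-05 14:05", "employee": "c.wong", "dept": "finance",
     "pretext": "employee", "request": "business procedures"},
    {"ts": "2024-03-06 11:30", "employee": "d.patel", "dept": "accounts payable",
     "pretext": "vendor", "request": "account info"},
]

# Requests that warrant escalation on their own, even as a single call.
HIGH_RISK_REQUESTS = {"password reset", "account info"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


def find_campaigns(reports, window_days=7, min_employees=3):
    """Return clusters of reports within window_days that reached at least
    min_employees distinct people. One isolated call is noise; several
    employees hit in the same week with overlapping pretexts is a campaign."""
    reports = sorted(reports, key=lambda r: parse_ts(r["ts"]))
    campaigns = []
    i = 0
    while i < len(reports):
        start = parse_ts(reports[i]["ts"])
        j = i
        while j < len(reports) and parse_ts(reports[j]["ts"]) - start <= timedelta(days=window_days):
            j += 1
        cluster = reports[i:j]
        employees = {r["employee"] for r in cluster}
        if len(employees) >= min_employees:
            campaigns.append({
                "start": cluster[0]["ts"],
                "end": cluster[-1]["ts"],
                "calls": len(cluster),
                "employees": sorted(employees),
                # most_common() orders by frequency, so [0] is what the calls share
                "departments": Counter(r["dept"] for r in cluster).most_common(),
                "pretexts": Counter(r["pretext"] for r in cluster).most_common(),
                "requests": Counter(r["request"] for r in cluster).most_common(),
                "high_risk_calls": sum(r["request"] in HIGH_RISK_REQUESTS for r in cluster),
            })
            i = j  # move past this cluster so windows do not overlap
        else:
            i += 1
    return campaigns


def assess(reports):
    """'targeted' when at least one clustered campaign exists, else 'random'."""
    return "targeted" if find_campaigns(reports) else "random"


if __name__ == "__main__":
    for c in find_campaigns(REPORTS):
        print(f"{c['start']} to {c['end']}: {c['calls']} calls to "
              f"{len(c['employees'])} employees; departments={c['departments']}; "
              f"requests={c['requests']}; high-risk={c['high_risk_calls']}")
    print("assessment:", assess(REPORTS))
```

On the constructed data the January call stands alone and is treated as noise, while the four March calls cluster into one campaign concentrated on finance and asking mostly for account information and a password reset, which is the kind of signal the page says should be escalated as a possible prelude to business email compromise.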
Social Engineering Through Physical Intrusion
Hackers and intellectual property thieves are nothing if not resourceful, and sometimes that means physically entering a target's premises to glean as much information as possible. The intruder may pose as a pizza delivery driver, a floral delivery person, or even a technician from a telecommunications company. Anything that provides a plausible reason for an unknown person to have access to the business space should be treated with suspicion. What are they trying to do?
- Steal thumb drives, data disks, or cell phones left out in the open, or walk off with whole devices
- Use RFID skimming devices to copy access-control credentials from employees' badges as they walk the halls
- Surreptitiously video-record sensitive intellectual property
Companies should actively monitor all unknown or unverified persons in their business space, including people who could be expected to be there. Hackers and IP thieves are patient and pay attention to what's going on at your place of business. They plan their attack and may send people onsite to piggyback on an otherwise legitimate visit by a known vendor.
Social Engineering Through Phishing / Email Scams
Phishing is a more modern form of social engineering that aims to accomplish the same thing as the classic tactics. There are two primary types of phishing email scams. The first is plain phishing: mass emails, made to look as if they come from legitimate sources, carrying attachments that are actually malware giving the attacker surreptitious access to the recipient's systems. A payload may also be a keylogger that sends the captured keystrokes to the hackers. Some common phishing scams:
- Email from your bank claiming your account has been compromised
- Email from your insurance company with an attached claim form
- Email from your internet provider claiming you’ve been downloading pirated content
Normal phishing scams are a shotgun approach, with no particular person or company targeted. The other type of phishing is spear phishing.
Spear phishing takes the same form as normal phishing, but the emails are targeted at specific individuals or companies. Spear phishing is often the opening salvo of a very destructive form of wire fraud known as business email compromise (BEC), in which an attacker posing by email as an executive, vendor, or colleague induces an employee to send funds to an account the attacker controls. A successful BEC attack can be catastrophic to a business, resulting in the loss of hundreds of thousands of dollars and entanglement in follow-on civil litigation.
Everyone, individuals and businesses alike, should be aware of social engineering tactics and of the common scams built on the intelligence they gather. Choosing the right experts to consult is paramount to preventing successful attempts and mitigating any damage that results from this form of cyber hacking.
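A triage check for the two email scams described above (a mass phish carrying a malicious attachment, and a spear-phishing message setting up business email compromise), as an added example that is not code from the original article or from McCann. The two messages are constructed, the trusted domains, the risky attachment extensions and the BEC phrase list are assumptions, and a real deployment would tune all three; the point is which headers and properties to look at, not the specific values.

```python
"""Flag phishing and BEC indicators in raw email messages.

Added example, not from the original article or McCann. TRUSTED_DOMAINS,
RISKY_EXTENSIONS, BEC_PHRASES and both sample messages are constructed
for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com", "bigbank.example"}  # assumed: our domain and a real vendor
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".zip", ".html"}
BEC_PHRASES = ("wire transfer", "change of bank", "urgent", "confidential", "do not call")

# Constructed sample 1: shotgun phish posing as a bank, with a macro document attached.
MASS_PHISH = """\
From: BigBank Alerts <alerts@bigbank-secure.example>
To: someone@example-corp.com
Subject: Your account has been compromised
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account has been compromised. Open the attached form to restore access.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="account_verification.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample 2: spear phish to the controller from a lookalike of our own domain.
BEC_SAMPLE = """\
From: Pat Rivera <pat.rivera@examp1e-corp.com>
Reply-To: pat.rivera.ceo@webmail.example
To: controller@example-corp.com
Subject: Quick favor
Content-Type: text/plain; charset="utf-8"

I need you to process an urgent wire transfer to a new vendor today.
Keep this confidential. I am in meetings all day so do not call.
"""


def edit_distance(a, b):
    """Levenshtein distance; small values between domains signal a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """Return the trusted domain this one imitates (within two edits), or None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = reply.rpartition("@")[2].lower()
    # BEC: replies silently routed to a mailbox the attacker controls
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    # Spear phishing: registered domain one character off from a trusted one
    imitated = lookalike(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} resembles trusted domain {imitated}")
    # Mass phishing: display name borrows a trusted brand, address does not match
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower() and from_dom != trusted:
            findings.append(f"display name '{name}' claims {trusted} but sender is {from_dom}")
    # Malware delivery: executable or macro-enabled attachments
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        ext = "." + filename.rpartition(".")[2] if "." in filename else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {filename}")
    # BEC: pressure language in the body
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [p for p in BEC_PHRASES if p in text]
    if hits:
        findings.append("BEC language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, sample in (("mass phish", MASS_PHISH), ("BEC", BEC_SAMPLE)):
        print(label)
        for finding in triage(sample):
            print("  -", finding)
```

The first sample trips the brand-in-display-name and risky-attachment checks; the second trips the lookalike-domain, reply-to mismatch and pressure-language checks with no attachment at all, which is why attachment scanning alone does not catch BEC.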
About the Author:
John D. Shirley developed his investigation expertise serving 20 years with the Houston Police Department as a criminal investigator, followed by a career in the private sector as a fraud examiner. As a Sergeant Detective he supervised the Financial Crimes Unit, investigating white-collar crimes including fraud of all types, embezzlement, forgery, and identity theft. He also worked in the Homicide Division, Internal Affairs investigations, and the Crime Analysis Unit, and conducted internal audits while developing and revising classified and civilian policies and procedures. Mr. Shirley provided consulting services to McCann for three years prior to moving full time to the private sector. He continued his investigation work in the private sector, serving in Special Investigations Units for insurance companies and becoming a national manager responsible for operations in eight states. His investigation skills include analytical and statistical work, intelligence and background investigations, interview and interrogation, forensic collection, and reporting in a variety of case management systems.
John is a Master Peace Officer and a Certified Fraud Examiner (ACFE). He is also a licensed private pilot and a certified rescue diver.
About McCann Investigations:
In today's complex legal cases, evidence is rarely singularly digital or traditional; it begins in one realm and quickly crosses over into the other. The days when an investigation involved merely taking statements and photocopying documents are all but gone. Modern evidence gathering requires the agility to go where the evidence leads, no matter the source.
This means not only overcoming the challenge of understanding the ever-evolving web of digital evidence, but owning the entire evidentiary space: the nexus of the digital and the non-digital.
McCann runs the table in this space. We either have the digital or traditional expert you need on staff, or we know that expert personally. McCann operates its own dedicated state-of-the-art digital forensics lab, staffed with certified technicians and supplemented by a former cyber prosecutor, veteran law enforcement investigators, government cybersecurity experts, and certified fraud examiners. McCann is the only turnkey solution for the gathering, processing, analysis, and reporting of all types of evidence, no matter the source. Our team, drawn from both government service and private industry, has the resources, knowledge, and experience to provide expert testimony ensuring the evidence is both relevant and defensible in all proceedings.
McCann Investigations IS that nexus.