What is social engineering? What is phishing? Each of these methods is dangerous on its own, but put them together and you have a very believable confidence trick.
Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
I recently attended the ESET Partner Conference in Hinckley, where I listened to one of the workshops, presented by Righard Zwienenberg, a well-known name in the AV industry and security blogging; his presentation got me thinking…
Think of this sequence of events:
Someone calls the office to speak to accounts and gets their name and email. This is very easy to do; salesmen do it all the time. Collecting names and emails via a gatekeeper is already common practice amongst telesales, so it is quite a common type of phone call. The company's directors' names are accessible on Companies House, or by simply getting hold of the company's organogram, which could be on their website; extra information could be gleaned from Creditsafe or any other credit checking company. The phisher would then check social media to see if the directors are on Facebook, and stumbles on a Facebook entry showing that the director is on holiday. He now has the makings of a scam!
The phisher then uses this knowledge to trick an innocent party, creating an email that looks like it is from the director, asking the person by name to pay an attached bogus invoice as a matter of urgency because he forgot to deal with it before he went on holiday. The attached invoice carries the phisher's bank details, and the person unknowingly pays it! Everything looked fine; even the footer of the email matched the company's footer perfectly. Very believable, and easy to do.
To combat this you need to change your mindset about emails and question everything. If money transfers are involved, follow it up with a phone call, or use some kind of self-devised password system. Look for oddities: are they writing in their usual style? Are there excessive spelling and grammar errors? Is the format different? Is the email address correct?
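As an added example (not part of the original post), the "question everything" checks above expressed as mail-filter heuristics run over constructed messages: a lookalike sender domain, a director's name on an external address, a mismatched Reply-To, urgent payment language, and an invoice attachment. The company domain example.com and the director name are assumptions.

```python
import re
from email.utils import parseaddr

# Assumed for this example: the company's own mail domain and the names of
# the directors a scammer would impersonate (lower-cased for comparison).
INTERNAL_DOMAIN = "example.com"
DIRECTORS = {"jane director"}
URGENCY = re.compile(r"\b(urgen(t|cy)|immediately|asap|right away)\b", re.I)
PAYMENT = re.compile(r"\b(invoice|bank details|transfer|payment|pay)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(headers: dict, body: str, attachments: list) -> list:
    """Return the indicators that make a message look like the director-invoice scam."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    if from_dom != INTERNAL_DOMAIN:
        if edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
            reasons.append(f"lookalike sender domain: {from_dom}")
        if name.lower() in DIRECTORS:
            reasons.append(f"director name '{name}' on an external address")
    reply_to = headers.get("Reply-To")
    if reply_to and parseaddr(reply_to)[1].rsplit("@", 1)[-1].lower() != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    if URGENCY.search(body) and PAYMENT.search(body):
        reasons.append("urgent payment language")
    if PAYMENT.search(body) and any("invoice" in a.lower() for a in attachments):
        reasons.append("invoice attachment with payment request")
    return reasons

# Constructed samples: the scam from the post, and a routine internal message.
SCAM = ({"From": "Jane Director <jane.director@examp1e.com>",
         "Reply-To": "jane.director@free-mail.test"},
        "Hi Bob, please pay the attached invoice as a matter of urgency, "
        "I forgot to deal with it before I went on holiday.", ["Invoice_4471.pdf"])
ROUTINE = ({"From": "Jane Director <jane.director@example.com>"},
           "Minutes from yesterday's board meeting attached.", ["minutes.docx"])

if __name__ == "__main__":
    print(check_message(*SCAM), check_message(*ROUTINE))
```

These heuristics flag candidates for the phone-call follow-up the post recommends; they do not replace it, since a genuine director can also send an urgent invoice.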