Tag Archives: social engineering

Bank Acquisitions and Phishing Scams

There are public reports of phishing scams related to recent bank acquisitions. Due to an increase in this activity, we would like to remind users to remain cautious when receiving unsolicited email that could be a potential phishing scam.

Phishing scams may appear as requests for users to verify personal and bank account information, enroll in additional bank services, or activate new security features.

The email messages may contain a link that, when clicked, will take the user to a fraudulent web site that appears to be a legitimate bank web site.

Users may be asked to provide personal information that can further expose them to future compromise.

Additionally, these fraudulent web sites may contain malicious code.
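The mechanism described above (a message whose visible link text looks like the bank's site while the actual destination is somewhere else) can be checked mechanically before anyone clicks. The following is an added example, not code from the original advisory or from US-CERT: it parses the HTML body of an email with the Python standard library, extracts every anchor, and reports links whose destination host is not under the bank's real domain, is a bare IP address, or whose visible text names the bank while the link goes elsewhere. The bank domain `examplebank.com` and the sample email are constructed for the demonstration.

```python
"""Flag deceptive links in a phishing-style HTML email.

Added example (not part of the original advisory). The sample message and the
trusted domain "examplebank.com" are constructed for this demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email: one honest link, three deceptive ones.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, following the recent acquisition please verify your account.</p>
<a href="http://examplebank.com.account-verify.example.net/login">https://www.examplebank.com/verify</a>
<a href="https://www.examplebank.com/help">Help Center</a>
<a href="http://192.0.2.10/examplebank/secure">Activate new security features</a>
<a href="https://examp1ebank.com/login">examplebank.com</a>
</body></html>
"""

TRUSTED_DOMAIN = "examplebank.com"  # assumption: the bank's real registered domain


class LinkExtractor(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> tag in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of url, or '' if the URL has none."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domain):
    """True only if host is domain itself or a real subdomain of it.

    'examplebank.com.evil.example' merely starts with the bank's name, so it
    must not match; only 'examplebank.com' and '*.examplebank.com' qualify.
    """
    return host == domain or host.endswith("." + domain)


def looks_like_ip(host):
    """True for dotted-decimal IPv4 literals such as 192.0.2.10."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def classify_link(href, text, trusted=TRUSTED_DOMAIN):
    """Return the list of reasons a link is suspicious; an empty list means it looks fine."""
    reasons = []
    host = host_of(href)
    if not belongs_to(host, trusted):
        reasons.append(f"destination host {host!r} is not under {trusted}")
    if looks_like_ip(host):
        reasons.append("destination is a bare IP address")
    # The classic trick: the text the user reads names the bank, the href does not.
    if trusted in text.lower() and not belongs_to(host, trusted):
        reasons.append(f"visible text mentions {trusted} but the link goes to {host!r}")
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAIN):
    """Parse an HTML email body and return [(href, text, reasons), ...] for every link."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, classify_link(href, text, trusted)) for href, text in parser.links]


def suspicious_hrefs(html, trusted=TRUSTED_DOMAIN):
    """Just the destinations that earned at least one reason."""
    return [href for href, _text, reasons in scan_email(html, trusted) if reasons]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"[{verdict}] {text!r} -> {href}")
        for r in reasons:
            print("    -", r)
```

The `belongs_to` check is the important detail: a naive `startswith` or substring test would accept `examplebank.com.account-verify.example.net`, which is exactly the kind of hostname a phishing page uses. Running the script on the constructed sample flags three of the four links and leaves the genuine `www.examplebank.com` link alone.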

Users are encouraged to take the following measures to protect themselves from phishing scams:

– Do not follow unsolicited web links received in email messages.

– Install anti-virus software, and keep its virus signature files up-to-date.

– Avoid social engineering techniques, as described here.

How Social Engineering Can Steal Your Company Secrets

Companies may install the newest security system to protect their trade secrets, but they will always remain vulnerable when it comes to the person behind the keyboard, manning the phone, or holding the keys.

Hackers have known this for years, and along with their programming savvy, the best ones have honed their psychological tools as well. This is called social engineering.

What is social engineering?
There is no textbook definition for social engineering. It has been described as a confidence game played upon unsuspecting employees by hackers intent on breaking into a company’s computer network.

In a broader sense, social engineering employs any number of non-technical methods to gain information that will allow hackers to access a company’s network. This can be as simple as dumpster diving: going through a company’s refuse to look for office paperwork that contains bits of information about the company and its employees. But more often than not, social engineering involves some form of person-to-person contact between the hackers and one or more employees of the company.

Analog methods
Some social engineering attack methods employed by hackers include picking up the phone and calling up a secretary or help desk employee, or approaching or communicating with anyone else with a password to the system. They will either misrepresent themselves as someone who has been asked to look into the company’s systems or they will impersonate an authority figure within the company. The latter can be someone who is supposed to be close to the boss or someone who actually runs the system, like a manager or system administrator.

Psyche out!
Social engineering involves psychological tactics. Hackers will try to assure the target employee that the information being asked for is part of normal procedure. Employees don’t want to get into trouble with their bosses.

They can be convinced by someone who’s pretending to be their boss or who works with their superior. Finally, simply being friendly with employees builds trust. Befriended targets are easily won over to give access to the network. Even physical access to company grounds and building facilities can be gained with a fake ID and a smile.

The price of security
Any security system put into place to protect company secrets is only as effective as the people who are actually using the system. Vigilance and proper implementation of company policy are key. Everyone in the company, from the top down, must be aware of the danger signs of social engineering attacks. These include:

  • requests for sensitive information;
  • persistent requests over the phone;
  • name-dropping by unknown people; and
  • refusal to give contact information.

Employees should also learn to strictly follow company security policies that address social engineering attacks. These should include, among others:

  • proper waste disposal of paper and digital media;
  • strict ID checks and security at physical locations;
  • control of release of sensitive information, especially over the phone or network; and
  • training and regular reminders for personnel on security-related issues.

Like most things, avoiding getting caught out by social engineering techniques comes down to common sense: if something does not sound right, it usually isn’t. Employees and bosses alike should be aware that there are people out there who want your sensitive data.

FCC Phishing Scam

The Federal Communications Commission (FCC) has released a public notice alerting users of a potential phishing attack.

The notice indicates that non-government entities may be using websites to misdirect regulatory fee payers to an illegitimate website in an attempt to obtain their financial information.

Users are encouraged to review the FCC public notice (pdf) and refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Please see the link below for tips on avoiding Social Engineering.
http://www.us-cert.gov/cas/tips/ST04-014.html

FCC Public Notice in pdf format
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-285124A1.pdf