Industry Updates: Protecting your Company from Social Engineering Attacks
Join us for our Industry Update webinar, where we spend 30 minutes on the latest news in domain management & security, brand protection, and fraud protection.
You can also read the webinar transcript below.
What You Need to Know!
In our November session, we will be delving into social-engineering attacks – how they manifest, how to spot them, and how to avoid them.
What are social engineering attacks, and how do they differ from other phishing attempts
How to recognize social engineering emails
Cyber security training tips to give your staff
Recommendations on mitigating the risks of a social engineering attack
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo. To set up a live demo or to request more information, please complete the form to the right. Or if you are currently not on CSC Global, there is a link to the website in the description of this video. Thank you.
Stephanie: Hello, everyone, and welcome to the November edition of our monthly industry updates webinar. My name is Stephanie Mitchell, and I will be your moderator today.
Joining us today are Gianni Maiorano and Liz Sylves. Both Gianni and Liz are business development managers for CSC in the United States. So today, Gianni and Liz are going to be taking you through phishing and social engineering from types of phishing attacks and how they have evolved to taking a look at social engineering and what that means and how it manifests itself. And then finally, give some recommendations on how to mitigate the associated risks. I'll then give a quick update on upcoming activities. But first, I'm going to hand over to Gianni.
Gianni: Thanks so much, Stephanie. Really appreciate that. I'm going to go into the different types of phishing that's out there. Of course, you have email phishing and whaling and spear phishing and vishing and smishing, and then there's some unrelated ones, like dishing, and that's when like you talk about your friends, like kind of behind their back and you talk about stuff. It's not related to phishing. And then there's trishing, which is where you have a bunch of people named Patricia making calls to try get you to send money for their pizza. You got trished, also unrelated.
Thanks so much, Stephanie. Really appreciate that. I'm going to go into the different types of phishing that's out there. Of course, you have email phishing and whaling and spear phishing and vishing and smishing, and then there's some unrelated ones, like dishing, and that's when like you talk about your friends, like kind of behind their back and you talk about stuff. It's not related to phishing. And then there's trishing, which is where you have a bunch of people named Patricia making calls to try get you to send money for their pizza. You got trished, also unrelated.
So it's really important to understand that this is the world we live in today. This is not just a campaign. This isn't just a one-off. This is the world that we wake up to every day and, you see me kind of going through some slides with some headlines in the news. And every day we wake up and there's a different headline, and for somebody like myself who's been in this space for 20 years, I have never seen a time where it's been so rapid and so just absolute, the scale of these attacks are just absolutely unbelievable.
Spear phishing is the next evolution of that, because phishing, when it came out, it was something that a lot of people fell victim to. A few people still fall victim to it. However, corporate entities, the big targets are a lot more sophisticated now and understand how to identify phishing attacks. Spear phishing is a very targeted and precise attack targeting particular employees or perhaps senior employees at a company, and it's something that's very customized. Somebody may understand how somebody behaves online, checking out their social media profiles, things like that, and how they would communicate and then reaching out to that person with a targeted phishing attack.
To expand on that, whaling is where you're specifically going after folks that are at the top of the organizations, CEOs, other chief information or chief security or C-level executives at a company. And this is where you're seeing your largest amounts of funding or transactions taking place. And these require the other element of this, which is a very sophisticated measure of social engineering.
So this may be somebody that's posing as a channel distribution partner. Perhaps this person has compromised a third-party distribution vendor that you have and is reaching out on their behalf to try to get you to wire funds or try to get some approval to get an invoice fulfilled or something of that nature. And when these things occur, it's usually large amounts of money. Five, six, and seven-figure dollar signs can often change hands.
So that's the escalation in terms of basic email phishing, spear phishing being targeted, and whaling going after executives. And then there's other different avenues for that as technology continues to evolve.
So, for example, vishing, which is where you're calling on the phone and leaving voice messages trying to get folks on the line in order to have them believe that you're perhaps an employee, again someone from a trusted partner, perhaps a law firm. And then smishing, which is SMS phishing, which is text messaging is a another way to put that. And that's where you're sending text messages in order to have somebody click on something to get sent to a malware site.
So these phishing attacks continue to be higher in sophistication. They are highly researched and use social engineering, which we'll talk about a little bit later, in order to have either unsuspecting or very skeptical people fall victim to them. So those are the different types of phishing attacks. And Liz is going to go through the evolution of phishing emails coming up next.
Liz: Thank you, Gianni, for going over the different types of phishing and highlighting how they're all different. I'm going to take you through how phishing has progressed and advanced in its sophistication.
We all remember when email came out and we were confused by emails from random email addresses. The Nigerian Prince email scam is perhaps one of the longest running internet frauds to date. These typically start with an email from someone overseas who claims to be from royalty. The fraudsters lure you in by offering an opportunity to make a large sum of money while they encourage you to share your banking information and account information.
As you can see here, the email characteristics come from random email addresses, misspellings, and they also ask for a sense of urgency in the text. Surprisingly, these emails frauds are well-known and still have victims that fall prey. Being aware is key here because the way they are successful is by tapping into your vulnerability.
The last example we went over how victims fall prey to the Nigerian Prince. Here, you have cyber criminals become more sophisticated when they started impersonating financial institutions. Innocent-looking emails use logos and color schemes that match well-known financial institutions. These emails would also have a typo with a similar spelling to the brand. Again, you'll see here, as the Nigerian Prince scam, capitalization and misspellings, and they also add a sense of urgency to tap into the receiver's vulnerability. Phishing attacks that are specifically engineered to explore many thousands of customers and give up private information, like passwords and account details, it's important to look at the characteristics of an email so that you don't get lured into giving sensitive information.
Vulnerability is something that cyber criminals are counting on exploiting. Like we started with the Nigerian Prince scam and then we moved to the banking scam. Now, this is where we're getting into the trusted brand scam. And these cyber criminals are using trusted brands that we use all the time, like Netflix, to tap into our vulnerability and get us to click on links that we shouldn't.
So as you can see here, this Netflix scam is looking just like it's coming from Netflix. They're using a template that mimics the style of what the company officially sends out. But if you take a deeper dive into this, you'll see that the Netflix name is in the from section. So, therefore, they're trying to pass it off so that you can see that it's coming from Netflix, and then you scroll down to, "Your account has been suspended." I recently received this email myself and stopped immediately because, of course, I need my Netflix especially during these times.
So this is really important to take notice that these can be coming from social media sites, banking sites, and other payments sites that you're familiar with. And again, when it comes to these types of emails, awareness is key and take a deeper look into the characteristics before clicking on links to change your passcodes and provide sensitive information from your account.
As you can see here, the threat landscape gets increasingly more sophisticated. We started out with the Nigerian Prince scam, then moved on to the banking scam, and then the brand example with the Netflix scam. The evolution has increasingly gotten more sophisticated, and here's an example of the social engineering BEC scam.
The reason it gets complex and sophisticated in this example is the attackers are sitting on your network and they are hanging out there for about four to six months in some cases. They're learning your behavior, and they're mimicking the style of the way you send emails when they're actually going in for the attack.
So as you can see in the characteristics of this email, it's being sent from an official email account of the person being impersonated. So they also, like in the other examples, they use urgency and they may send this at the end of the day or the end of the week. What they're looking for is for you to wire money or send credentials of some sort. And they're usually looking to target like C-level professionals or someone that has access to account information.
One of the things that I want to mention in this example is that it is the largest impact in the phishing threat landscape. We have about billions of losses, and it is the most costly form of phishing, and fraudsters hit their targets with an array of persuasive techniques. So you want to know the red flags and you really want to protect yourself.
Now that we went through the evolution of phishing emails, Gianni is going to go over with you social engineering.
Gianni:Yeah. Thanks, Liz. Social engineering is an age old practice where people use psychological, technical, or other types of tactics to engage other people to divulge sensitive, confidential, or personal information that's going to be used nefariously or fraudulently. As technology has changed, the nature of social engineering has changed. And we're seeing now, as we've discussed before, email-based social engineering, also known as phishing, texting, phone calls, things of that nature.
An example is I may call an elderly person saying that I'm the rewards for Best Buy or something. And then on the other line, I have the Best Buy rewards person saying that I need to get information on how to get a rewards card and then merge the two calls. The elderly are usually a high target for this because they, unfortunately, are not technically savvy and, depending on their state of mind, easily confused. And they are actually on the phone then with Best Buy divulging sensitive information, while the social engineer/fraudster is sitting there collecting all that information.
We're seeing now email scams, where people are sending emails where they look like they're an executive or they look like they're a law firm or other third-party partner in order to gain access to either sensitive information or put malware on computers behind people's firewalls and on their networks. And that's one of the main points of social engineering in order to gain access to then have a larger, typically financial gain at the loss of the company. And we saw many examples of this through the examples that Liz went through.
Social engineering can be pretty tricky. These are, in some cases, professional cyber criminals, and they're very good at manipulating people for any number of reasons. And the attackers use malware once they have you clicked on something to infiltrate your systems, as I mentioned previously, getting onto your network and gaining access to potentially your own email accounts or access to third parties. And then they'll use this in order to gain passwords and other information, and that allows them to penetrate deeper into your company's IT infrastructure.
How do they get on your system to begin with? They use psychological tactics and other types of sense of urgency, so to speak, methods in order to have you overlook or bypass your normal checks and balances to see if something is real or not. So if you get an email from your boss or your CEO saying, "Hey, this needs to be actioned now. There's a major problem with the distribution channel and you need to pay this invoice right now." That is something that may drive up someone's blood pressure to make them do something that they otherwise wouldn't.
So using psychological tactics, timelines, deadlines, things that need to be acted on quickly, these are all ways that social engineers will pull at the heartstrings of their victims in order to achieve nefarious gain.
Not everybody is prepared to be the subject of a phishing attack. However, at major organizations, especially at the higher levels, people are more prepared for this. Not everybody, but, in general, more prepared. So the cyber criminals have to be lot smarter. So what they're doing is they're observing executives and other people's behaviors on social media sites, for example, how they communicate publicly in order to better impersonate them when they're targeting an organization. This is another arrow in the quiver in order to target an entity or a corporation by actually mimicking and mirroring the communication methods of an employee or executive, again to push the psychological social engineering narrative.
Emails can come from people that you think that you may know. Particularly if the sender has already been a successful victim of a cybercrime or a phishing attack, the sender may come from a legitimate email address. In other instances, cyber criminals go out of their way to either mask their email address to make it appear legitimate, or by registering domain names and starting sending names from potentially not-so-obvious typos in order for someone to think that an email is legitimate. If you have your company, let's go with the Best Buy again, and it's bestbuycouponcodes.com, which may be registered not to Best Buy, and you get an email from that, you may not know if it's legitimate or not, but it appears legitimate to you, so then you click on it. And then, all of a sudden, malware is on your computer behind the network and the social engineering continues.
All of this to say is social engineering, phishing, and other forms of fraudulent communication, they really do lay the web of traps that people can fall into. And it's really hard to navigate that particularly alone if you're not educated. And we've gone through all the different types of threats that are out there, and there are certainly are many more coming in different sizes and shapes and ishings and phishings and whatever is going to be coming next.
So what are the tools that we can equip you with in order to avoid falling into one of these traps? And that's what we're going to be talking about next.There's two sides to preventing and mitigating phishing attacks towards your organization. The first is technical, having technology in place to prevent the phishing scams from even getting to your ecosystem. The second is educating and training your employee base and your end users to be more knowledgeable on how to identify potential phishing scams and how to deal with it accordingly.
Liz:The fact is that email is a critical part of our personal and our work lives. I'm going to go over some technical recommendations that can stop attackers from compromising your system.
So first you want to make sure that you implement DMARC. A fun fact about DMARC is it's one of the easiest ways to secure that a sender is who they say they are, but surprisingly 50% of Fortune 500 companies do not have this protocol in place.
You also want to make sure that you know where the email is coming from. So you can check your web logs and your data feeds. And you want to secure your devices, install and maintain and update regularly your antivirus software, firewalls, and email filters.
With all that being said, though, it's really important to have a proactive monitoring solution in place that will pick up any anomalies outside your firewall. So you want to implement a 24 by 7 monitoring service.
Gianni:Thanks, Liz. Yeah, technology is a major element that's going to help prevent and stop phishing and social engineering attacks. The studies are in now, and people are your weakest link. And it doesn't matter, which study you look at, you will see that a large majority of people still do not understand what phishing is and what phishing scams look like. And if you look at organizations, you're talking about global organizations that are spending millions of dollars on cyber security and IT infrastructure still have almost half, on average, of their employees are unaware of what a phishing attack or a BEC scam looks like. This is definitely an area that all companies want and need to improve on in order to have a meaningful impact to supplement the technology for phishing prevention.
Yeah, and our recommendations when it comes to your staff, the first and foremost is mandatory security training. Having a meaningful and impactful training to educate your employees to be able to identify the aspects of various types of phishing attacks. Having clearly defined characteristics that are brought to your employees on what a BEC scam actually is so that when they see one, they can tell that something looks like a fish and smells like a fish, "Hey, maybe we should look into this because I think there's something fishy going on here."
So the next step for that is having clearly defined protocol for escalation when somebody thinks there might be a phishing scam. So we have one here at CSC, where if we think that something is potential phishing, we send it to our phishing team and they evaluate it further. If you're not in position to do that right away with something that's super high urgency, again, the sense of urgency thing, do not email the sender back asking like, hey, who are you type thing. Make sure you're reaching out to them with a phone call or something of that nature, going to their desk and asking, "Did you send this email?" Of course, going to their desk is a little bit different in today's climate, so I recommend a phone call for that. And that way, again, if you can look at something that looks like a fish, smells like a fish, you can check to see if it's a fish. Then you can avoid these types of scams. And if you're not doing these types of things taking these recommendations, you're going to be wishing that you're not the subject of phishing.
Stephanie: Okay. That concludes the content for this webinar. So a big thank you to Gianni and Liz for that informative session.
I just want to draw your attention to our upcoming activities. So our next monthly roundup newsletter will be sent later this month, on the 25th of November. We also have a number of other webinars happening throughout November on a variety of topics. First, we have an ICANN 69 recap webinar on the 10th of November, where our Director of Policy, Gretchen Olive will go over the key takeaways from the latest ICANN virtual forum. We also have a webinar on the 24th of November, looking at the correct way to lapsed domains. And our final webinar in this industry updates series will be on the 3rd of December.
And that's all the time we have for today. So thank you for everyone who joined us, and we hope to see you next time.