Social Engineering Attacks

The Curious Codex

2025-01-08 Published, 2025-01-10 Updated
1713 Words, 9 Minute Read

The Author
GEN UK Blog

Richard (Senior Partner)

Richard has been with the firm since 1992 and was one of the founding partners

 

What is Social Engineering


Social engineering poses a significant threat to companies, particularly as the route to compromising email accounts for money interception scams and data breaches. It exploits human psychology to gain unauthorised access to sensitive information and systems, bypassing technical security controls rather than defeating them.

Social engineering is now the primary method used to initiate fraud and breaches against companies worldwide.

The Anatomy of Social Engineering Attacks

Social engineering attacks targeting companies typically follow a recognisable pattern of reconnaissance, initial contact and exploitation...

Reconnaissance

Attackers research their targets, gathering information about employees, organisational structure and internal processes.

This involves harvesting information from the company website, including staff, teams, customers and so on, and combining it with third party sources such as social media and directories.

Let's assume your website lists the senior staff, and perhaps even includes a picture. With that, it's fairly easy to find that person's social media accounts, and from there other sensitive information can be gathered such as friends, family, clubs and interests, all of which make a later approach more convincing.

Initial Contact

Using this gathered intelligence, cybercriminals craft convincing phishing emails or make phone calls impersonating trusted entities.

For example, they can send accounts an email forged to appear to come from the managing director requesting a list of outstanding invoices, send the sales team an email forged from the finance director requesting sales figures, or send the IT department an email forged from the sales director requesting an export of the CRM system. They can call the company asking who is responsible for this or that, perhaps pretending to be from the city council, the government or the police. Whilst many employees will not give sensitive information to just anyone, you would be surprised how willing they are to help the police with their enquiries. Cybercriminals are not like you and me; they are adept at lies and deceit.

In smaller companies many of these attempts will fail, but in larger companies they often succeed because the recipient recognises the sender's name even though the address is forged, or feels that complying is the right thing to do, and responds accordingly.

Where information requests fail, compromising the email account itself is still fairly easy: an email purporting to come from "IT" says a message is in quarantine or on hold, a password is about to expire or must be reset, or some other invented scenario that requires the user to log in to their email. Some, if not many, users will follow the link and enter their credentials on the attacker's copy of the login page, at which point the email username and password are sent straight to the cybercriminals.

I've seen literally hundreds of examples of these emails, most of which don't convince me at all, but in a busy office a busy user can easily be pressured into following the link and exposing their email account.

Less common, but still happening, are physical visits: someone arrives at reception from the photocopier company, the telecoms company, the water board, the gas board, the fire safety company, the internet provider, and so on. They are sometimes simply taken into the building and given access, and all they need is an unused network port or an unattended computer. Devices that plug into the back of a computer can capture keystrokes, and devices that connect to a network port can give an outsider remote access to the entire network. In our years of doing this we have found many such devices in companies during investigations, and whilst many are placed by fake walk-ins, there are cases where staff have been incentivised through money or blackmail to place the devices or install software.

Exploitation

Once a foothold has been established, cybercriminals manipulate victims into divulging yet more confidential information or performing harmful actions. This can include sending emails internally to other staff (since the scammer now has access to all of the user's sent and received email) to track down, or 'pivot' to, more senior or valuable members of staff. From an administrator's mailbox, for example, the cybercriminals could pivot to someone in accounts payable by sending internal emails requesting confidential information.

The primary goal at this stage is to remain undiscovered, reading incoming and outgoing emails and gathering information to leverage. Imagine how much intelligence could be extracted from the inbox of the office administrator, sales admin, purchase admin or accounts team.
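As an added example (not GEN's code) of what to look for once an attacker is silently reading a mailbox, the Python below hunts an Exchange/Microsoft 365 audit export for the inbox rules and forwarding settings an intruder adds to keep receiving a copy of the mail and to hide the replies to their own requests. The records are constructed; their shape is a simplified version of unified audit log entries for Exchange cmdlets, and the field names, the example.co.uk domain and all addresses are assumptions to check against your own export.

```python
# Added example, not GEN's code. Record shape and field names are assumed
# (simplified Microsoft 365 unified audit log entries for Exchange cmdlets).
import json

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_OPS = {"Set-Mailbox"}
INTERNAL_SUFFIX = "@example.co.uk"      # assumed company domain
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance"}
# Folders nobody reads, where attackers park the mail they do not want seen.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "archive", "junk email"}


def is_external(address: str) -> bool:
    """True for an SMTP address outside the company (Set-Mailbox prefixes 'smtp:')."""
    addr = address.lower().removeprefix("smtp:")
    return "@" in addr and not addr.endswith(INTERNAL_SUFFIX)


def check_record(rec: dict) -> list[str]:
    """Reasons this audit record looks like post-compromise mailbox persistence."""
    params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
    reasons = []
    op = rec.get("Operation")
    if op in RULE_OPS:
        if any(is_external(params.get(k, "")) for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")):
            reasons.append("external-forward")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes-mail")
        name = params.get("Name", "")
        if name and not any(c.isalnum() for c in name):      # rules named "." or ".." to stay unnoticed
            reasons.append("hidden-rule-name")
        words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(",")}
        if words & FINANCE_WORDS and params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            reasons.append("financial-mail-hidden")
    elif op in FORWARD_OPS and is_external(params.get("ForwardingSmtpAddress", "")):
        reasons.append("mailbox-forward-external")
    return reasons


def hunt(export: str) -> list[dict]:
    """Run check_record over a newline-delimited JSON export and keep the hits."""
    hits = []
    for line in export.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = check_record(rec)
        if reasons:
            hits.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                         "ip": rec.get("ClientIP"), "operation": rec.get("Operation"),
                         "reasons": reasons})
    return hits


# Constructed sample export: one record per line, not real log data.
SAMPLE_LOG = """\
{"CreationTime": "2025-01-06T08:12:41", "Operation": "New-InboxRule", "UserId": "admin.assistant@example.co.uk", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@mail.example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2025-01-06T08:13:02", "Operation": "Set-Mailbox", "UserId": "admin.assistant@example.co.uk", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mail.example.net"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
{"CreationTime": "2025-01-06T09:30:15", "Operation": "New-InboxRule", "UserId": "jane.doe@example.co.uk", "ClientIP": "198.51.100.4", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}, {"Name": "SubjectContainsWords", "Value": "newsletter"}]}
{"CreationTime": "2025-01-06T10:02:00", "Operation": "New-InboxRule", "UserId": "sales.admin@example.co.uk", "ClientIP": "198.51.100.4", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "SubjectContainsWords", "Value": "invoice,payment,bank"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Jane's newsletter rule is the kind of benign rule that keeps this from being a simple "any rule is bad" alert; the sales admin's rule, which moves anything mentioning invoices or bank details into RSS Feeds, is exactly how an attacker keeps a victim from seeing the customer replies to a redirected invoice. The ClientIP shared by two of the hits is the pivot a responder would follow next.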

Consequences

Once an account is compromised, cybercriminals will leverage it for financial gain in several fundamental ways...

Manipulation

Attackers exploit emotions such as trust, fear and urgency to bypass rational decision-making. This might be through blackmail of the user who was compromised, or through more elaborate social engineering such as introducing rumours and sharing gossip designed to alienate staff and cause distrust, which is then leveraged to further the compromise. An example from the wild is an email from one member of staff with information on what another member was saying about them on internal chat, with a link to read the rest of the conversation; or a rumour about job cuts with a link to read the internal memo. By leveraging fear or anxiety, cybercriminals can convince users to do things they would never normally do.

Money Interception Fraud

Once invoices can be accessed, the criminals re-send the invoice with different payment details, usually with a note explaining that the company is moving banks or similar. Customers receiving the invoice and updated bank details will rarely question it, and pay the invoice into the new account. That account is of course not controlled by the company but by the cybercriminals. This is generally a single-shot scam, executed en masse to redirect as much money as possible before the company becomes aware and takes steps to stop it. The one habit that defeats it is for the payer to confirm any change of bank details by phoning a number they already hold, never one given in the email. In 2023 approximately £3.3b was misdirected in this way, the majority of which was never recovered.

Bank Fraud

With many companies now banking online, a remote access tool on the machine used for bank access lets the criminals take control of it and make transfers in seconds. Remote control software can also blank the screen during such an action, so the user is unaware that anything is going on.

Data Breaches

Using the compromised email accounts, requests can be made to various departments for things like lists of clients, orders, vendors and contracts. This information can then be sold on to competitors or used for extortion. Where security is weak, servers can be compromised directly, leaking vast numbers of documents and records.

Ransom & Blackmail

Users can be persuaded into installing malicious software, usually remote access software, which is then used out of hours to attack servers and systems and to lift saved passwords from the browser's password store (Chrome included; see the linked article), giving the cybercriminals logins to numerous websites and resources.

Ransomware can be deployed, which uses the workstation's file system access to encrypt files that are then ransomed, or to package files up and upload them to a remote site for ransom or resale, often both.

Espionage

If your company works in an area of business that is sensitive or highly competitive, cybercriminals may choose to simply 'sell' their access to a competitor or disruptor, allowing them to continue the manipulation and information extraction. One case we investigated saw a service company suddenly start to lose contracts to a competitor. We found that numerous email accounts had been compromised, including the ones used to send quotations, which were intercepted by a competitor and undercut; all of this was achieved with nothing more than email compromise.

The Long Game

Cybercriminals can, and often do, breach an email account, gain access to a single PC, pivot from that to a server and install a remote access tool, then simply gather information, sometimes for months on end. To maximise the monetary return, the scam is meticulously planned and timed.

In some cases, employees are manipulated over a period through blackmail, payment or coercion to provide confidential information and passwords, and to install software. In other cases a disgruntled employee may need none of these to become a bad actor on the inside.

Mitigation

The primary method of mitigation is training and awareness. Your staff should be able to recognise scam emails, unexpected calls and uninvited visitors, and take the appropriate action. In our cyber awareness training we find that repeated training and testing is required to hammer this home to everyone, since it takes just one user to open the door. You can download a copy of our stage 1 training material for free in the Downloads section of this website. Also consider how many users actually need to send email externally and limit that; we find that in some companies many users only ever email internally, so restrict them to that.

Technical mitigation is multifaceted. Email should be strongly protected by proficient filtering and screening, and the authentication standards built into email (SPF, DKIM and DMARC with an enforcing policy) should be used so that cybercriminals cannot simply 'forge' messages from your own domain. That forces them to use lookalike addresses and domains instead, which *should* be easily identified.

Web based email should be avoided at all costs. It is very easy to set up Thunderbird, Canary or similar to download your email locally, so use that; it stops many of these scams at the front door, since they deliberately target users who log in through Outlook, Gmail, Hotmail and the like. Note that the webmail login page still exists whether or not your staff use it, so a stolen password still works there; this measure only holds up alongside MFA on the mailbox itself.

Systems and services should be protected with MFA, and any service that authenticates by sending a link or code to email should be discontinued, since a compromised mailbox then unlocks that service too.

Endpoint protection, particularly on Windows machines, should be deployed to detect and block the installation of malicious software such as the remote access tools described above.

You should audit your IT infrastructure regularly: at least annually, and monthly or quarterly in larger operations.
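As an added example (not GEN's code) of the checks behind the forged-sender and lookalike-domain points above, and the display-name forgery described under Initial Contact, the Python below inspects a raw message's From, Reply-To and Authentication-Results headers. It trusts SPF/DKIM/DMARC verdicts only when they were written by the company's own inbound mail server, flags a staff member's name on an outside address, and folds common homoglyphs and typo-squats so that a lookalike of the company domain compares equal to it. The domain example.co.uk, the staff names, the authserv-id mx.example.co.uk and the three sample messages are all constructed for this example.

```python
# Added example, not GEN's code. OUR_DOMAINS, STAFF_NAMES, AUTHSERV_ID and the
# sample messages are assumptions constructed for this example.
import email
import re
import unicodedata
from email.utils import parseaddr

OUR_DOMAINS = {"example.co.uk"}                 # assumed company domain
STAFF_NAMES = {"richard smith", "jane doe"}      # names a forger would borrow
AUTHSERV_ID = "mx.example.co.uk"                 # our inbound MTA; only its verdicts count
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Characters attackers substitute for Latin letters in lookalike domains.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
              "0": "o", "1": "l", "3": "e", "5": "s"}
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def fold(domain: str) -> str:
    """Lower-case, strip accents and collapse confusables so lookalikes compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = "".join(HOMOGLYPHS.get(c, c) for c in d)
    for pair, repl in MULTI_CHAR:
        d = d.replace(pair, repl)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single edit is the usual typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Domain part of an address, with punycode (xn--) labels decoded to Unicode."""
    dom = addr.rpartition("@")[2].strip().lower()
    try:
        return dom.encode("ascii").decode("idna")
    except UnicodeError:
        return dom


def lookalike_of(domain: str):
    """Trusted domain this one imitates, or None if it is ours or unrelated."""
    if domain in OUR_DOMAINS:
        return None
    folded = fold(domain)
    for trusted in sorted(OUR_DOMAINS):
        ft = fold(trusted)
        if folded == ft or levenshtein(folded, ft) <= 1:
            return trusted
        if folded.split(".")[0] == ft.split(".")[0]:   # our brand on another suffix
            return trusted
    return None


def auth_results(header: str) -> dict:
    """spf/dkim/dmarc verdicts, ignored unless our own MTA wrote the header."""
    authserv = header.strip().split(";", 1)[0].split()
    if not authserv or authserv[0].lower() != AUTHSERV_ID:
        return {}
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def assess(raw: bytes) -> list:
    """Reasons a message looks like a forged or lookalike sender (empty if clean)."""
    msg = email.message_from_bytes(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    if name.strip().lower() in STAFF_NAMES and from_domain not in OUR_DOMAINS:
        findings.append("display-name-impersonation")
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike-of:{imitated}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append("reply-to-mismatch")
    verdicts = auth_results(msg.get("Authentication-Results", ""))
    if from_domain in OUR_DOMAINS and verdicts.get("dmarc") != "pass":
        findings.append("dmarc-not-pass-for-our-domain")
    return findings


# Constructed sample messages, not real traffic.
FORGED_MD = b"""From: "Richard Smith" <richard.smith@example.co.uk>
Authentication-Results: mx.example.co.uk; spf=fail smtp.mailfrom=attacker.example;
 dkim=none; dmarc=fail header.from=example.co.uk

Please send me a list of all outstanding invoices today.
"""
LOOKALIKE = b"""From: "Richard Smith" <richard.smith@examp1e.co.uk>
Reply-To: richard.smith@mailhost.example.net
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=examp1e.co.uk;
 dkim=pass header.d=examp1e.co.uk; dmarc=pass header.from=examp1e.co.uk

Please send me a list of all outstanding invoices today.
"""
LEGIT = b"""From: "Jane Doe" <jane.doe@example.co.uk>
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=example.co.uk;
 dkim=pass header.d=example.co.uk; dmarc=pass header.from=example.co.uk

Q4 figures attached.
"""
```

The second sample is the case DMARC alone cannot catch: the attacker owns examp1e.co.uk, so SPF, DKIM and DMARC all pass for it, and only the display name and the folded domain give it away. Run this only on mail that arrived through the inbound gateway; internal mail that never leaves the mail server may carry no Authentication-Results header at all and would otherwise be reported as a DMARC failure.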

Conclusion

Social engineering remains a formidable threat to companies, with the potential to cause significant financial losses and data breaches, yet many companies are either unaware or believe this could never happen.

By understanding the tactics employed by cybercriminals and leveraging awareness training and testing, you can take significant steps towards reducing the risk, for very little, if any, cost.

Deploy email protection, make sure no one is using web based email, and audit your system security.

We at GEN have numerous companies coming to us after an incident for investigation and remediation, but we would much prefer this happened less frequently. If you need some help or advice, our services in most cases are FREE for the first hour so absolutely risk free.

Associated Reading

20241003 The Dark side of Google Chrome
20240824 I've been Hacked
20240723 Email Threats and Extortion


Comments (3)

Darren M · 2025-01-11 12:25 UTC
Well, that is a lot to take in, I'm going to print this off and read it over the weekend. Sounds scary, but it is something I need to understand.

Andy P · 2025-01-11 12:20 UTC
I have to admit to being one of those companies who believed it could never happen, and unfortunately it did. Thanks to GEN we got it sorted quickly and the loss was minimal but it could have been much worse.

Mike M · 2025-01-09 14:02 UTC
Good information, and highlights many good points. I think so many companies just don't get it, until it's too late.

Love the picture by the way


--- This content is not legal or financial advice & Solely the opinions of the author ---

Copyright © 2025 GEN Partnership. All Rights Reserved, E&OE. Sales: 0115 933 9000