Social Engineering Attacks

Whether it is through an email, a phone call, or face-to-face interaction, social engineering attacks are a form of psychological manipulation. Preventing a social engineering attack can be a challenge because it involves the human component. In a social engineering attack, the attacker is not trying to exploit vulnerabilities in a computer’s operating system. The attacker is trying to exploit human weakness. The attacker does not need many technical skills in order to find these weaknesses. The attacker just needs to find one person who is willing to click on a link, open an attachment, or follow directions.

Some of the most popular scams people are aware of involve attachments, social media notifications, a notice from the IRS, an attachment or notice from a shipping vendor, and a notice or attachment from a credit card company or financial institution. According to Pointproof research, 69% of phishing attacks use a link, 17% use a direct data entry format, and 14% use an attachment.

What Pointproof did not collect in their report are phone calls to victims, also known as vishing. How many attacks are carried out by an attacker calling a victim to ask for their user name and password? It might sound absurd, but think about it. This is not about Microsoft calling to say your computer has a virus, or the ISP calling to say the internet is slow. This is about more realistic calls that will hit people where it hurts: their wallet. Below is a vishing scenario used for pen testing, and it works almost every time.

Call Target

Target: “Hello”

Pen tester: “Hello, this is so-and-so with [cellphone carrier or phone carrier] calling. We have noticed an increase in international calling since the last billing cycle that has totaled charges of more than $600.”

Target: “THAT IS A MISTAKE! I/WE DO NOT CALL OVERSEAS!”

Pen tester: “Sir or Ma’am, I will be glad to help clear this up and remove the incurred charges. I will need you to verify some information, please.”

Target: “What do you need?”

Pen tester: “Let’s start with you verifying your logon for our website….”