Social Engineering Countermeasures

Social Engineering is a technique that involves the psychological manipulation of individuals or groups to trick them into revealing confidential information, performing specific actions, or making decisions that benefit threat actors.

  • Social Engineering relies on human psychology, persuasion, and deception rather than on any technical vulnerabilities.
  • Social Engineering is often used to gain unauthorised access to systems, steal sensitive data, or facilitate other malicious activities.

Social engineering attacks come in many forms, including tailgating, several variations of phishing, and many more. At the heart of social engineering is the exploitation of human trust, empathy, and common courtesy to achieve objectives. Many examples follow, but it is worth noting that a real attack strategy often combines several of these techniques. There is also a great deal of overlap between them, but the principles remain the same: psychological manipulation and deception.

One of the more severe threats is the deployment of ransomware, which often involves a social engineering component – falling victim to a social engineering attack can lead to files being encrypted, with a ransom demanded to decrypt them. Criminals may also gather confidential information, for example customer data, and threaten to expose it. Ransomware, extortion and blackmail can lead to significant financial loss and reputational damage.

There are thousands of different social engineering tactics and even more variations on individual themes, so it is impossible to cover everything in one article.

  • Phishing:
    • Broad and indiscriminate, targeting a wide range of individuals and businesses.
    • Typically, it involves sending deceptive emails that appear legitimate but contain malicious links or attachments.
    • The overall objective is to trick the recipients into revealing sensitive information, for example credit card details, login credentials, or other personal information.
    • A typical example is a fake email from banks asking users to click a link and enter their account details.
  • Spear Phishing:
    • Similar to regular phishing, but highly targeted and personalised to specific individuals or businesses.
    • Threat actors research their targets and craft personalised emails that appear credible and relevant to the recipients.
    • The objective is to trick a specific person into revealing sensitive information or taking a particular action, like transferring funds or downloading malware.
  • Whaling:
    • A Whaling attack targets high-level executives and top management.
    • Like Spear Phishing, but with a focus on senior executives.
    • Threat actors create highly personalised and convincing emails.
    • The objective is to compromise the accounts of top executives, potentially gaining access to sensitive corporate data and systems.
    • A fraudulent email targeting a CEO, asking for confidential company information, is an example of whaling.
  • Vishing (Voice Phishing):
    • Targeting businesses and individuals by telephone.
    • Attackers use phone calls to impersonate trusted entities, such as banks or technical support teams, to extract sensitive information.
    • The objective is to convince victims to provide personal or financial information over the phone.
    • An example is a scam call from someone claiming to work at your bank and asking for account details.
  • Smishing (SMS Phishing):
    • Smishing targets individuals via text messages.
    • The attackers send fraudulent SMS messages containing links or phone numbers to trick recipients into revealing personal or financial information.
    • The objective is to obtain sensitive information.
    • Smishing is like phishing but using text messages instead of email.
    • A recently observed example is a text message claiming to be from a delivery service and asking the recipient to make a payment to complete a package delivery.
  • Tailgating – gaining physical access to a restricted area by following someone with legitimate access to circumvent access control measures. This technique takes advantage of human nature and common courtesy – it is considered polite to hold doors open for people and extremely rude to close a door in someone’s face, especially when we can see they are behind us. Countermeasures include:
    • Implement robust access control measures, such as biometric scanners, key card entry systems, or security personnel, to prevent unauthorised entry.
    • Enforce strict visitor policies, including visitor registration and escort requirements, for anyone not authorised to access a facility.
    • Install surveillance cameras at entry points to monitor access and identify potential tailgating incidents.
    • Implement mantrap systems that allow only one person to enter at a time and require proper authorisation before granting access to the second door.
    • Ensure that identification badges or access cards are visible and prominently displayed by authorised personnel.
    • Educate employees about the importance of not holding doors open for unknown individuals.
  • Baiting – offering something appealing or enticing as a trap to compromise security and steal sensitive information or login credentials. Examples include:
    • Infected USB drives or storage devices are left in public areas, hoping someone will plug them into their computer out of curiosity.
    • Attackers offer free software, movies, music, or other digital content containing malware.
    • Links to fake websites or content that appear attractive or sensational but deliver malware or gather information – covered in the previous phishing examples.
    • Email attachments that, when opened, execute malicious code or install malware – also covered in previous phishing examples.
  • Pretexting – creating a fictional, convincing, plausible scenario to achieve the desired outcome. The depth of research required will depend on the overall complexity, and the approach could be any of the previous types of phishing or face-to-face scenarios. Pretexting aims to build credibility and a connection with the target. Examples include:
    • Someone pretends to be from IT support and requests access to a computer system, passwords or remote access, or poses as a customer service representative updating account information and payment details.
    • The creation of an emergency or crisis to manipulate the target into providing information or assistance.
    • Calls about fictitious jobs to extract information about previous employers or contact details of referees.
    • Consider a block of flats where someone wants access to one of the apartments. They could ring the doorbells of other apartments and say they have a parcel to deliver, that the recipient’s doorbell isn’t working, and that they don’t want to leave it outside because it’s raining or on a busy road with nowhere secure. The story would sound convincing enough for a stranger to gain access to the building.
    • A more common pretexting scenario is with street beggars needing money to buy drugs or alcohol.
  • Dumpster Diving – searching through rubbish bins to find discarded items of value. The most significant concern is the recovery of discarded documents and materials containing sensitive or confidential information. Criminals may search for documents containing personal information to steal identities or commit fraud, or competing businesses may want to find proprietary information or trade secrets. Countermeasures include:
    • Businesses and individuals should use cross-cut shredders to destroy sensitive documents before disposal.
    • Where available, use secure containers to dispose of sensitive materials.
    • Establish and follow document retention and disposal policies to reduce the quantity of sensitive information that someone could find in rubbish bins.
    • Securely delete data from electronic devices before disposal.
  • Tech Support Scams – attackers claim to be from technical support teams and convince victims that their computer is infected, leading them to give remote access or pay for unnecessary services.
  • Fake Job Adverts – scammers advertise fictitious job vacancies that appear legitimate with attractive salaries, benefits, and working conditions to collect data on many applicants.
  • Rogue Software or Scareware – tricking users into downloading and installing malicious software by presenting it as legitimate software. An example is a deceptive pop-up message reporting the detection of viruses, system errors, or other security threats. It is a scare tactic that results in users downloading software to fix the problem, which may introduce more problems.
  • Romance Scams – fraudsters build emotional connections to exploit trust for financial gain.
  • Prize Scams – fraudsters tell their victims they’ve won a prize, but to claim it, they must provide personal information or pay administrative fees or taxes.
  • Invoice Fraud – attackers impersonate suppliers to trick businesses into making payments to fraudulent accounts.
  • Shoulder Surfing – physically looking over someone’s shoulder to steal information like credit card numbers, passwords, and PINs.

Here is a broad range of countermeasures that apply to many different types of attack and help to develop a security mindset:

  • Always verify the identity of people requesting sensitive information or requesting that you take action.
  • Consider if requests are reasonable given the circumstances or if the request deviates from standard practices or basic common sense.
  • Share the minimum amount of personal or sensitive information necessary, and only when legally required.
  • Train employees to recognise and report suspicious requests.
  • Use Multi-Factor Authentication to add additional security to access sensitive systems.
  • Establish clear policies and procedures to verify requests for sensitive information and ensure employees follow them.
  • Curiosity killed the cat – be sceptical of offers that seem too good to be true, especially from unknown or unverified sources.
  • Use up-to-date anti-malware software to detect and block malicious content.
  • Regularly back up important data to mitigate the impact of successful attacks.
  • Turn off the auto-run feature for external devices and drives to prevent the automatic execution of malicious code.
  • Avoid distractions and be mindful of when people intentionally try to take your attention away from common sense.
  • Don’t be in a hurry to take action. The creation of a sense of urgency is a common tactic. Take time to think things through properly.
  • Do not reuse login credentials. Use different passwords across multiple accounts.
  • Develop a security mindset and a healthy level of scepticism.
  • Be vigilant in your daily interactions with people and technology.
  • Understand and implement countermeasures to mitigate risks.

Protecting against insider threats

When discussing insider threats, we refer to security risks posed by individuals within a business who have access to sensitive data and systems and who, intentionally or unintentionally, misuse that access and compromise security.

These threats can come from employees, third-party contractors, or even disgruntled business partners. Insider threats are particularly challenging to detect and prevent because insiders often have legitimate access to systems and data. Segregating duties within a business is a crucial countermeasure because it forces would-be fraudsters to collude, which is less likely to happen when fraud requires more than one person.

I considered writing this article while reminiscing over my days at the University of Teesside (now rebranded as Teesside University). In the first semester back in 1993, our class was broken into teams of 4 or 5 and given topics to research and prepare a 30-minute presentation; ours was computer crime.

I recall concluding with the importance of hiring trustworthy staff. I referred to Gus Gorman, played by Richard Pryor in Superman III, who collected all the ½ cents from everyone’s salary after rounding down to the nearest cent. He added them to his salary and bought himself a new car. Background checks are at the top of my list of countermeasures, including verification of the following:

  • Employment History – the investigation into employment history will vary from role to role. At a minimum, it must include verification of the start and end dates of employment, job titles, and responsibilities. Speaking with referees will add additional insights such as:
    • Validation of candidate claims such as achievements and awards
    • Overall attendance records
    • Reason for leaving
    • Job performance
  • Academic qualifications and professional certifications – academic institutions, professional bodies, and product vendors offering degree courses, certificates or certifications allow a third party to verify a candidate’s claim, either online or offline. If the human resources onboarding process includes these checks, someone is unlikely to lie about qualifications and get away with it.
  • Financial checks – it may seem unfair to deny or deprive someone of an opportunity for work because they have poor finances; the job itself would probably make their problems disappear. However, from a risk perspective, hiring someone with significant financial issues could leave them susceptible to accepting bribes or open to blackmail in cases where someone could lose their job if their employer found out about large debts.
  • Disclosure and Barring Service (DBS) – these checks differ depending on the role. Most employment opportunities should only require a basic DBS check, but positions involving children require a more comprehensive background check. Depending on the type of check, the DBS check returns details of an individual’s criminal record, including spent and unspent convictions, cautions, and any reprimands or final warnings. The DBS certificate can also include soft intelligence held by the police that they consider relevant to the role.

Hiring the right people is at the top of my list, but:

  • The wrong people might still slip through the net.
  • The right people can still become disgruntled over time.
  • People do become disillusioned or disenfranchised over time for many reasons.

We must consider a more comprehensive suite of countermeasures to mitigate insider threats. Here is a selection:

  • Training and awareness – implement a security awareness programme that:
    • Includes educating employees about the risks of insider threats
    • Encourages reporting of suspicious activities
  • Access control
    • Implement strong access controls.
    • Use the Principle of Least Privilege (PoLP) to limit access to systems and sensitive data based on job role and need to know/access.
    • Implement Privileged Access Management (PAM) to control and monitor privileged access.
    • Enable Multi-Factor Authentication (MFA) for access to critical systems and data.
    • Immediately revoke access to systems when employees leave the business.
    • Control physical access to sensitive areas within the business.
    • Conduct regular user access audits.
  • User activity monitoring – log and monitor user activities to detect suspicious or unauthorised behaviour. Consider using behavioural analysis tools to identify unusual behaviour patterns.
  • Data Loss Prevention (DLP) – deploy a DLP solution to monitor and restrict the movement of sensitive data.
  • Segregation of Duties – prevent errors and fraud by ensuring that no individual controls all aspects of any critical financial or operational process. As mentioned earlier, segregating duties forces two or more persons to conspire to carry out fraudulent activities, reducing the risk of it happening.

There is no single countermeasure to provide complete protection against insider threats. An effective strategy involves a combination of:

  • Technical solutions
  • Employee education and reporting suspicious activity
  • Proactive monitoring
  • Auditing control effectiveness and strengthening countermeasures

Psychological support also plays an essential role in preventing insider threats, and any number of personal difficulties could be a trigger that leads to malicious behaviour.

Proliferation and mitigation of Shadow IT

Shadow IT is the use of unsanctioned systems and technology:

  • Individual employees or departments typically adopt it to meet a specific need.
  • It is introduced to enhance productivity or to resolve immediate problems and challenges but gradually becomes embedded into the business.
  • The deployment bypasses a formal IT procurement and approval process.
  • Often, it becomes part of a business-critical process without awareness within the IT or Information Security departments.
  • Documentation is not always readily available, if it exists at all.

The proliferation of Shadow IT introduces many risks:

  • Information security is a significant concern with Shadow IT as unapproved software and services may not adhere to the implemented security standards and leave data vulnerable to cyber-attacks.
  • Shadow IT can result in non-compliance with industry regulations and legal requirements, leading to fines and reputational damage. Uncontrolled IT systems could, for example, bypass data retention policies.
  • The IT and Information Security departments lose visibility and control over technology, and that can disrupt troubleshooting, security monitoring, and ongoing maintenance.
  • Unsanctioned IT solutions can lead to unexpected expenses such as:
    • Needing to find specialised skills because of staff turnover
    • Replacing the system with an approved alternative
    • Integrating processes into existing solutions
  • When employees use unapproved software tools, it can lead to:
    • Information stored in multiple locations without managed data backups
    • Data fragmentation or data loss, and consequently, the use of incorrect versions of data or incomplete data sets to make decisions.

Countermeasures for addressing Shadow IT include:

  • Raise awareness throughout the business about the risks to ensure employees understand the importance of IT policies and procedures.
  • Develop and communicate clear IT policies and guidelines for requesting new software solutions.
  • Implement IT governance that involves key stakeholders in the decision-making process for IT purchases.
  • Maintain an inventory and assess the IT environment to identify unauthorised software or services.
  • Work closely with business units to understand their needs and make it easier for employees to use approved alternatives that fulfil their requirements.
  • Encourage open communication between IT and other departments to understand their needs and challenges.
  • Implement robust security measures to mitigate Shadow IT risks.
  • Provide training and support for employees in using approved IT solutions to reduce the motivation to seek or develop unauthorised alternatives.

QR Code Threats: Quick Response or Quick Risk

QR codes (Quick Response) are not new but have become extremely popular over the last several years. Sadly, as technologies and human behaviours evolve, so do the risks, as fraudsters often adapt faster. QR code creators convert the information to be encoded (for example, a web address) into binary and display it as a pattern of squares and spaces; a square barcode. QR code readers do the reverse, converting the binary back into usable information. Businesses use this technique and technology for many legitimate purposes, but unfortunately, scammers can also misuse it for fraudulent activities. This article explores the risks and countermeasures.

  • Phishing – Scammers can create QR codes linking to fake websites that mimic legitimate businesses, in much the same way that phishing emails include links to fraudulent sites. Anyone who scans the QR code may unknowingly hand fraudsters sensitive information, for example login credentials and credit card numbers.
  • Malware – QR codes can link to websites with malicious content, such as viruses and spyware. Again, this is similar to what happens with phishing emails, but with a difference: you are looking at a square barcode rather than at a link. The link information will not be available until your scanner reads the code.

There are many legitimate uses of QR codes, and it would be a shame if the fraud discourages businesses from using the technology and realising its benefits. Protecting yourself from becoming a QR code fraud victim requires examining the context and situation in which you use them.

Here are some detailed examples and scenarios to illustrate how the technology is in use, how fraudsters target their unsuspecting victims, and countermeasures, which primarily involve being more mindful and taking extra precautions when scanning:

  • Business cards, product packaging, and printed advertisements – linking directly to websites to allow quick access to product and service information
  • Utility bill payments
  • Airline tickets
  • Cinema or theatre tickets, concerts, conferences, or other venues that facilitate paperless entry
  • Contactless payments through Google Pay, Apple Pay, or any number of mobile banking applications
  • QR codes at tourist attractions to link through to historical information or provide current map locations
  • Labelling equipment, spare parts, and other warehouse items makes it practical for supply chain and inventory management and for tracking products from production to distribution – the QR code originates from labelling car parts in Japan.
    • The Universal Product Code (UPC) Barcode consists of 12 digits and often needs multiple barcodes to capture the required information.
    • QR codes provide the capacity to store significantly more data – 3 kilobytes.
    • The quantity of usable information differs depending on the data type – numeric, alphanumeric, binary, or Japanese.
  • Patient wristbands to provide quick access to critical health information in hospitals
  • Emergency contact information
  • Restaurant menus, ordering and bill payment

General countermeasures to help protect you against QR code fraud include:

  • Don’t scan QR codes from sources you don’t trust
    • Verify the origin and legitimacy of QR codes
    • Use official websites and apps from reputable companies.
    • Avoid scanning QR codes if you have never heard of the company
    • Avoid scanning QR codes from unsolicited sources
  • Be suspicious of unsolicited QR codes received via email, text messages, or social media, as sending a QR code through these channels is unnecessary:
    • Scammers use these channels to distribute malicious QR codes
    • Businesses would never need to send the information through a QR code; they would send readable text and links through these channels.
    • The exceptions include, for example, QR codes for train tickets, theatre tickets, airline tickets, or other events in the future where the QR code allows paperless entry but would be in response to making a purchase and not unsolicited.
  • Examine QR codes closely before scanning. Look for any signs of tampering; if anything looks suspicious, don’t scan the code. Consider:
    • Anything that looks like an alteration or anything added
    • If someone has placed a new QR code sticker over an original
  • Check the web address before entering personal information or making payments, and make sure it matches the business’s official website.
  • Keep operating system and application software up to date as developers frequently release new updates to address security vulnerabilities.
  • Install reputable antivirus or anti-malware software to help detect and prevent malicious software.
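The "check the web address" countermeasure above can be partly automated once a scanner has decoded the code. The following Python is an added example and is not from the article: it assumes the scanner has already decoded the QR payload to a string, takes the domain the user expects (for instance the restaurant's official website), and flags the usual disguises such as lookalike hosts, a link shortener, a bare IP address, or the business name placed before an '@' so that the real host is hidden. The shortener list and the handling of suffixes like co.uk are assumptions for this example.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed list of well-known link shorteners (not taken from the article).
# A shortened link hides the real destination, so it is flagged for manual
# resolution rather than treated as the business's own site.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Rough handling of two-label public suffixes such as co.uk. A production
# check should consult the Public Suffix List; this short set is an assumption.
SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac", "edu"}


def registered_domain(host: str) -> str:
    """Return the part of host a user would recognise as the organisation's
    domain: the last two labels, or three when the second-last is a suffix
    such as 'co' (so www.bank.co.uk -> bank.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_qr_url(payload: str, expected_domain: str) -> dict:
    """Inspect a decoded QR payload before it is opened or used for payment.
    Returns {'verdict': 'ok' | 'warn' | 'block', 'host': ..., 'reasons': [...]}.
    'block' means the link does not belong to expected_domain or uses a
    classic disguise; 'warn' means it needs a second look before use."""
    text = payload.strip()
    if not text.lower().startswith(("http://", "https://")):
        # Non-URL payloads (wifi:, tel:, plain text) need a different review.
        return {"verdict": "warn", "host": None, "reasons": ["payload is not an http(s) URL"]}
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    if not host:
        return {"verdict": "block", "host": None, "reasons": ["no hostname"]}
    reasons, hard_fail = [], False
    if parts.scheme != "https":
        reasons.append("plain http rather than https")
    if parts.username is not None:
        # https://bank.example@evil.example/ shows the bank name first but
        # connects to evil.example: everything before '@' is a username.
        reasons.append("credentials embedded before '@' hide the real host")
        hard_fail = True
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a domain name")
        hard_fail = True
    except ValueError:
        pass
    if "xn--" in host or any(ord(ch) > 127 for ch in host):
        reasons.append("internationalised (punycode) hostname: possible lookalike")
    actual = registered_domain(host)
    expected = registered_domain(expected_domain)
    is_shortener = actual in SHORTENERS
    if is_shortener:
        reasons.append("link shortener hides the final destination")
    if actual != expected:
        if expected in host:
            # bank.example.pay-now.example: the real name appears only as a
            # subdomain of somebody else's domain.
            reasons.append(f"'{expected}' appears only as a subdomain of {host}")
        else:
            reasons.append(f"host {host} does not belong to {expected}")
        hard_fail = hard_fail or not is_shortener
    verdict = "block" if hard_fail else ("warn" if reasons else "ok")
    return {"verdict": verdict, "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads modelled on the restaurant and parking
    # scenarios in the article; none of these hosts belong to real businesses.
    for sample in [
        "https://www.example-bistro.com/pay/table-7",
        "http://example-bistro.com.pay-now.example/bill",
        "https://example-bistro.com@198.51.100.7/login",
        "https://bit.ly/3xAmpl3",
    ]:
        result = inspect_qr_url(sample, "example-bistro.com")
        print(result["verdict"].upper(), sample, "; ".join(result["reasons"]))
```

A "warn" on a shortener means the link should be expanded and re-checked against the expected domain before any payment details are entered.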

The above list is not exhaustive, and it is necessary to change your mindset when using this kind of technology and develop a healthy level of suspicion. As with all types of fraudulent activity, QR code fraud is evolving; therefore, staying informed and being cautious to protect yourself and your personal information is essential.

Here are some scenarios and consequences:

  • Restaurant bill payments
    • A scammer adds a QR code sticker over the original on a restaurant menu
    • The customer scans the code and visits a fake restaurant website
    • The customer pays the restaurant bill to a fraudster
    • The restaurant may challenge the customer when they get up to leave, or it may involve authorities at a later date
  • Fake event tickets
    • Fraudsters use a fake website to sell tickets to a popular event and deliver the tickets with QR codes to unsuspecting victims.
    • The ticket website and the tickets look convincing and official
    • The customer is unaware of any problems until they are unable to gain entry to the event
  • Restaurant orders with upfront payments
    • A scammer covertly swaps official menus with a reproduction containing a different QR code that directs the customer to a convincing website copy.
    • The customer places an order for food and makes a payment
    • The food never arrives
    • The customer complains and provides evidence of payment
    • The restaurant apologises and delivers the food, and suffers a loss in reputation through negative word of mouth
  • Parking tickets
    • A scammer places a QR code sticker over the top of the original code
    • An unsuspecting driver scans the QR code to buy their parking ticket
    • Scanning the code directs the driver to a fake car park payment website, where they enter their payment details along with the car registration number
    • The site sends a text message confirming receipt of payment and the valid duration of their parking
    • The car parking attendant, traffic warden, or Automatic Number Plate Recognition (ANPR) system identifies the vehicle as parked without payment
    • The driver receives a fine in the post, and the process to challenge such fines is complex, time-consuming, and, in some cases, more expensive than paying the fine and moving on
  • Free parking – a variation on the previous parking ticket example
    • A scammer prints posters and places them in free-parking areas
    • The parking tariff and payment instructions look official and well-presented, but they are fake
    • Drivers park up, pay for parking, and receive a confirmation email or text message
    • The scammer takes the money, and the driver is unaware of what has happened
  • Train travel – 20 days for the price of 2 days – this example illustrates how passengers avoid paying their fares by taking advantage of poor staffing levels on some routes and the absence of ticket gates at many stations. In this example, the traveller needs to commute every day, and the unexpected victim is the train company.
    • For day one, the traveller purchases two return tickets using an official ticket website such as Trainline. The 1st is an open-return ticket from Station A to Station B, and the 2nd is an open-return ticket from Station B to Station A
    • On day one, the traveller uses the outbound portions of both tickets for the outbound and return journey. On this day, it doesn’t matter if there is an unexpected ticket inspection as they are only valid for one day.
    • On day two and subsequent days, the traveller uses the return portion of the 2nd ticket for their outbound journey and the return portion of the 1st ticket for their return journey. Both return portions are valid for 30 days.
    • If a ticket inspector scans the QR code, it will no longer be valid for subsequent travel on the journey. The traveller can buy a replacement open return ticket and continue.
    • Accepting the losses is likely cheaper than increasing the workforce and ticket gates for the train operators and stations.

To conclude, you should be careful when using QR codes and exercise the same level of caution, scepticism, and suspicion as when you receive social media messages, text messages, or unsolicited emails containing website links.