Some good news for a change. A Kentucky school district that lost $3.7 million in a Phishing attack was able to get it back.
The school district, located in Scott County, Kentucky (just north of Lexington), lost the money when an email came in claiming to be from a vendor who'd yet to receive payment. Once it was opened and the attached malware executed, hackers were able to create a back door directly to the district's bank account and drain its funds.
The district partnered with local law enforcement and the FBI to get the full amount back.
Phishing attacks (or rather Social Engineering attacks) that target schools and municipalities have become more and more prevalent. That said, there are ways to prevent them.
What is Social Engineering?
Social engineering is an attack strategy that relies on manipulating someone to reveal private information via e-mail, social media, the telephone or by physical means.
What are Social Engineering attackers after?
That varies, but it's typically personally identifiable information (PII) or payment card data.
It can range from (seemingly) mundane information like your address or birthday to something more substantial like your social security number or your online banking password.
Attackers might even be trying to get into their victim’s computer to install malware that’ll get them all of the information listed above - sometimes without the victim even noticing the software's been installed.
What are some examples of a Social Engineering attack?
Most social engineering attacks happen by email, but they’re not exclusive to that medium. Social engineering attacks can even take place over the phone (as we’ve previously written about here) as well as through a website or even a USB thumb drive.
There are many different variations of social engineering attacks, so I’ve tried to compile a comprehensive list below:
Phishing
Like I said above, we’ve covered Phishing attacks before. However, it doesn’t hurt to go over what they are here. Phishing attacks are the most common social engineering attack. They’re typically perpetrated using a cleverly created website or support portal that almost precisely recreates that of a famous or well-known business or institution. The attacker reaches out to their target via email or social media and baits them into believing their message is from a reliable source. The victim takes the bait (like a fish would) and hands over their personal information on the fake website.
There are many different kinds of Phishing attacks, like Spear Phishing or Pretexting.
Spear Phishing
A subset of Phishing, a Spear Phishing attack requires extra effort from the attacker. Attackers who are attempting a Spear Phishing attack need to decide whom they’re going after, what information they’re trying to collect and how they’ll manipulate the victim into giving that information up. While difficult to perform, a Spear Phishing attack can have a considerably higher payoff should it succeed.
Pretexting
Ever gotten an email from a family member or a friend that seems off? They’re asking you to check out something online or bizarrely asking you for money as they’re somehow stranded in a foreign land, and you’re their only hope. Well, Obi-Wan Kenobi, that’s what we call pretexting.
Typically the attacker is hoping the victim is a decent human being and will help their friend or family member out. If you don’t like your family or have no friends, the attackers would be out of luck. Unfortunately, human beings are social animals, and we often spring to action to protect or help our own.
Vishing
We mentioned it above, but Vishing is an example of a social engineering attack that takes place over the telephone. Vishing attacks have become increasingly popular recently. You might have experienced one or two of these yourself. Attackers have lately pretended to be from the IRS, attempting to collect back taxes. Other attackers are claiming to be from Microsoft’s support team and are calling to notify you that your computer has been compromised and they need access to your endpoint to rectify the problem.
Vishing attacks are very, very low tech but seem to be incredibly successful. I’ve written previously how to avoid a Vishing attack here.
Baiting
Baiting is a more physical type of social engineering attack. A Baiting attack capitalizes on our basic curiosity. An attacker might use an everyday item like a USB thumb drive that’s been loaded up with Ransomware and left somewhere easy to find, with the hope that someone will pick it up and plug it in.
Heck, humans have been using this attack since the Trojan War. Replace the thumb drive and malware with a large wooden horse and a few Greek soldiers, and you get the idea.
Tailgating
This is another physical social engineering attack. Attackers in this instance try to blend into the crowd to sneak into their target’s place of business. A lot of workplaces today are very security conscious: electronic door locks, ID badges with RFID chips embedded in them, all of it technology implemented to keep someone who doesn’t belong out.
These attacks often work for the very same reason the others do. The attacker is preying on our fundamental human nature. Someone who dresses the part (suit, tie, etc.) and walks in behind you isn’t necessarily going to raise any alarm bells. It’s highly unlikely you’re looking for their badge in the first place, let alone checking whether they scanned or tapped it. Once they are physically inside, the victim’s world becomes the attacker’s oyster. There’s no limit to the damage they can cause once they’re inside.
Why do Social Engineering attacks work?
Social engineering attacks work because we’re imperfect creatures. The attackers know this, and they prey on our fundamental human nature to carry out their nefarious schemes. In this world of social media, they know how ready and willing we are to share personal information.
These attackers are trying to leverage our emotions. They know how primally we react to emotional triggers and exploit them accordingly.
How can I stop a Social Engineering attack?
That’s a tough question to answer, but there are a few steps you can take to help prevent these kinds of attacks.
- Slow down and control your emotions - Remember the attacker is trying to manipulate your emotions into making a quick reaction. The more time you take to think about the situation the more likely you’ll start to realize something’s up. We might be animals when it comes to our emotions, but we’re also brilliant. By slowing down, our rational brain allows us to overcome our feelings.
- Think about what you’re reading/seeing - The more time you give yourself for rational thought, the better off you are when it comes to seeing through the attacker’s ruse. Look for things like strange word choices or misspellings. Look for visual clues like off-brand graphics (if it comes from someplace like your bank or a store you frequent). You’re more astute than you might give yourself credit for. If something seems off, it probably is.
- Check to see who sent the message - Email masking is incredibly prominent in today’s world. Most email clients show the sender’s display name rather than the address so that it’s easier to discern who it’s from. The problem is that attackers leverage this. If you’ve got the feeling the message you’re reading isn’t on the level, check to see who sent it. If the name is familiar but the email address isn’t, there’s a good chance you’re experiencing a social engineering attack.
- Don’t follow blind links - Links are easy to hide, just like email addresses. If you can’t discern where a web link is going to send you, don’t click on it. Always make sure to hover over or right-click on an email link (whatever your email client is set up for) to see where it might send you.
- Be wary of attachments - If you’ve gone through the steps mentioned above, you probably know what I’m going to say here. Don’t download attachments from people you don’t know. Heck, sometimes it’s a bad idea to download attachments from people that you do. Be on the lookout for e-mail attachments that appear to be Microsoft Word or Excel files. They might contain pretty nasty surprises.
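As an added example (not code from the original post), here is a small Python script that mechanises two of the checks above: a familiar display name arriving from an unexpected address, and a link whose visible text names one domain while it really points at another. The address book, the sample message and every domain in it are constructed for the illustration.

```python
import email, re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hypothetical address book: display names we know and the address expected for each.
KNOWN_CONTACTS = {"Acme Supplies Billing": "billing@acme-supplies.example"}

# Constructed sample message in the style of the unpaid-invoice lure described above.
SAMPLE_EMAIL = """\
From: Acme Supplies Billing <acme.billing@mail-invoice-portal.example>
Content-Type: text/html

<p>Invoice 4471 is overdue. Review it at
<a href="http://acme-supplies.example.attacker-host.example/login">https://acme-supplies.example/invoices</a>
or <a href="https://acme-supplies.example/contact">contact us</a>.</p>
"""
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)  # domain shown in link text

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def deceptive_links(html_body):
    """Links whose visible text names one host while the href really goes to another."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return [(text, href) for href, text in collector.links
            if (shown := DOMAIN_RE.match(text)) and (real := urlparse(href).hostname)
            and shown.group(1).lower() != real.lower()]

def sender_mismatch(msg, known=KNOWN_CONTACTS):
    """(name, address) when a familiar display name arrives from an unexpected address."""
    name, addr = parseaddr(msg["From"])
    return (name, addr) if name in known and addr.lower() != known[name].lower() else None

def triage(raw_message):
    """Run both checks from the list above over one raw message and return the findings."""
    msg = email.message_from_string(raw_message)
    return {"sender": sender_mismatch(msg), "links": deceptive_links(msg.get_payload())}
```

Neither check is proof of an attack on its own; the point is that both mismatches can be seen by a reader who slows down and looks, and they are the same things this script looks for.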
In all honesty, it’s not very difficult to escape a social engineering attack. The attacker is relying on you making a snap judgment. If you take a minute or two to pause and reflect on the situation, you should be okay.
If you’re interested in learning more about social engineering attacks or how to avoid becoming the victim of one check out our Security Awareness Training page and send us a message. We’d love to hear from you.
* Disclaimer - the horse featured in the blog image has ZERO to do with this story other than the Kentucky Derby was held recently and I have no clue what else Kentucky might be known for.