Social Engineering and Smishing — What You Need to Know

October 11, 2017

Author: Pierson Clair, Senior Director | Cyber Security and Investigations, Kroll

In 2016, the FBI reported that U.S. cyber crime losses exceeded $1.3 billion. Many of these cyber crimes could be directly traced to social engineering or phishing campaigns.

Social engineering, or what many call “hacking humans,” is a leading cause of network breaches and unauthorized access to remote systems. It can take many forms, from someone on the phone pretending to be an IRS agent saying you owe back taxes, to emails offering you millions of dollars after you first send a couple thousand dollars to cover related fees. Phishing or spear phishing attacks raise the stakes by using details of your personal and business relationships to trick you into thinking requests are coming from legitimate callers or email senders.

While many people have been duped by these various schemes, public and corporate cyber security awareness campaigns have gone a long way toward helping educate users not to trust unsolicited phone calls and emails. So, when users are smart enough to recognize scam phone calls or to spot and delete fraudulent emails, where do scammers turn next? Why not turn to communicating with people through a device they carry with them every hour of the day? Why not target their cell phone!

What is Smishing?

“Smishing” is the evolution of social engineering whereby phishing or trickery takes place via a text message. Cyber criminals count on human emotions of fear, hope, and curiosity to act on these fake text messages. And with only 160 characters in a text message, users have come to expect brief and impersonal messages on their phones. Following are just a few smishing examples that Kroll has observed across its investigations:

  • An official-looking text message from “your bank” asking you to verify a transaction
  • An official-looking text message from your “phone company” asking if you added a line of service
  • A “financial institution” asking you to validate a piece of personal information, otherwise your account will be locked or frozen
  • A text message saying you won a drawing and have a limited amount of time to respond

How to Spot Social Engineering

One of the many tactics cyber criminals use to defraud people is by spoofing the caller ID, which lends an air of authenticity to their communication. Attackers may also provide a link to a website where the domain name is very similar to a legitimate domain, but perhaps they have substituted a numeral “0” for the letter “O” – things that the normal user reading quickly would likely not catch. These may look like AMAZ0N.com (a zero instead of an “o”) or Netf1ix.com (the numeral 1 instead of an “l”).
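As an added example (not from Kroll or the original post), here is a defender-side check of the kind a message filter or awareness tool could run: it pulls link hosts out of a text message and flags any whose confusable characters (a zero for an "o", a one for an "l") map onto a protected brand domain. The confusable table and the known-good domain list are constructed assumptions for the illustration.

```python
import re

# Characters commonly substituted for the letters they resemble in lookalike
# domains. This table is an assumption for the example, not a Kroll list.
CONFUSABLES = {
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
    "8": "b",
    "rn": "m",
    "vv": "w",
}

# Constructed list of legitimate domains the check protects.
KNOWN_GOOD = {"amazon.com", "netflix.com", "kroll.com"}


def registrable_domain(host: str) -> str:
    """Lower-case the host and keep its last two labels ('www.AMAZ0N.com' -> 'amaz0n.com')."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Replace each confusable with the letter(s) it imitates."""
    out = domain
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def classify(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for a host found in a message link."""
    dom = registrable_domain(host)
    if dom in KNOWN_GOOD:
        return "legitimate"
    # Not a known domain, but it becomes one once confusables are undone:
    # that is the AMAZ0N.com / Netf1ix.com pattern described above.
    if normalize(dom) in KNOWN_GOOD:
        return "lookalike"
    return "unknown"


def extract_hosts(text: str) -> list:
    """Pull host names out of http(s) URLs in a text message body."""
    return re.findall(r"https?://([A-Za-z0-9.\-]+)", text)


def scan_message(text: str) -> dict:
    """Map every host linked in the message to its classification."""
    return {host: classify(host) for host in extract_hosts(text)}
```

A real deployment would seed KNOWN_GOOD from the organisation's own brands and vendors and treat "lookalike" hits as a reason to block the message or warn the recipient.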

Some telltale signs of social engineering are:

  • Pretends to know some publicly available information about you
  • Will try to warn you of something or induce fear or concern about an item/situation
  • Will promise some sort of unrealistic outcome that seems too good to be true
  • Will have some sort of urgency or time sensitivity, applying pressure
  • Will provide information under the guise of authority meant to appear official but that cannot be verified

In a very fast-paced cyber world, protect yourself by slowing down.

Scammers may try to take advantage of friends and family relationships. This is especially true when email or social media accounts are compromised. So, instead of quickly responding to every text, email, or phone call, slow down and follow these best practices:

  • If you’re not face to face with someone, consider adopting the posture of “trust no one” until you are able to verify his or her identity.
  • If you receive a text message that appears to be fraudulent, do not respond or reply.
  • If a text message seems weird or abnormal, it probably is. If you have any doubts about the validity of a text message, a phone call, or an email, communicate with the known service provider at a phone number you already know to be good. If it is a bank, call the number on the back of your debit or credit card. If it is a utility, call the number on your bill.

Cyber Security Awareness Month is observed each October in the United States and across Europe. Sponsored by the U.S. Department of Homeland Security and the European Union Agency for Network and Information Security, Cyber Security Awareness Month is designed to raise awareness about the importance of cyber security among organizations and individuals by providing tools and resources to stay safe online and increase resilience in the event of a cyber incident. As the global leader in risk management, Kroll is proud to support Cyber Security Awareness Month by providing actionable insights that help people and organizations on their path to cyber resilience.

Pierson Clair, Senior Director, Cyber Security and Investigations

Pierson Clair is a Senior Director in Kroll’s Cyber Security and Investigations practice, based in the Los Angeles office. Pierson brings an uncommon perspective to cyber security challenges from his years as a leading digital forensic examiner, technical security consultant, researcher, and educator. He has conducted extensive academic research at the forefront of cyber security, most currently on changes of investigative significance in Mac and mobile device hardware and software. Prior to this emphasis, he focused on the dynamics within the complex framework of protecting critical national infrastructure as well as intelligence, espionage, and terrorism. In addition to working on analytical projects with members of the Intelligence Community and the U.S. Department of Homeland Security, Pierson has provided sophisticated digital forensic services for a wide range of private sector clients and law enforcement agencies.