What is Social Engineering?

  • Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access. Phishing, spear phishing, and CEO Fraud are all examples.

  • Hackers use a combination of pretexting, baiting, water-holing, CEO Fraud and other techniques to lure employees for systems and assets to be compromised. Improve your security posture immediately by better understanding the risk and with targeted additional training for specific employees that may be vulnerable to such attacks.

Social Engineering Services

  • Customized phishing campaigns to identify % of phish-prone users.
  • Targeted end user security awareness training to reduce risk from phish-prone users.
  • Development of tailored phishing, vishing, pretexting, CEO Fraud campaigns to understand business risk.
  • Detailed reports that describe findings from social engineering campaigns.
  • Access to security awareness emails for compliance with mandates such as HIPAA, CCPA, GDPR.

Ransomware

  • Ransomware denies access to a device or files until a ransom has been paid.
  • Ransomware for PC's is malware that gets installed on a user’s workstation using a social engineering attack where the user gets tricked in clicking on a link, opening an attachment, or clicking on malvertising.
  • Ransomware is a devastating type of malware with global damage projected to cost organizations $20 billion by 2021.

Phishing

  • Phishing is the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters.
  • In April of 2020, phishing emails related to the coronavirus continue to run rampant. Popular themes include stimulus checks, fake CDC warnings, working from home, Netflix scams, fines for coming out of quarantine and many more.
  • The attackers are using phishing kits that impersonate email services like Google’s G Suite or Microsoft’s Office 365 in order to compromise corporate email accounts.

Phishing Techniques

Phishing Techniques

Mobile phishing attacks have increased by 85% every year since 2011.

Phishing vs. Spear Phishing

phishing table

Cyber Resilience In the 2020s

  • Cybercriminals ramped up COVID-19 related phishing attacks over 667%, March 2020.
  • Out of nearly 2,400 reported data breaches, over 1000 – 45.5% – of attacks were initiated by a phishing attack.
  • More than 90% of successful hacks and data breaches start with phishing scams.
  • Healthcare and Pharmaceutical organizations had the highest percentage of phishing attacks at 44.7%.
  • The overall Phish-Prone Percentage (PPP) average across all industries and size organizations was 37.9%.

Phishing Techniques

Spear phishing is an email targeted at a specific individual or department within an organization that appears to be from a trusted source. It's actually cybercriminals attempting to steal confidential information.
The same email is sent to millions of users with a request to fill in personal details. These details will be used by the phishers for their illegal activities. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, or verify accounts.
  • Vishing is the phone's version of email phishing and uses automated voice messages to steal confidential information.
  • These attacks try to trick an employee into giving out confidential information via a phone call.
  • Vishing attacks use a spoofed caller ID, which can make the attack look like it comes from either a known number or perhaps an 800-number that might cause the employee to pick up the phone.
  • Vishing often uses VoIP technology to make the calls.
  • Vishing attacks can be focused on all employees, or against employees that mainly deal with people outside the organization. Departments like the help desk, PR, Sales, and HR are good to include in vishing security tests.
Phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information via a link that leads to a phishing website.

5 HIPAA Rules Regarding Text Messaging

  • Establish procedures and policies to manage who is authorized to access PHI when texting.
  • Implement audit and reporting controls for HIPAA compliant texting.
  • Ensure PHI is not improperly changed or destroyed during texting.
  • Provide proof of identity before sending and receiving messages.
  • Guard against unauthorized access of PHI during transmission.
Learn More

  In the News

Connect with ecfirst at the Defense TechConnect Innovation Summit, Washington, DC, November 28, 2023

  Events

Webinar—Beyond NIST, CMMC Certification: Fusion and Future, October 30, 2023

  Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), HITRUST Certified CSF Practitioner (CCSFP) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.