“This video is soooo funny. Just click the link and you’ll see what I’m talking about. OMG so cute!”
A personal contact approach is often used when hackers just want you to click the link. Many people don’t think twice about clicking a funny “youtube” link from a friend or relative to lift their spirits at work. But if the email address is unusual, don’t. Besides, why aren’t they sharing it with you on Twitter like usual?
“I need your medical information for my [insurance renewal/school enrollment/new doctor admission forms]. Could you send me those details or docs sometime before noon? Thanks”
It’s not unusual for relatives to need medical information from each other. Hackers may use this to try and access your medical info or the medical info of other family members. This can be used as part of identity theft or to build a more detailed plan later on. Always be cautious about sharing anything that personal during work hours or on work devices.
I’m a Very Important Business Partner and…
Posing as a business partner is an interesting way to approach hacking. It gives the hacker an element of remove (not pretending to have an account or an internal email address) and an element of authority (my business matters to your business). They use this often to push around admin staff or even fool managers onto doing their bidding.
“I need to speak to your most important boss. Could you connect me to them directly without going through the proper channels?”
Social hacking sometimes involves gaining access to someone more important than the target. Either to gather information on them or, sometimes, to pitch them something that would normally never be allowed through.
“Your boss told me to tell you to transfer this money to me right away!”
Hackers may pretend that they have the authority of the targeted employee’s boss and that their business partnership entitles them to a money transfer. They speak with the indirect authority of the boss to convince the target to obey.
“I could have you fired if you don’t obey me. Give me the [account number/sensitive information/names and addresses] that I ask for or you’ll be hearing from your boss’s boss!”
A variation on the angry customer tack is a hacker who pretends to be an angry business partner. Soooo important that they can have you fired in an instant if you don’t break protocol and breach security for them.
“I need to see the highly sensitive documents for the important business merger/project/operation that we’re working on together. Please send them immediately.”
They may even pose as a real business partner that the target knows about and has been working with in order to gain access to the resources being sent between parties. Always double-confirm with your boss any unexpected requests of this nature.
I’m Your Boss / GrandBoss / CEO and…
Posing as a CEO or higher-level manager is known as Whaling and is a popular technique for social engineering hackers. They like to speak with the most authority possible to instill the fear of CEO into their target employee. People who don’t want to second guess their boss, or their boss’s boss (grandboss) may act without thinking when faced with this kind of authority.
“There’s something you need to deal with. Just click this link to find out more”
Another variation on the classic ‘click my malware’ ploy. Many employees will click a link or open a doc from their boss without thinking because it feels like a natural part of working for someone. Proper channels for sharing documents can prevent this very common mistake.
“I need you to send me some money/documents real quick.”
Once again, the hacker is using a sense of authority and urgency to trick a staff member into doing their bidding. Often, the short-but-sweet messages from ‘the boss’ are the most effective because there’s not a story to pick apart. Short messages are also more likely to be used when the hacker has adopted only one level of authority above the target so that short messages may be common in the course of work.
“We’re being subpoenaed! Please open this informative pdf and send all the requested highly sensitive documentation to me through email right away!”
This one is awesomely wicked because it’s unusual and inherently frightening. The threat of legal action is often weighty enough to cause people to act without thinking. In reality, a subpoena or similar legal issues should cause everyone to start walking on eggshells.
“I’m stuck in meetings all day. Please wire this important client/business partner a lot of money and send them some sensitive info. BTW, I’m not available right now to check with. Thanks!”
One of the best defenses a hacker has is to pretend their authority-disguise is essentially unreachable. The “Don’t check with me, your boss” ploy. This is meant to stop the targets from reaching out to the people who could identify and stop the hack attempt.
“I need an emergency [thing you shouldn’t do] and you’re the only one who can help me. Do this and you will get promotions and be Employee of the Month for a year”
Getting an urgent and potentially rewarding task from a boss or grandboss is highly motivating and many people will jump at the opportunity. But in the real business world, few emergency tasks are paired immediately with the promise of reward.
“Your supervisor is out for the day. Can you send me the documents she normally sends me as a reply to this email? Thanks.”
If your supervisor isn’t really out, this reveals itself immediately. But be suspicious of any request to send to “this email” instead of through the normal internal contact list.
—
Once you can get inside the mind of a social engineering hacker, their motives and methods become clear in action. Hackers always target someone they think can be fooled and then use a combination of authority and urgency to push the target into doing their bidding. By using your own combination of email phishing detection and descriptive employee training, your team will be ready to repel any social engineering hack the darknet lobs your way. For more insights on hacker defense, contact us today!
