
          Social Engineering

          Social engineering attacks include phishing, spear phishing, CEO fraud, ransomware and more. Learn about different attack methods and how you can manage this ongoing problem.


          What is social engineering?

          Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access. Phishing, spear phishing, and CEO Fraud are all examples.

          How dangerous is it?

          “…Many of the most damaging security penetrations are, and will continue to be, due to Social Engineering, not electronic hacking or cracking… Social Engineering is the single greatest security risk in the decade ahead.” — Gartner, 2010

          Social Engineer

          OK, so who are these people? It could be a hacker in the USA who is out to do damage or disrupt. It could be a member of an Eastern Europe cybercrime mafia that is trying to penetrate your network and steal cash from your online bank account. Or, it could be a Chinese hacker that is trying to get in your organization’s network for corporate espionage. 

          Video AMA with Kevin Mitnick on all things Social Engineering

          KnowBe4's Chief Hacking Officer, Kevin Mitnick, sat down with our team for an exclusive interview where we could ask him anything. We thought you’d like to hear his answers, too. Ever wonder what he thinks about social engineering and pen testing, how he got into the business, why he works with KnowBe4? Find out now, it's 7 minutes well spent!


          Top 10 Techniques Used By Social Engineers

          Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how the bad guys do it:


Pretexting

An invented scenario is used to engage a potential victim and increase the chance that the victim will bite. It is a false motive, usually built on some real knowledge of the victim (e.g. date of birth, Social Security number, etc.), used in an attempt to extract even more information.

          Diversion Theft

          A 'con' exercised by professional thieves, usually targeted at a transport or courier company. The objective is to trick the company into making the delivery somewhere other than the intended location.


Phishing

The process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity, using bulk email that tries to evade spam filters. Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering. Also see Spear Phishing.

          Spear Phishing

A small, focused, targeted attack via email on a particular person or organization with the goal of penetrating their defenses. The spear phishing attack is carried out after research on the target and has a specific personalized component designed to make the target do something against their own interest.


Watering Hole

This technique takes advantage of websites people regularly visit and trust. The attacker gathers information about a targeted group of individuals to find out which websites those are, then tests those websites for vulnerabilities. Over time, one or more members of the targeted group will get infected and the attacker can gain access to the secure system.


Baiting

Baiting means dangling something in front of a victim so that they take action. It can be through a peer-to-peer or social networking site in the form of a (porn) movie download, or it can be a USB drive labeled “Q1 Layoff Plan” left out in a public place for the victim to find. Once the device is used or the malicious file is downloaded, the victim’s computer is infected, allowing the criminal to take over the network.

          Quid Pro Quo

          Latin for 'something for something', in this case it's a benefit to the victim in exchange for information. A good example is hackers pretending to be IT support. They will call everyone they can find at a company to say they have a quick fix and "you just need to disable your AV". Anyone that falls for it gets malware like ransomware installed on their machine.


Tailgating

A method used by social engineers to gain access to a building or other protected area. A tailgater waits for an authorized user to open and pass through a secure entry and then follows right behind.


Honeytrap

A trick that lures men into interacting with a fictitious attractive woman online. It is borrowed from old spy tactics, where a real woman was used.


Rogue Security Software

Also known as rogue scanner, rogue anti-spyware, rogue anti-malware or scareware, rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware. Rogue security software has, in recent years, become a growing and serious security threat in desktop computing. It is very popular and there are literally dozens of these programs.

          Free Tool: Phishing Reply Test

          How many of your users will take the bait and reply to a social engineering attack?
          Did you know that 60% of spoofed email attacks do not include a malicious link or attachment? KnowBe4's new Phishing Reply Test makes it easy for you to check to see if key users in your organization will reply to a highly targeted social engineering attack, before the bad guys do.



          Real-World Examples


          A classic example is the tech support scam, and it comes in many varieties and levels of sophistication.

          Over the past few years online service providers have been proactively messaging customers when they detect unusual activity on their users' accounts. Not surprisingly, the bad guys have used this trend to their advantage. Many of the emails are designed poorly with bad grammar, etc. but others look legitimate enough for someone to click if they weren't paying close attention.

          Consider this fake Paypal security notice warning potential marks of "unusual log in activity" on their accounts:

          Paypal Phishing Security Notice

          Hovering over the links would be a dead giveaway that this is a phishing email, but enough targeted users click without thinking and scams like this continue. 

          Spear Phishing

          In a spear phishing attack, threat actors use a deep knowledge of the potential victims to target them, and that approach allows them to tailor the attack. These emails are more convincing and harder to detect than regular phishing emails. The attacker knows exactly who and what they're targeting.

          Unlike mass phishing emails which may be attempting to distribute ransomware or gather individual login credentials to make a quick buck, spear phishers are normally after confidential information, business secrets, etc.

          CEO Fraud

          Here's an example of a CEO fraud attempt targeted at a KnowBe4 customer. She received an email from an individual purporting to be the president of the company. The employee initially responded, then remembered her training and reported the email via our Phish Alert Button, alerting her IT department to the fraud attempt.

          When the employee failed to proceed with the wire transfer, she got another email from the bad guys, who probably thought they had her fooled:

          CEO Fraud Phishing

          Because this employee had gone through proper security awareness training, she was able to keep her company out of the headlines. This was a close call though, and not everyone is that lucky!

          Social Media

          Cybercriminals create bogus profiles on social media and try to trick you. They will impersonate a celebrity or one of your friends or colleagues. These profiles look very much like the real thing, and it’s easy to get tricked. They try to impersonate a celebrity that the bad guys already know you like a lot.

          Let’s say you were tricked into believing a bogus Social Network profile. The next step is that they try to make you click on a link or install malicious software, often something to watch a video or review photos. If you click, or do that install, it’s highly likely you will infect your desktop with malware that allows the attacker to take over your PC.


          Did you know, on average 45% of your users will plug in unknown USBs...

Download our special, "beaconized" file onto any USB drive, then label the drive with something enticing and drop it in an on-site high-traffic area. If a user picks it up, plugs it into their workstation and opens the file, it will "call home" and report the "fail" to your KnowBe4 console. You also get reporting on opens and on whether macros were enabled. Find out now how your users will react!



          You may have heard of Norton antivirus, published by Symantec. The technical director of Symantec Security Response said that bad guys are generally not trying to exploit technical vulnerabilities in Windows. They are going after you instead. “You don’t need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content.” Only about 3% of the malware they run into tries to exploit a technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme. This means it does not matter if your workstation is a PC or a Mac. The last line of defense is… you guessed it: YOU! 


          Examples of each factor in the threat landscape: 


• Phishing
• Spear phishing
• CEO fraud (aka Business Email Compromise or BEC)

Social Media and Internet

• Reconnaissance
• Fake friends
• Watering hole attacks
• Use of breach data


• Ransomware
• Pseudo-ransomware
• False flag operations
• Extortion
• Automation
• Search result poisoning

Criminal Groups

• Malicious insiders
• Organized crime
• Hacktivists
• Nation states
• Terrorists

Attack Vectors

• Physical on-site attacks
• Endpoint
• Mobile
• Network
• Cloud
• IoT

          Scary New Threats in 2019

          First, a look back at prevailing 2018 trends & observations:  

          1. Antivirus died in 2018. IT Pros are moving to (free) Win10 Defender in droves. 
          2. GDPR came into being and the ramifications are not yet fully known.
          3. Trojans jumped to the top of the malware list. The most dangerous sign is the unfolding merger of trojans and phishing emails that amplifies the spreading of the malware.
          4. Ransomware declined in volume but got more focused and highly damaging. 'Spray-and-pray' attacks declined, attacks are now more targeted.
          5. Crypto-ransom infections started out in high volume but declined over the year because of the continuing e-currency crash.
6. The combination of spam and phishing has stayed at the same percentage level (around 60%); however, the phishing slice of the pie increased and has gotten significantly more sophisticated.
          7. CEO Fraud—aka Business Email Compromise—took flight in 2018 and shows no signs of abating. These attacks are particularly difficult to defend against because they don't contain malicious attachments or links.

          So what are the predictions for 2019?

          AI (Artificial Intelligence): 

• AI-based attacks will increase attacker capabilities and scale. Hearing about AI-driven attacks will become the new norm.
• There will be more targeted AI-driven fake news intended to cause disruption and societal chaos.
• 2019 will see the first AI-driven phishing attack at scale (20m+), which will consist of highly personalized laser phishing, with an all-time high click-through rate of more than 50%.
          • Dedicated AI-enabled chips will get released this year, relying on specialized processors.
          • AI and IoT will find each other at the edge computing layer. Think deep neural networks dealing with NLP servicing tech support calls.
          • Neural Networks will learn how to talk to each other. The Open Neural Network Exchange will allow this interoperability. (See ONNX)
          • NBA (New Buzzword Alert) “DevOps” is already obsolete, it’s “AIOps” for 2019!

          Quantum computing: 

          • Quantum computers outperforming traditional, binary, computers will happen in 2019.
• The incredible advancements made in quantum computing on a routine basis are going to make 2019 the year of the ultimate digital crossing of the Rubicon.
• This may or may not be coupled with enough quantum accuracy to leave anything that traditional public key crypto (e.g. RSA, Diffie-Hellman) protects suddenly unprotected. A decade later the NSA will tell us they had done this years before the public knew about it.

          Laws & Regulations: 

          • A wave of huge GDPR fines will impact North American companies operating in Europe.
          • National Privacy Law will be created, and we will hate it.
          • 2019 will be the first year that legislation will be signed into law requiring at least yearly security awareness training combined with frequent social engineering tests.

          Data-Level Attacks

          • Data exfiltration will become the new hot topic - There is value in data, and immense amounts of data are being collected by both the private and public sectors. Attackers will not only continue to ransom data for recovery, but will also find creative ways to exfiltrate data then demand a ransom for its destruction, or keep silent about the fact that they exfiltrated the data in the first place. As more and more executives are being held responsible for breaches, and as company valuation is impacted negatively, it is becoming more important for them to avoid this sort of disclosure. The bad guys know this and will exploit it.
          • Data Integrity Attacks - On a related topic, several experts are predicting that data integrity attacks are going to be a big deal soon...where attackers, unknowingly to the victim, modify critical data so that the desired outcome is not reached. And the system owners or stakeholders can't rely on the system until they are able to restore the data to a known clean state.

          Geo-Political Turmoil: 

          • AI will increasingly be used to find and suggest new ways to exploit users and situations.
          • Algorithms are already ruling the world. The future of computer security and hacking are competing algorithms which simultaneously war against each other in a digital battle of good vs. evil. Taking advantage of the improvements in AI, humans will have less and less involvement in their security consoles. Basically, once set up they take over and do a better job defending networks and computers than those that have a more hands-on approach. The computer scientists who perfect these algorithms are the rock stars of 2019 and beyond. 
          • Escalated Fake News: Continued creation of fake news stories to drive division and behavior as 2020 US Presidential hopefuls declare their candidacies
          • Presidential Data Leak. The US President's unwillingness to use more secure devices will lead to one of the most embarrassing political data leaks of all time.
• Playing the Blame Game: Nation-to-Nation false flag attacks.
• GRU Gone Wild! The WannaCry damage will be nothing compared to new zero-day destructive malware that will be unleashed by the GRU on Ukraine but escape into the world at large and wreak havoc.

          Ransomware, Pseudo Ransomware, and Sextortion:

          • More Ransomware and Pseudo-Ransomware: What works, stays. Expect to see more of both of these because they create immediate fear and situations that people need to react to. The feeling of loss or potential loss motivates people and can often bypass logic and reason. Also, more cryptomining in disguise.
          • More sextortion schemes that leverage past data breaches, current social network scraping, and more to create scary scenarios for those on the receiving end. In many ways, this is social engineering at a new devious low and recently got combined with GandCrab ransomware.
          • Ransomware attacks have been less prevalent in the news as the year has progressed, however, it doesn't mean they are stopping, they just aren't as newsworthy. Expect to see another ransomware attack, similar in size and scope as NotPetya and WannaCry, that will be different enough, have new enough capabilities, or cause enough damage to put ransomware back on the front page. The attackers have been working hard to find a new attack vector and got used to big paydays. They aren't going away any time soon.

          How Bad Guys Can Hijack Your Accounts

          Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? This type of social engineering attack is difficult to defend against because the emails don't contain malicious attachments or links.
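Two of the warning signs described on this page can be checked mechanically: the Paypal example above is caught by comparing where a link says it goes with where its href actually points, and a spoofed executive is often betrayed by a display name that carries a title while the address sits outside the organization's domain, or by a Reply-To that redirects answers elsewhere. The script below is an added example written for this page, not KnowBe4 code; the message it inspects is constructed, the domain `example.com` is assumed to be the organization's own, and the registrable-domain helper is a deliberate simplification (it takes the last two labels rather than consulting the public suffix list).

```python
"""Heuristic checks for two signs described above: links whose visible text
names one domain while the href points to another, and From/Reply-To headers
that impersonate an executive from outside the organisation's own domain.
Added example for this page, not KnowBe4 code."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): a fake "unusual log in
# activity" notice with a disguised link, sent under a CEO display name.
SAMPLE_EMAIL = """\
From: "Jane Doe, CEO" <jane.doe@example-mail.test>
Reply-To: "Jane Doe" <finance-desk@freemail.test>
To: employee@example.com
Subject: Unusual log in activity
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual log in activity on your account. Please visit
<a href="http://secure-notice.example.net/login">https://www.paypal.com/signin</a>
to review it.</p>
<p>Need help? <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
</body></html>
"""

# Visible anchor text that looks like a URL or bare hostname, i.e. that makes
# a claim about where the link goes. Plain "click here" text makes no claim.
URL_LIKE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?", re.I)
EXEC_TITLE = re.compile(r"\b(ceo|cfo|president|chief)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification (assumption): last two labels. A production check would use
    # the public suffix list so that names like "example.co.uk" are handled.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_mismatches(html):
    """Return (href, text) pairs where the text names a different domain than the href."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if not URL_LIKE.fullmatch(text):
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            flagged.append((href, text))
    return flagged


def header_findings(msg, internal_domain):
    """Flag executive impersonation from outside the domain and Reply-To redirection."""
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if EXEC_TITLE.search(from_name) and from_domain != internal_domain.lower():
        findings.append(f"executive title in display name but external sender: {from_addr}")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To goes to a different domain than From: {reply_to}")
    return findings


def analyze(raw_message, internal_domain):
    """Run both checks on a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "header_findings": header_findings(msg, internal_domain),
        "link_mismatches": link_mismatches(html),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL, "example.com").items():
        print(key, value)
```

Run on the sample, the link check flags the first anchor (text claims paypal.com, href goes to example.net) and leaves the help link alone, while the header check reports both the external "CEO" sender and the Reply-To pointing at a third domain. Neither finding is proof of fraud on its own; they are the kind of signals a mail gateway or a Phish Alert-style triage queue can surface so a human reviews the message instead of acting on it.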



          How can you prevent attacks?

We've pulled together some resources to help you defend against social engineering attacks. A good place to start is to ensure you have all levels of defense in depth in place. Keep reading below to find out how you can make yourself a hard target, get additional content for yourself and your users, and stay up to date with social engineering in the news via our blog.

          Social engineering attacks, including ransomware, business email compromise and phishing, are problems that can never be solved, but rather only managed via a continued focus on security awareness training. Watch this video interview with Stu Sjouwerman as he explains why this is an ongoing problem and the steps required to manage it: 

1. Start with a baseline phishing security test to assess your organization's baseline Phish-prone™ percentage
          2. Step users through interactive, new-school security awareness training
          3. Run frequent simulated social engineering tests to keep users on their toes with security top of mind


          10 Ways To Make Your Organization A Hard Target 

“You could spend a fortune purchasing technology and services, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”
— Kevin Mitnick


          Have your users made you an easy target for social engineering attacks?

          Many of the email addresses and identities of your organization are exposed on the internet and easy to find for cybercriminals. With that email attack surface, they can launch spear phishing, ransomware and other social engineering attacks on your users. Our Email Exposure Check identifies the at-risk users in your organization.


          Social Engineering Tip Sheets 

          These infographics will show your users what to watch out for in emails as well as on mobile devices. We recommend you print these out, they are great at-desk reminders!

          On-Demand Webinars

          The Social Engineering Battlefront

          There is one constant in the security world: attackers continue to evolve their methods as the defenders find ways to thwart social engineering attacks. Get an analysis of hacker methods as well as practical advice to help protect your organization.

          Exposing the Dirty Little Secrets of Social Engineering

          Kevin Mitnick and Perry Carpenter share social engineering insights and experiences. These will help you defend against social engineering threats posed by the bad guys and keep them from manipulating your unsuspecting users.

          10 Incredible Ways You Can Be Hacked By Email

Email is still the #1 attack vector the bad guys use. A whopping 91% of cyberattacks start with a phishing email, but email hacking is much more than phishing and launching malware! See 10 ways hackers social engineer your users into revealing sensitive data.

          Social Engineering In The News

          Healthcare Industry Names KnowBe4 As The 2019 Top Rated Platform For Cybersecurity Training & Education

          Black Book Market Research LLC surveyed over 2,876 security professionals from 733 provider organizations to identify gaps, vulnerabilities and deficiencies that persist in keeping hospitals and physicians proverbial sitting ducks for data breaches and cy...

          American Nikkei Employee Falls For Social Engineering Scam And Loses 29 Million Dollars

          Phil Muncaster at InfoSec Mag had the (painful) scoop: "Media giant Nikkei has become the latest firm to suffer a humiliating Business Email Compromise (BEC), after it admitted losing $29m to scammers following human error.

          [Heads Up] Scam Of The Week: Phishing Attacks Using Better Benefits And Pay Raise Bait

          Millions of employees use KnowBe4's Phish Alert Button to report suspect emails, and thousands of organizations share these reports with us. This has become a fascinating threat source, because these phishy emails have made it through all the filters. We ...
