Tactic 1: Feign familiarity and/or shorten degrees of separation
Social engineers who work through phone calls typically focus on convincing their targets that they are either a fellow employee (larger businesses are more at risk for this) or an external authority such as an auditor or on-board consultant or analyst. If a social engineer wants information on a specific employee they will frequently contact a different employee within the same company.
The social engineer then works through the degrees of separation between that first contact and the real target. The targeting usually starts with more peripheral employees, such as a receptionist or the guard at the gate watching a parking lot.
Social engineers use simple ideas to cozy up to the more accessible people in an organization in order to get information about people higher up in the hierarchy.
Perhaps the most common technique is simply to be friendly. Social engineers pose as friends and feign interest in employees and their personal lives. This kind of interaction leaves employees more open, with their guard down. It frequently does not take long for an employee to hand over information that is plainly privileged, the same information they would automatically guard if a stranger or new acquaintance asked for it directly.
Tactic 2: Learning your corporate language
Every industry has its own shorthand. A social engineer studies that language and uses it in interactions with employees. This builds trust between the social engineer and the target: employees are more willing to give information to someone who uses the initialisms and terms they are used to hearing at work.
Tactic 3: Borrowing your ‘hold’ music
A social engineer intentionally contacts a company through a route that involves being put on hold, and records the waiting music. When the social engineer later calls the intended mark, they talk for a minute and then put the mark on hold. The mark hears the familiar company music and concludes that the caller works for the same company. The social engineer is capitalizing on readily available "material" and using it to exploit a common psychological cue.
Tactic 4: Phone-number spoofing
The caller ID is forged so that the call appears to originate from within the company.
Employees are much more likely to give out private information such as passwords and other credentials over the phone when the caller ID legitimizes the request. The trick is often undetectable afterwards: if the displayed number is dialed back, it rings a genuine internal extension.
Tactic 5: Using the news
Social engineers very frequently use whatever is in the headlines as lures for scams, phishing, and other intrusion attempts. Emails are crafted to trick recipients into clicking links to pages running malicious scripts or pages masquerading as official company websites. The messages are filled with half-truths and believable details to deceive marks into handing over the information needed to log into secure accounts, such as bank accounts or company networks.
This tactic is especially common in scams targeting individuals, but it also turns up in attempts to gain access to the networks and information of the marks' employers.
Tactic 6: Capitalizing on faith in large social networking sites
Social network users are fooled by emails that claim to come from sites like Facebook but are actually sent by social engineers running scams or attempting network penetration.
A common approach is an email that says: "The site is doing maintenance, click here to update your information." The link leads to a malicious site.
Tactic 7: Exploiting common typing mistakes
Social engineers capitalize on common typos made while entering web addresses. Social engineers, and attackers in general, anticipate these mistakes and register look-alike domains that closely resemble the site the victim intended to visit.
Unsuspecting individuals end up on sites that try to sell something, steal something, or push out malware. This tactic is used both as a shotgun approach against the general public and as a targeted approach against specific employees.
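A defender can turn the same observation around: enumerate the typo variants of the company's own domain and watch DNS query logs for them. The script below is an added example, not part of the original article; the domain examplecorp.com, the partial keyboard map, and the log lines are all constructed for illustration.

```python
"""Flag typosquatted look-alikes of a corporate domain in DNS query logs.
Added example, not from the original article; domain, key map and log lines are constructed."""
import re

# Partial QWERTY neighbour map (constructed), covering the letters of the sample domain.
ADJACENT = {"a": "qs", "c": "xv", "e": "wr", "l": "ko", "m": "n",
            "o": "ip", "p": "ol", "r": "et", "x": "zc"}

def typo_variants(domain: str) -> set[str]:
    """Return common mistyped forms of the label before the TLD."""
    name, tld = domain.rsplit(".", 1)
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])             # omitted character
        variants.add(name[:i] + ch + ch + name[i + 1:])   # doubled character
        for alt in ADJACENT.get(ch, ""):
            variants.add(name[:i] + alt + name[i + 1:])   # adjacent-key substitution
        if i + 1 < len(name):                             # two neighbours swapped
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])
    variants.discard(name)
    return {f"{v}.{tld}" for v in variants}

# Constructed DNS query log: "<timestamp> <client> <queried name>"
SAMPLE_LOG = """\
2024-01-09T10:01:02 10.0.0.15 examplecorp.com
2024-01-09T10:01:05 10.0.0.22 exmaplecorp.com
2024-01-09T10:01:09 10.0.0.22 examplecrop.com
2024-01-09T10:02:11 10.0.0.31 internal.example.net
2024-01-09T10:02:40 10.0.0.15 exampplecorp.com
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def find_lookalikes(log_text: str, legit_domain: str) -> list[tuple[str, str]]:
    """Return (client, queried name) pairs whose name is a typo variant of legit_domain."""
    suspects = typo_variants(legit_domain)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3).lower() in suspects:
            hits.append((m.group(2), m.group(3)))
    return hits

if __name__ == "__main__":
    for client, qname in find_lookalikes(SAMPLE_LOG, "examplecorp.com"):
        print(f"{client} queried look-alike domain {qname}")
```

The same variant set can be fed to a registrar lookup to see which look-alikes are already registered by someone else, which is the usual next step before a takedown request.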
Tactic 8: Using anxiety and its effects to affect the stock market
The security posture and vulnerabilities of products, and even of entire companies, can move the equities market. Researchers who studied the impact of events such as Microsoft's Patch Tuesday on the company's stock found a noticeable swing each month after vulnerability information was released.
Publicly released information affects stock prices. Social engineers can spread worrisome news and amplify meaningless or tangential issues while simultaneously taking "short" positions in the target companies' stocks.
The converse approach is to use email to run the ancient "pump-and-dump" scheme. A social engineer buys a large volume of a penny stock and then sends out a flood of emails, under the guise of an investment advisor, touting the stock's great potential (the pump phase). If enough recipients of the spam rush to buy, the price spikes upward. The social engineers then quickly "dump" their shares, often at a considerable profit.