How to Perform and Combat Social Engineering

This article was originally published in the second edition of the InfoSec Survival Guide. Find it free online HERE or order your $1 physical copy on the Spearphish General Store.

Social engineering is the use of deceptive tactics and techniques to manipulate users into providing confidential or sensitive information. This information can then be used for nefarious purposes.

Performing Social Engineering

Typically, our red team assessments start with some way to obtain initial access. This initial access is normally obtained through social engineering, whether via Microsoft Teams messages, phishing emails, smishing texts, or vishing calls. There are multiple ways to conduct social engineering, and not every approach suits every organization. A lot of OSINT (open-source intelligence) goes into developing the right social engineering ruse for an organization: what the company does, what products it uses, and even information provided by the client is used to develop an appropriate ruse.

Commonly, successful social engineering ruses are done from the perspective of an IT person calling to discuss a problem with an update that wasn’t pushed correctly, or a computer that isn’t calling home appropriately.

Recently, a tester posed as HR calling to ensure that employees had received their yearly review. Before continuing with the call, the “HR representative” attempted to verify the identity of the person they were calling using the last four digits of their Social Security number, their date of birth, and their employee number. After verification was completed, the tester proceeded with several generic questions about the review and the employee’s experience.

This ruse proved to be incredibly successful. The tester then called the help desk to claim that they had lost their phone, which held their password manager, and needed to enroll a new phone in their MFA account. With the social-engineered PII (personally identifiable information), the tester was able to enroll a new phone in their MFA account and reset their password. The compromised account could then be used to access sensitive company data.

If in doubt, go through other means to verify legitimacy. No reputable person is going to request your password or login information.

Combatting Social Engineering

So, you may ask, how do we train our employees to recognize and report social engineering attempts? The answer is to always be on guard, to have an escalation protocol that is easy to find and easy to use, and to conduct regular social engineering engagements against your team.

There are a few simple things that, when followed, can protect most users:

  • Always check who is sending the email. This can be done by inspecting email headers on suspicious emails.
    • If the sender’s address does not match who is claiming to be sending the email, report it.
  • For text messages or phone calls, the user can run a simple reverse number search on the phone number. Most VoIP phone numbers are suspicious: threat actors like to use VoIP to hide their identity, and VoIP numbers are easy to obtain.
  • If in doubt on whether an email or call/text is malicious, go through other means to contact the actual person to verify legitimacy.

Some questions users can ask themselves that indicate immediate red flags:

  • What is being requested of the user?
  • Is the user being asked to download software or navigate to a web application?
  • Is it too good to be true?
  • Are they being asked for their password, date of birth, last four of their social, or other sensitive information?

If you think that you are a target of a social engineering attempt, contact the sender via another method. For example, if the caller is claiming to be the company’s internal IT, reach out to the IT department directly through a known good number to resolve the issue.

While social engineering attempts are becoming more advanced, the same general theme applies. With these rules and a proper escalation protocol established internally, you too can fight back against social engineering.