Stopping Sophisticated Social Engineering Scams – Looking Beyond the Basic Signs

We recently came across an article at CSO Online, “10 signs you’re being socially engineered,” that caught our attention. While the 10 signs are certainly accurate – and are signals that everyone should be aware of – many of these tactics and indicators would come from less experienced and less sophisticated hackers: newcomers who are perhaps even using pre-packaged, turnkey Phishing-as-a-Service (PHaaS) kits available on the dark web in an attempt to launch a phishing or social engineering attack for quick financial gain.

The more sophisticated social engineering attacks we see today often avoid triggering these warnings. The threat actors’ goal is to socially engineer their victims and prevent the scam from being uncovered for as long as possible so that they can accomplish their objectives – stealing login credentials, credit card and other financial data that they can leverage. Paul Newman (as Henry Gondorff) in the movie “The Sting” once said, “You gotta keep his con even after you take his money. He can’t know you took him.” This certainly applies to today’s threat actors. While new defensive technology and automation are reducing time to discovery, it is still a leading security pain point for organizations.

In addition, in their efforts to avoid detection and security protocols, today’s sophisticated threat actors often use attack vectors that go beyond email, websites, or social media. They may employ ads (malvertising), SMS texts, search results, and, perhaps even more prevalent, rogue browser extensions.

Rogue browser extensions pose an exceptional challenge – for both organizations and users – as they are often providing a legitimate service while still being malicious. We’ve even seen legitimate, real browser extensions that have been useful for a while get acquired by an unscrupulous organization or become individually augmented for attack purposes.

The article does paint a picture of what to look for and is certainly worth a read. Here are a couple of thoughts we had on some of the specific signs:

Sign 2 – Asking you to execute content. This is where organizations and users need to think beyond email, a website, or a social media post that the article mentions. Texts, search results, and rogue browser extensions can achieve the same end game and pose challenges in identification.

Sign 3 – Bad or suspicious URL. Identifying malicious-looking phishing URLs is certainly important, but today’s threat actors are using URL obfuscation, URL redirection, and URL shorteners such as bit.ly to mask the real URL being clicked.

Sign 4 – Stressor events. These attacks are designed to instill a sense of urgency and play on basic human needs, whether that be a better job, a lottery win, or just software that will make your life easier. They also play on basic human emotions, such as trust, greed, honesty, and ambition. Some examples of these that we’ve seen are technical support scams, fake job emails, and sweepstakes scams.
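To make Sign 3 concrete, here is an added example (not from the CSO article and not SlashNext's code) that walks a redirect chain hop by hop and reports what the first URL alone would hide. The response table, the `.example` hosts, the shortener list, and the function names are all constructed assumptions so that the code runs offline.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample data: URL -> (HTTP status, Location header or None).
# Hosts use reserved .example names; nothing here is fetched from the network.
CONSTRUCTED_RESPONSES = {
    "https://short.example/a1b2": (301, "https://tracker.example/r?id=7"),
    "https://tracker.example/r?id=7": (302, "//login.portal.example/signin"),
    "https://login.portal.example/signin": (200, None),
    "https://loop.example/x": (302, "https://loop.example/x"),
}
SHORTENERS = {"short.example"}  # assumption: a locally maintained shortener list
MAX_HOPS = 10

def registrable(host):
    """Crude last-two-labels grouping; a real tool would use the Public Suffix List."""
    return ".".join((host or "").split(".")[-2:])

def resolve_chain(url, responses=CONSTRUCTED_RESPONSES):
    """Follow redirects one hop at a time and return (chain, findings)."""
    chain, findings, seen = [url], [], {url}
    while True:
        status, location = responses.get(chain[-1], (None, None))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative or scheme-relative
        if nxt in seen:
            findings.append("redirect-loop")
            break
        if len(chain) > MAX_HOPS:
            findings.append("too-many-hops")
            break
        chain.append(nxt)
        seen.add(nxt)
    first, last = urlsplit(chain[0]), urlsplit(chain[-1])
    if first.hostname in SHORTENERS:
        findings.append("starts-at-shortener")
    if registrable(first.hostname) != registrable(last.hostname):
        findings.append("lands-on-different-domain")
    for hop in chain:
        parts = urlsplit(hop)
        if parts.username is not None:
            findings.append("userinfo-in-url")  # text before '@' is not the host
        if parts.hostname and "xn--" in parts.hostname:
            findings.append("punycode-host")
    return chain, findings
```

None of these findings is a verdict by itself; they mark where the page a user finally lands on needs inspection rather than the link they were shown.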

While an organization cannot completely eliminate all of these threats, it can help prevent its employees from ever reaching malicious websites through more of these scams and attack vectors. SlashNext’s threat detection technology uses a browser-based approach that follows URL redirects and examines the contents of each subsequent page in real time, rather than focusing solely on URL analysis or domain reputation analysis of only the initial page. Our SEER™ technology (Session Emulation and Environment Reconnaissance) runs virtual browsers in a purpose-built cloud to dynamically inspect sites and, perhaps more importantly, page contents and server behavior, with advanced computer vision, OCR, NLP, and active site behavioral analysis. Machine learning enables definitive verdicts (malicious or benign) with exceptional accuracy and near-zero false positives, which means security teams have no inconclusive threat probability scores to research.

Our Real-Time Phishing Threat Intelligence and Targeted Phishing Defense solutions can see beyond the legitimate website to identify what might lie in wait. Start a free 15-day trial of Real-Time Phishing Threat Intelligence or contact us for a demo of our Targeted Phishing Defense to see how you can protect your organization.
