Rhino Security Labs


Don’t be fooled by these common social engineering attacks


Ever wonder how hackers get a foothold in big corporations that spend millions of dollars on security? Instead of attacking the technology, they often target employees, tricking them into providing access.

Some of these techniques are advanced and require a lot of skill and practice. But the most common social engineering attacks are simpler to pull off than you might think.

“This is the helpdesk…”

An oldie but a goodie: an attacker masquerading as a helpdesk employee remains one of the most common social engineering attacks.

An example of this kind of attack might sound a bit like this:

“Hello, this is Kenny with the helpdesk. We’re going to be doing some PC maintenance tonight and I needed to get your password to make sure everything is ready to go for you when you get back in the office tomorrow.”

It’s surprising how often this technique works. As a matter of convenience, some IT helpdesks place legitimate phone calls like this and lull users into believing it is a common, acceptable procedure.

A well-run, security-conscious helpdesk will never ask users for their passwords. Establishing this as a policy and providing end users with training on how they should handle their passwords will go a long way towards preventing this type of social engineering attack.

Ransomware

Have you ever received a pop-up in the corner of your screen that said something like “Your computer is infected. Click here to begin removal.”?

Once you clicked on the message, you were taken to a screen that outlined some details of the “infection” and how you could solve the problem by paying a fee. Maybe you even followed through and provided your credit card information.

Ransomware is normally targeted at individual consumers, but it often takes the form of blackmail when targeted at a business’s employees. More targeted ransomware might claim “We’ve found illegal pornography on your computer” or something similarly embarrassing.

In addition to credit card information, these attacks might also capture usernames and passwords, or pull the employee into a one-on-one conversation with an attacker who forces them to take some action under the threat of blackmail.

While solid anti-malware controls can help prevent ransomware infections, the best defense is to train employees on how to differentiate between legitimate and illegitimate system messages, and to contact the helpdesk whenever they are unsure of what they’re seeing.

Social media

Facebook and other social media platforms provide a great avenue for social engineers to collect information about their corporate target and plan out their attack.

Maybe you get an invitation to connect on LinkedIn that looks a little like this:

“Hey, I just started working at Trask in the executive office and am trying to connect with other people who work here. Would you mind adding me?”

Once you connect with this person, they are able to see all of your professional connections and any details you’ve added to your social media profile. This information can be used to build out an organizational chart they will use in their attack, or it might provide a direct avenue of attack.

The attacker may start a longer conversation with you over social media that turns into a friendly relationship. Once that relationship matures a bit, you might get a message like:

“OMG! My login won’t work and the helpdesk isn’t answering. I’m supposed to finish this report for Dave (the CEO) but need to be on the network to get the info I need. Can I borrow your VPN login? It would really save my butt.”

It might sound silly, but this technique works time and time again. It has become especially effective as younger generations, who are more comfortable developing relationships with people they might never meet in the physical world, enter the workforce.

Again, training is key to making sure employees know how they might be exploited to attack their employer.

Social Engineering Assessments

While necessary for any security program, technical assessments alone are an incomplete simulation of a real world cyberattack. Technology does not exist in a vacuum – people are the central component of any company process, and are often the primary gateway to sensitive data and processes.

Rhino Security Labs offers a range of expert-driven social engineering engagements for organizations looking to test their employees and associated security policies. Whether traditional phishing (email), vishing (voice calls), or on-site assessments that attempt access to the physical building, we have trained experts at the ready.