You get an urgent email from HR that reads:

Please complete all details to ensure payroll can be processed this month. This has to be completed before lunchtime today! Please click the link below.

Click here to enter details.

Do you click it or not? Is it genuine? Or are you now part of a phishing attack, a type of social engineering where malicious attackers aim to retrieve company data or your personal details?

Before we go any further, I want you to think for a second. Check your LinkedIn profile and other social media pages for the number of connections or friends you have. Now, are you one of those people with 500+ connections on LinkedIn? Do you know all of them? Have you worked with these people in the past or are you currently working with them? Met them in person? Or have they approached you to gather OSINT (open source intelligence) for a phishing attack against you?

Got you thinking?

Now don’t get me wrong. I am not suggesting you delete everyone on social media you have never met. Instead, my aim here is make you think for a second.

In a world where people are increasingly connected online, we are becoming disengaged from what is happening and around us and more trusting of what is happening on our mobile apps and social media accounts. Social engineering attacks are growing because attackers can discover so much information about a target without ever having to move from their chair. All they need are some adequate Google skills. It’s quite interesting what they can find. If the target hasn’t locked down their profile or has shared too much information, the life of an attacker only gets easier.

One aspect of social engineering risk that is sometimes overlooked is a connection request from someone who looks familiar. Being pack animals, we tend to accept these requests out of a desire to be socially accepted and popular. But unknowingly, we may have just provided more information to that “friend” than we originally intended.

I have used LinkedIn as an example, and this is one out of hundreds if not thousands of social sites where people upload information. Think about what information you provide on one social site, then if you start linking accounts to others such as Facebook, Twitter, and Instagram. As a potential attacker (or social engineer), it wouldn’t take too much time or effort to quickly find out the following about a target:

  • Place of work
  • Social interests
  • Favorite books
  • Favorite places to eat
  • Mobile number (yes, in some instances this is advertised by individuals)
  • If location services is turned on. That’s a whole new level of exposure, although many social sites now strip this metadata out of photos and posts, which is a huge relief!

The list goes on, but as you can see, the cyber criminal may already have enough information to engineer a potential social attack and attempt to retrieve other personal information such as social security numbers, bank details, etc. Although in some cases, you can argue that too much information is already entered into certain social sites and attackers don’t need to do social engineering at all.

There are genuine reasons why we may need to populate certain sites with personal information; it is difficult to avoid, especially in the IT business. However, we all need to be mindful about what information we are putting on these sites and the level of detail we provide.

Fighting Back?

Now I’m not asking you to delete all your social accounts, buy a metal helmet, go underground, and not trust anyone. I am merely reminding everyone to remain vigilant and think a little before providing personal information on social sites or in response to a phone call, email, or text.

Here are some suggestions for protecting yourself and your company:

  • First of all, be vigilant and skeptical about emails and attachments, especially if the sender requests personal information or redirects you to external URL that aren’t familiar. Legitimate companies and other third parties are usually extremely clear about why personal details are needed and how they will be handled.
  • Don’t be afraid to spread the word; talking about these potential threats keeps them fresh in our minds. The mere mention of a suspicious email in open conversation may stop someone else from interpreting it as a friendly hello.
  • Take note of your company policy if you do fall for a phishing attack. Report it immediately to the proper individuals so they can invoke the correct procedures. This can happen to anyone, so don’t be embarrassed about notifying security personnel.

Technical Controls

My focus has been on scenarios where attackers persuade individuals to enter their details willingly into various online forms or messages. However, there are instances where a malicious link will download a binary onto your device and commence collecting details or logging keystrokes and potentially sending them back to the attacker. In this instance, there are some technical protections that can be used as extra layer of defense.

Citrix offers a wide variety of technological options to protect your business and employees.

One is the Citrix Secure Browser service. By isolating internet surfing and applying granular controls, it allows administrators to add a layer of defense when phishing emails are distributed, the links within them are unable to be opened and malicious content downloaded on the corporate network. Segregating the corporate network from a more open internet-facing network (or using network zones) with the correct security policies certainly brings many benefits and helps strengthen data containment, thus reducing the risk of data exfiltration.

Using SaaS apps fronted with Citrix ADC, which allows IT to apply context controls based on multiple variables, ensures that users access the right applications and data without exposing the business to too much risk. Understanding users and their work scenarios, such as connecting from a coffee shop, allows companies to limit access compared what would be permitted in a secure office setting. Applying this form of contextual awareness helps the business support a secure mobile workforce strategy.

The aim of this blog has been to raise awareness about the rise of social engineering attacks such as phishing and encourage thoughtful behaviors — especially on social media — and effective IT controls so we can all work more securely. With that, thanks for reading.

– Andy Mills, Principal Consultant