"A person is said to use manipulation (or social engineering) when he or she uses influence and persuasion to fool people by pretending to be someone he or she is not. Ultimately, the manipulator knows how to exploit others in order to obtain information, with or without the aid of technology." (Kevin D. Mitnick, The Art of Deception)
In the context of information security, social engineering refers to practices of psychological manipulation for the purpose of fraud. These practices exploit psychological, social and, more broadly, organisational weaknesses to obtain something from the targeted person by building trust: a good, a service, a bank transfer, physical access, access to a computer system, or the disclosure of information such as passwords or company details useful for an attack.
To emphasise the concept of deception, the terms 'psychological hacking' or 'psychological fraud' are sometimes used.
In this video, Jessica Clark, a social engineering hacker, demonstrates the power of social engineering.
Most social engineering scams are carried out in four phases:
The first phase, which is optional depending on the case, is information gathering. Its aim is to understand the context of the attack well enough to build a convincing hook, by collecting basic information on the targeted person and/or organisation from every available resource: social networks, the economic press, company registries such as Infogreffe, etc. It is also during this phase that the attacker plans the best possible approach and chooses the person (or persons) who will be used in the plan.
The second phase is establishing the relationship between the attacker and the target, which sets up the conditions for a successful "game". During this phase the attacker contacts the person and/or organisation, creates a sense of familiarity and thereby takes control of the interaction.
The third phase is the exploitation of the identified vulnerabilities. Its aim is to extract as much information as possible; to that end the attacker prolongs the interaction as long as needed and tightens control of the relationship.
The fourth and final phase is the exit, which ends the interaction, ideally without arousing suspicion and by convincing the target not to say anything. The attacker will also be careful to cover their tracks during this final phase.
Depending on the scale of the planned attack and the expected reward, some attackers do not hesitate to spread their plan over weeks or even months, sometimes going as far as making direct contact with their target(s). If a company is targeted, they may, for example, get hired as employees or contractors. Once inside the company, they have direct access to a whole range of resources and can more easily gain the trust of the internal people needed to execute their plan.
FOVI, or False International Transfer Orders
A known form of social engineering that has been on the rise in recent years is the False International Transfer Order (FOVI, from the French "faux ordre de virement international").
The "president fraud", one of the best-known FOVIs, consists of convincing an employee of a company who has the necessary rights (accountant, executive assistant, etc.) to make a bank transfer. To do this, the attacker, impersonating a manager on the strength of information collected beforehand, contacts the victim (usually by telephone) and insists on the urgency of the action to be taken, being as persuasive as possible. Most of the time, the employee, convinced and wanting to do the right thing, will comply.
A second well-known FOVI, the "RIB change" (RIB being the French bank account identifier), consists of sending an email to an employee while pretending to be a supplier, asking that payments be directed to another bank account (one belonging to the attackers).
To cover as many eventualities as possible, some attackers, posing as the supplier, first send an email asking the customer to update the supplier's contact details (telephone number, email, etc.) in its records.
Then, when a request to change the bank account number arrives a few days later, any check the company makes with the supplier lands on the attacker's telephone or mailbox, and the attacker need only confirm the change.
Recognising the signs of an attack:
A request for an international transfer that is unplanned, urgent and confidential. In this case, do not hesitate to contact your usual contact person using the contact details already known to the company, or ask another manager to verify the request.
Any change of telephone number or e-mail address.
Direct contact from an attacker posing as a member or manager of the company, who uses flattery or threats to manipulate the other person.
To establish credibility and impersonate a position, the fraudster provides an abundance of details about the company and its environment: personal data concerning the company director, its employees, etc. This should alert you.
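The "RIB change" pattern described above, where a change of contact details is followed a few days later by a change of bank details, lends itself to a simple screening rule for supplier change requests. The following Python is an added example, not code from the original post or from CyberSecura: it flags bank-details changes, pressure cues (urgency, confidentiality) and a contact change accepted shortly before a bank change, and it always returns the contact details that were on file before any recent change, so the callback never goes to the telephone number or mailbox the request itself supplied. The supplier record, dates and values are constructed, and the Supplier and ChangeRequest types, the review_request function and the 30-day window are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Supplier:
    """Supplier record as held by the accounts-payable team (assumed structure)."""
    name: str
    phone: str
    email: str
    iban: str
    # accepted changes as (date, field, previous_value), newest appended last
    history: list = field(default_factory=list)


@dataclass
class ChangeRequest:
    """One inbound request to change a supplier record (assumed structure)."""
    supplier: str
    received: date
    changed_field: str      # "phone", "email" or "iban"
    new_value: str
    urgent: bool = False
    confidential: bool = False


CONTACT_FIELDS = ("phone", "email")
BANK_FIELDS = ("iban",)


def verification_contacts(sup: Supplier, as_of: date, window_days: int) -> dict:
    """Contact details to call back on. Any contact change accepted within the
    window is treated as untrusted and rolled back to the value on file before
    it, so the callback never lands on details a requester supplied recently."""
    contacts = {"phone": sup.phone, "email": sup.email}
    for changed_on, fld, previous in sorted(sup.history, reverse=True):
        if fld in contacts and 0 <= (as_of - changed_on).days <= window_days:
            contacts[fld] = previous
    return contacts


def review_request(sup: Supplier, req: ChangeRequest, window_days: int = 30) -> dict:
    """Screen one change request: return the flags raised and the details to verify through."""
    if req.changed_field not in CONTACT_FIELDS + BANK_FIELDS:
        raise ValueError(f"unknown field {req.changed_field!r}")
    flags = []
    if req.changed_field in BANK_FIELDS:
        flags.append("bank_details_change")
        # the two-step pattern: a contact change accepted shortly before a bank change
        if any(f in CONTACT_FIELDS and 0 <= (req.received - d).days <= window_days
               for d, f, _ in sup.history):
            flags.append("contact_change_preceded_bank_change")
    else:
        flags.append("contact_details_change")
    if req.urgent or req.confidential:
        flags.append("pressure_cues")
    return {
        "action": "hold_and_call_back",   # every change is confirmed out of band
        "flags": flags,
        "verify_via": verification_contacts(sup, req.received, window_days),
    }


def apply_change(sup: Supplier, req: ChangeRequest) -> None:
    """Record an accepted change; to be called only after the callback confirmed it."""
    sup.history.append((req.received, req.changed_field, getattr(sup, req.changed_field)))
    setattr(sup, req.changed_field, req.new_value)


def build_scenario():
    """Constructed two-step scenario: a phone change, then an urgent IBAN change five days later."""
    sup = Supplier("Acme Supplies (constructed)", "+33 1 00 00 00 00",
                   "billing@supplier.example", "FR00 CONSTRUCTED 0000")
    contact_req = ChangeRequest(sup.name, date(2024, 3, 1), "phone", "+33 6 99 99 99 99")
    bank_req = ChangeRequest(sup.name, date(2024, 3, 6), "iban", "FR00 CONSTRUCTED 9999",
                             urgent=True, confidential=True)
    return sup, contact_req, bank_req


def run_scenario():
    """Return the review of each request in turn."""
    sup, contact_req, bank_req = build_scenario()
    first = review_request(sup, contact_req)
    # Simulate the lapse the text describes: the phone change is recorded
    # without a real callback, so the attacker's number is now on file.
    apply_change(sup, contact_req)
    second = review_request(sup, bank_req)
    return first, second


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The second review still returns the original telephone number under "verify_via" even though the record now holds the new one, which is the property the callback needs: the check goes to the details the company knew before the sequence began, not to those introduced by the request chain.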
What to do if you are, or think you are, a victim of False International Transfer Orders?
Identify fraudulent transfers and request their suspension from the bank.
If the transfer has already been made, ask the bank to return the funds.
Keep the evidence in your possession: any information (e.g. telephone numbers, emails, transfer orders, invoices) that you can use to report the scam to the authorities.
If the fraud was made possible by hacking into an email account, change the password immediately.
File a complaint with the Gendarmerie or the Police with all the evidence in your possession.
For more information on FOVIs, preventive measures and what to do in the event of an attack, please consult the summary sheet on the government's website.