What is Socially Engineered Email?

This type of spam differs from ‘general’ spam. It is profiled on your known social and digital behavior, targeted at getting you to perform an action, and hard to detect as false because its wording and content look legitimate. Click a link, open a document, or simply reply to the email, and you may end up with a virus, malware, or ransomware (files locked up with a $$$ request to release them). In many cases, the link connects to an internet server and starts downloading malicious software, which hooks into files on the PC and hard drive and captures login, credit card, or personal information to transfer to someone on the internet. Opening a document can have the same effect. If you see any emails from the government or banks, or an email with an accusing tone…watch out! Stay suspicious, and if you are getting an invoice, link, or file from an unknown person – DO NOT OPEN!

Does this seem paranoid? I know, I know. I was a senior consultant working on a client’s IT department projects when an Accounts Payable department employee received a request to transfer around $25000 into a bank account, by account number, to ‘put a remittance payment’ on a large outstanding bill. The customer was a large customer and the staff member did the transfer – because it was a large customer and it looked very legit and threatening – they were behind on the bill! The socially engineered email had gathered enough information in profiling this company: it knew the habits of AR, knew they served this customer, knew they were in arrears, and was written as if it came from the customer’s email servers, to the right AR person. The AR person made the transfer to the account specified without confirming with anyone, keeping the letterhead of the request as ‘proof’. Needless to say, they were in a lot of trouble! I have also seen refunds requested to a customer’s bank account with numbers that had no link to the customer. The email sent contained official letterhead, looked like it came from the company requesting the refund, mentioned they spoke to someone by name in AR, etc.! Also, never share your payment habits with strange telemarketers or anyone else. Never share the frequency of payment, details of payments, etc.

In IT security, the principle is that people and habits are among the weakest parts of any organization’s security. To help you, I have posted the infographic below on how to spot malicious emails and flag them. Below is a great summary from KnowBe4.com on this subject. This company was founded by Kevin Mitnick, who was a notorious cyber hacker, caught and sentenced to 5 years in prison in 1995. He was released with conditions and started this company to train users and companies on how to protect their assets and recognize attacks. NineOne also trains companies on how to maintain their security posture, using many of his principles in addition to network and firewall technology. We do training and mentoring for organizations on how to recognize socially engineered email, among other things, and it is becoming a real need in the marketplace! Seminars are available now for any size of company to help with your security needs. Be safe!

Author:
IT consultant with oodles of years of experience in security and systems planning and business engagements for IT projects.