Aureon's Security Engineer, Jordan Neal Speaks at CyberCon about Social Engineering Practices

Aureon's Security Engineer, Jordan Neal, shares security insights at Iowa Communications Alliance 2023 CyberCon VIII in May.

Articles published June 8, 2023 by Jessica Larsen, Communications Specialist

Aureon's Security Engineer, Jordan Neal, spoke at Iowa Communications Alliance 2023 CyberCon VIII event held at the Sheraton Hotel in West Des Moines on May 17 – 18. Jordan informed the crowd on the importance of understanding social engineering: a brief anatomy of phishing. 

Jordan has been working in the security industry for seven years and has focused on physical and technical security at Aureon. He has been working on protecting Aureon's Clients against cyberattacks. 

Social engineering is a technique that cybercriminals use to gain information from their targets and involves psychological manipulation. This method works by using emotions such as fear, greed, curiosity, helpfulness, and urgency. The goal of the bad actors is to get their target to reveal specific information or perform a particular action. Jordan explained at Cybercon that perpetrators achieve this through phone, email, snail mail, or direct contact. 

The first type of social engineering is called phishing. Phishing is a method used for acquiring sensitive data, such as bank account numbers. The perpetrator masquerades as a legitimate business or reputable person to gain this information. Jordan explained that types of phishing include angler, spear, smishing, and vishing. 
 
•    Angler phishing – the threat actor spoofs a corporate social media account.
•    Spear phishing – the threat actor targets specific organizations or individuals.
•    Smishing – phishing using text messages.
•    Vishing – phishing using phone calls. 

Whaling is a phishing attack differentiated from phishing because it targets high-profile employees such as the CEO or CFO. The attacker's goal is to manipulate the victim into authorizing high-value wire transfers to the attacker. 

Scareware is malware that attempts to scare users into thinking that their device has been infected with a virus and encourages the person to download a program to fix it. 

Ransomware is malware that encrypts users' or an organization's files. It holds the files hostage, until the user pays a ransom. 

Baiting is a technique that seduces a person with a deceptive promise that appeals to their curiosity or greed. 

Diversion Theft is a technique that tricks the user into sending their data or credentials to the wrong person. 

Pretexting is a scam where threat actors pretend to be someone or something that they are not; an example is someone pretending to be the IRS and introducing a threat of legal consequences for not cooperating. 

A Tailgating/piggybacking attack targets an individual who can give a criminal physical access to a secure building or area. These scams are often successful due to a victim's misguided courtesy, such as opening a door for an unfamiliar person. 

Water-holing is an attack that uses advanced social engineering techniques to infect a website and its visitors with malware. The infection spreads through a website specific to the victims' industry. 

How to Identify a Scam or Attack

Jordan explained that some red flags are an unknown phone number, unusual requests, an uncommon sense of urgency, aggressive or coercive demands, unexpected files or file types, accounts that have no common associations or interests, offers that are too good to be true, and poor spelling, grammar, or broken English. 

Ways to Protect Yourself on Social Media

•    Posting too frequently establishes a schedule.
•    Scammers can identify other associations.
•    Do not post:
1.    Too many details.
2.    Your physical or work location.
3.    Your job role.
4.    Work schedules.
5.    Screenshots of conversations.
6.    User credentials.
7.    Phone numbers or email addresses.
8.    Financial data.
•    Keep personal tools for personal knowledge.

Things to Consider Before Adding Information to your Corporate Website

•    Sensitive employee data.
•    Employee schedules.
•    Satellite office locations.
•    Non-published phone numbers.
•    Pictures of employees.
•    Pictures of secured facilities.

How to Protect Yourself

•    Ask questions.
•    Does the request seem off?
•    Is the person who they say they are?
•    Does the proposal make sense?
•    Double-check phone numbers, account numbers, and routing numbers.
•    Enable multifactor authentication.
•    Use geofencing.
•    Use strong passwords.
•    Keep SSL certificates up to date.
•    Limit public-facing corporate information.

If an Incident Happens

•    Refer to your corporate incident response plan.
•    Collect and document evidence.
•    Contact law enforcement as appropriate.
•    Notify insurance carriers as appropriate.
•    Notify affected parties.
•    Deliver consistent and accurate communications.
•    Please don't attempt to cover it up.

Aureon is Here to Help

If you want help verifying or vetting your processes, security posture, or assistance with implementing security tools for your organization, visit us at www.Aureon.com or call 800-469-4000.