When a hacker gains access to someone’s email account, it can lead to all sorts of trouble, both at home and at the office. On Wednesday, July 1st, the FTC issued a scam alert about a social engineering scam that cons a target into divulging their credentials as part of the verification process for a password reset the hacker initiated. All the hacker has to do is click for a password reset and then follow it up with a text to the target’s phone, pretending to be the email provider and asking them to verify the request to complete the process. If the target is set up to receive those kinds of text notifications, as many people are these days, it will all seem normal. With access, a hacker can peruse the victim’s email account for more personal information, see details of other accounts that may have been set up, use it as a launching pad to send phishing emails to friends, family or work colleagues, and even have future emails copied to them before the victim ever notices the problem.
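The red flag in the scam described above is a text that asks the recipient to send a verification code back: a real provider delivers a code for you to type into its own site or app and never asks for it by return message. As an added example that is not part of the original article, this small Python triage routine (hypothetical keyword heuristics, run over constructed sample messages) flags such texts so they can be ignored or reported:

```python
import re

# Constructed sample inbound text messages (not from the original article).
# Message 0 is a legitimate code delivery; 1 and 2 ask the user to hand the
# code over, which is the social-engineering step in the FTC alert.
SAMPLE_SMS = [
    "Your verification code is 482913. Do not share it with anyone.",
    "We noticed a password reset on your account. Reply with the code we just sent to confirm it's you.",
    "Mail-Provider: to complete the reset, text back the 6-digit code you received.",
    "Lunch at noon? Bring the docs.",
]

# Hypothetical heuristics: a request verb and the word "code" in the same
# sentence, in either order. "share" is deliberately excluded because
# genuine code deliveries say "do not share".
SOLICITATION_PATTERNS = [
    r"\b(reply|respond|text back|send|forward)\b[^.]*\bcode\b",
    r"\bcode\b[^.]*\b(reply|respond|text back|send|forward)\b",
]


def is_code_solicitation(sms: str) -> bool:
    """Return True when an inbound text asks the user to send a code somewhere."""
    text = sms.lower()
    return any(re.search(pattern, text) for pattern in SOLICITATION_PATTERNS)


def triage(messages):
    """Split messages into (flagged, clean) so a user or help desk sees what to ignore."""
    flagged = [m for m in messages if is_code_solicitation(m)]
    clean = [m for m in messages if not is_code_solicitation(m)]
    return flagged, clean


if __name__ == "__main__":
    suspicious, ok = triage(SAMPLE_SMS)
    for m in suspicious:
        print("FLAGGED:", m)
    for m in ok:
        print("clean:  ", m)
```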
This kind of social engineering attack not only shows how hacker techniques continuously evolve, but it also shows what can happen in the aftermath of all those data breaches that have been making headlines this year that saw the personally identifiable information (PII) of millions put out “in the wild.” For this scam to work, all a hacker needs is someone’s email address and mobile phone number, making it obvious that stolen information doesn’t need to include social security numbers, passwords, or account numbers to cause all kinds of problems.
Joe Caruso, founder and CEO/CTO of Global Digital Forensics (GDF), a premier national provider of cyber security solutions and digital forensics services headquartered in New York City, has been beating the drums about social engineering dangers for years. “It’s the biggest cyber security weakness most organizations have,” he says, “someone from inside the castle falling for a social engineering ploy, whether it’s something like this, or just a simple phishing email. From there creativity is the only limitation for how attackers will leverage that access to steal from, destroy, take hostage, or control a corporate network.”
Regular testing and awareness training are crucial
GDF puts a strong focus on social engineering during its professional penetration testing, going through the same efforts real-world hackers do to craft these kinds of convincing campaigns, and then helps an organization raise awareness enterprise-wide according to the results. To date, GDF has never failed to penetrate a client’s network, and the eye-opening results go a long way toward making the lessons learned stick for everyone. GDF can also provide tailored social engineering awareness training for clients to help their employees better understand the threats that are out there, what to be on the lookout for, and what they should do if they suspect they may have been compromised.
Cyber survival today is also about how you respond when you get knocked down
It’s an undeniable fact: eventually, every organization gets hacked in some form or fashion, whether the attack comes from the outside, from within, or both, as with a social engineering attack. But the organizations that weather the storm will be the ones with predetermined emergency response policies and procedures ready to go. Global Digital Forensics has experienced emergency response teams on call and strategically positioned across the country and the globe to respond quickly and effectively whenever an emergency strikes, day or night. And for organizations that use GDF to perform professional vulnerability assessments and penetration testing, no-retainer Service Level Agreements (SLAs) are available so you can always have expert responders waiting in the wings should an emergency materialize, without having to spend anything if nothing happens. GDF can also help clients craft emergency response policies and procedures from scratch, if none exist, or bring existing plans up to date to meet today’s threats, as well as design an effective escalation matrix that can be easily followed to make sure your initial response efforts move like clockwork. It’s as close to a no-lose scenario as it gets for dealing with cyber emergencies, from identifying and stopping the attack to reporting procedures and other regulatory compliance issues that may be involved for specific industries.
The right help against today’s cyber threat landscape
Global Digital Forensics is a recognized industry leader in the fields of computer forensics, electronic discovery (eDiscovery), cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a plan which will meet your unique needs. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit evestigate.com.