The Hack That Always Works

By David Grant, JD, CIPP/US and Duncan del Toro, CISSP, CISA, CEH, GPEN, GWAPT, GCIH, GCIA, GSEC

Confidence schemes, or "con games," are as old and varied as mankind. For centuries, con artists have relied upon simple, direct forms of communication, gaining their victims' trust through one-on-one conversations, letters, simple demonstrations, and the like. Unfortunately, the advent of technology has led to a revolution in dishonesty, offering criminals avenues of approach that are sophisticated, difficult to spot, and quick to execute. Most, if not all, of these modern cons fall into the category of social engineering.

Social engineering is the psychological manipulation of unsuspecting people for the purpose of information gathering, fraud or system access. Essentially, hackers take advantage of most people's tendency to trust others, tricking them into revealing information that can be used to gain access to systems, data, or resources. Most social engineering tactics involve email or websites, but hackers also contact victims via phone, often impersonating an official representative, such as a bank employee, in order to trick their target into providing the desired information.

Cyber security professionals will readily admit that, if a hacker gathers enough information about a potential target and gets the timing right, social engineering will always work. (Interestingly, in a recent experiment, a journalist asked information security experts to find out just how much of his personal information they could garner via social engineering and other tactics; the results are horrifying.)

Types of Attacks 
Phishing: Phishing is an email-based attack that is designed to obtain the victim's user credentials. These types of attacks are often very sophisticated - the email is carefully crafted so that it appears to be sent from a legitimate business, such as a bank or credit card company, with a real-looking logo or letterhead. In the message body, the cyber thief requests verification of the victim's account information, directing him or her to a phony website to enter usernames, passwords, account numbers, and other details. Fellow expert Judy Torres wrote a post detailing red flags that can help you identify these kinds of attacks.

CEO Scam: In a CEO scam, the hacker sends an email which appears to be from the CEO to the finance department of an organization. The email instructs finance staffers to transfer funds to a legitimate-looking account. Of course, the account actually belongs to the cyber thief. In one such scam, Ubiquiti Networks Inc. reported that it had been defrauded of more than $38.6 million.

The success of the CEO scam is dependent on the hacker convincing the target that the email is legitimate and that the funds should be transferred; in order to add authenticity, some hackers will go so far as to include information that seems confidential, such as details about the CEO's family or inside information which only the real CEO would have. Most often, such information has been gathered from the internet. 

Spear-Phishing: A spear-phishing attack is identical to a phishing attack, but it is aimed at specific individuals in an organization and will often include confidential information to create the appearance of authenticity. The attack is similar to a CEO scam, but not necessarily focused on the transfer of funds.

Baiting: In a baiting attack, the hacker loads malware – usually a program designed to provide the hacker with system access – onto a USB drive and drops the drive in a company's parking lot. The hacker is betting that someone will take the drive and insert it into their work computer. Once inserted, the malware provides the hacker with access - first to the victim's PC and then to the company's entire IT system.

Additional Methods: These are only a few of the most common types of social engineering attacks. Others involve voicemails, offers of technical support or assistance, impersonating HR, IT or Help Desk personnel, and so on.
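As an added illustration, not code from the article's authors or from any product the article mentions, the following Python script applies two of the indicators described above to constructed sample messages: a From display name that borrows an executive's name while the sending address sits outside the company's own domain (the CEO scam), and a link whose visible text names a legitimate-looking domain while its href leads somewhere else (the phony website a phishing email steers the victim to). The internal domain, the executive name and the three sample emails are all invented for the example.

```python
"""Heuristic checks for two social engineering indicators described above.

Added example for this article, not code from its authors or from any product
the article mentions. It looks for (1) a CEO-scam pattern: the From display
name borrows an executive's name while the address is outside the company's
own domain, and (2) a phishing pattern: a link whose visible text names one
domain while its href leads to another. Domain, executive name and the three
sample messages are constructed for the example.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for the example: the organization's own mail domain and the
# executives whose identity a CEO-scam email would borrow (lower-cased).
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane doe"}

# <a href="...">text</a> pairs; sufficient for the constructed HTML bodies.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# A bare domain name appearing in link text, e.g. www.example-bank.com
DOMAIN_IN_TEXT_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (www.example-bank.com -> example-bank.com).
    A crude stand-in for a public-suffix lookup; enough for the samples here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def text_body(msg: Message) -> str:
    """Concatenate all text/* parts of a message, decoded to str."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_email(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings = []

    # Indicator 1: executive display name on a message sent from outside the company.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if display_name.strip().lower() in EXECUTIVE_NAMES and sender_domain != INTERNAL_DOMAIN:
        findings.append(
            f"display name '{display_name}' impersonates an executive but sender domain is '{sender_domain}'"
        )

    # Indicator 2: link text names a domain that differs from where the href goes.
    for href, text in ANCHOR_RE.findall(text_body(msg)):
        href_host = urlparse(href).hostname or ""
        shown = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            findings.append(f"link text shows '{shown.group(1)}' but href points to '{href_host}'")

    return findings


# Constructed sample messages (not real mail).
SAMPLE_CEO_SCAM = (
    "From: Jane Doe <jane.doe@example-corp-mail.com>\n"
    "To: finance@example-corp.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process the attached wire today; I am in meetings all afternoon.\n"
)
SAMPLE_PHISHING = (
    "From: Example Bank Security <alerts@example-bank.com>\n"
    "To: user@example-corp.com\n"
    "Subject: Verify your account\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>Please verify your account at <a href="https://example-bank.com.login-verify.net/verify">'
    "www.example-bank.com</a></p>\n"
)
SAMPLE_BENIGN = (
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "To: finance@example-corp.com\n"
    "Subject: Q3 figures\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>See <a href="https://intranet.example-corp.com/q3">intranet.example-corp.com</a>.</p>\n'
)

if __name__ == "__main__":
    for name, sample in [("CEO scam", SAMPLE_CEO_SCAM), ("phishing", SAMPLE_PHISHING), ("benign", SAMPLE_BENIGN)]:
        print(name, "->", check_email(sample) or "no indicators")
```

Run as a script, it reports one finding for the CEO-scam sample (executive name from a look-alike domain), one for the phishing sample (the link text and href disagree) and none for the benign internal message. Like the content filtering the article mentions, these checks catch only the indicators they are written for; they supplement the awareness training the article recommends rather than replace it.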

Bottom line: While there are some technical defenses against cyber scams, such as content filtering and anti-malware / anti-virus software, none are foolproof. No software or hardware solution can protect good, honest people from being taken advantage of by a cyber con man. Proper training and awareness are the only defense against social engineering attacks, and even then, people with the best of intentions and training occasionally slip up; so long as most people are trusting and well-intentioned, social engineering will work. Employees should receive regular information about the types of attacks that cyber criminals use, and should be frequently reminded to be alert and on guard, especially when handling unexpected or unsolicited communications. While there's no infallible way to defend against social engineering, the more prepared and alert you are, the less likely you are to become a victim.


Real stories of data breaches affecting small businesses just like yours 

According to the Ponemon 2014 Cost of a Data Breach Study, each record that is lost or stolen now costs organizations $192. We use this average to estimate the total cost of each breach event below by multiplying the number of lost or stolen records by $192.

Sample 1 – A home healthcare organization located in Arizona: Theft

Electronic protected healthcare information was exposed when a laptop containing sensitive patient data was stolen from the vehicle of one of the healthcare organization's employees. The data exposed was unencrypted.

Estimated Cost – $598,848

Recommendations that may have avoided this breach: Two likely failures occurred here. Firstly, from a technology standpoint any laptop which will be used by an organization to house sensitive patient or customer data should always be encrypted for this exact circumstance, as laptops are commonly lost or stolen. Secondly, and perhaps more importantly, organizations should review and update their information governance policies to ensure that sensitive patient or customer data is not being stored unencrypted, or copied to unencrypted machines such as employees' laptops. In addition, training should occur on these policies to educate employees as to the company's stance on information security, and each employee's responsibilities in maintaining those standards.  


Sample 2 – A health solution provider in Pennsylvania: Accidental Release

An employee of a health solution provider was scammed, via a targeted spear-phishing email, into sending W-2s containing sensitive information on the provider's current and former employees.

Estimated Cost – $70,080

Recommendations that may have avoided this breach: Spear phishing has been found to be very effective, and criminals are therefore using this tactic at an ever-growing rate. Employee training is key to ensuring your employees are able to identify and delete potentially harmful phishing emails. In addition, because phishing is so prevalent, security organizations now offer services that let you test your own employees: they send sample, non-harmful phishing emails to your staff. Initial tests benchmark how well employees identify and delete these potentially harmful emails; afterward you can reward employees who successfully detect the test emails and offer additional training to those who fail.


Sample 3 – A Public Relations and Consulting firm in New York: Accidental Release

An employee accidentally sent certain employee records containing sensitive personal information to an unauthorized email recipient.

Estimated Cost – $113,664

Recommendations that may have avoided this breach: Some information security breaches are simply human error, as this one appears to be. While training is key to avoiding incidents like this, organizations should also prepare for the worst and have a written plan in place should such an accident occur. A strong information security plan should specify which vendors will be utilized to respond to a breach event and which employees will be responsible for managing the event (including PR); the plan should be reviewed by every executive team member and updated at least annually.

For More Information:

If you believe your organization has experienced a data breach event, call 877-647-6225 immediately.