Finding a target
These sites are designed to aggregate all of the staff members related to a particular company onto a single page. They display relevant contact information like personal and business email addresses, direct phone numbers, social networking connections, and more.
This can help a criminal narrow down the list of staff members that would make good targets for impersonation.
For example, employees whose area codes differ from the business' primary number may work from a satellite office and probably do not have close contact with their coworkers at headquarters.
After a “short list” of potential employees has been compiled, their individual social media sites may be data-mined for personal details which could add another layer of credibility to the pretext.
Prior to attempting an attack on the targeted company, a social engineer will usually employ additional tactics to further sell their believability.
A common approach involves sending the employee(s) they intend to contact a phishing email that is carefully formatted to resemble other legitimate corporate email correspondence.
These messages are intended to set up the attacker's pretext by outlining the reasons why they need assistance or, in some cases, make a direct request for the desired information. Of course, the reply-to email address would be spoofed, as would the contact information contained in the email signature and footer.
Another clever trick con artists use prior to initiating the phone call attack is to spoof their caller ID to match a department within the targeted company; the necessary equipment can be legally purchased and is surprisingly easy and nontechnical to use.
When these techniques are combined with a convincing pretext, there is little reason for an employee to doubt that the attacker is a legitimate coworker. And, voila, trust is established and the hook is set.
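As a defender-side illustration of the spoofed reply-to point above, the following is an added example (not from the original article) that flags messages whose Reply-To or Return-Path domain disagrees with the apparent corporate sender; the domain example.com and the sample message are constructed placeholders.

```python
"""Flag pretext emails whose headers steer replies away from the apparent sender.

Added example, not from the original article. Assumes the defended
organisation's domain is example.com (placeholder) and that raw RFC 5322
messages are available, e.g. from a mail-gateway quarantine.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumption: the targeted company's real domain


def _domain(header_value: str) -> str:
    """Return the lower-cased domain of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def pretext_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like a 'fellow employee' pretext.

    Two signals from the article: a Reply-To whose domain differs from the
    From domain (replies go to the impostor, not the impersonated coworker),
    and a From that claims the corporate domain while the Return-Path
    points somewhere else.
    """
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    return_domain = _domain(msg.get("Return-Path"))
    reasons = []
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if from_domain == CORPORATE_DOMAIN and return_domain and return_domain != CORPORATE_DOMAIN:
        reasons.append(f"From claims {CORPORATE_DOMAIN} but Return-Path is {return_domain}")
    return reasons


# Constructed sample: a message posing as an internal IT colleague.
SAMPLE_PRETEXT = """\
Return-Path: <bounce@mail-relay.example.net>
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk-support@example-it.net
To: jane.doe@example.com
Subject: Action required: VPN certificate renewal

Hi Jane, please confirm your current credentials so we can renew your VPN cert.
"""

if __name__ == "__main__":
    for reason in pretext_indicators(SAMPLE_PRETEXT):
        print("FLAG:", reason)
```

Such header checks catch only the crude cases; a pretext sent from a compromised internal mailbox produces consistent headers and must be caught by the training and procedures the article goes on to recommend.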
The best defense
From that point it is relatively easy to persuade or manipulate the real employee into changing passwords, divulging sensitive corporate information, or, in a worst-case scenario, activating malware sent in a follow-up email that allows the attacker to gain access to the company network.
The best defense against the “fellow employee” tactic, as well as virtually every con artist threat, continues to include the following:
- Staff trained to recognize and react to malicious techniques;
- Comprehensive policies and procedures;
- Frequent security awareness training; and
- Periodic social engineering testing that verifies the effectiveness of policies, training, and other controls.