United States Cybersecurity Magazine

Understanding the Threat

Social Phishing: How Hackers Trick You With Basic Sales Techniques

Tricia A. Howard
 


You are probably thinking “why on earth is there ANOTHER article about social phishing? Have we not drained that pond by now?” This is a common line of thought, but unfortunately, phishing attacks (leading to credential theft) are still one of the main ways that hackers access your information. However, the true kicker is that social phishing is really easy to do, just by using basic sales techniques.

The Mindset of a Sales-Person

Starting in the sales industry, I was strictly business development. As you all know, you have to find ways to stand out to the customers. This is doubly true when you are just 1 of 1000 entry-level sales reps who “just wants to pick your brain.” Getting those 3 net-new meetings a week became more and more difficult as the threat landscape (and thus the industry) has grown, and it is only going to get worse.

The best way to get around it was going to social media. Find a couple of interesting things about a target, call into a couple of people and get an email address, utilize that info found previously to create rapport, get the meeting. It does not always work, but it was definitely more successful than just leaving voicemails that were never returned.

What is known as good salesmanship actually is known by another name, and a not-so-nice one at that: Social Engineering. Social Engineering is often noted for being “innovative and creative.” Eventually, I found myself doing company-wide webinars effectively helping teach how to (legally) cyber-stalk people.

“That is great, but why do I care about how salespeople are getting more and more annoying?”

Because this is how you lose privileged account credentials.

Privileged accounts are not just admin creds; there are several people within the enterprise who have advanced levels of access. For example, let us look at Stevie Salesguy.

Social Phishing – A Case Study

Stevie is the ideal example of social phishing. Steve is a Director of Sales who runs the East Coast. He manages around 25-30 reps and works round the clock to keep it going. Imagine he has an “interview” with someone who wants to join the team who is actually a threat actor. The threat actor sees that Steve loves to fish, so he brings it up on the call – what types of fishing he usually does, where he likes to go, etc. The actor finds out that Steve is a member of Bass Pro’s membership program and even has a trip coming up.

They get off the call and Hugh Hacker has all the info he needs. Hugh builds a quick landing page to look like Bass Pro. Then he sends an email asking to sign in to verify trip details. Just like that, social phishing has occurred. To make matters worse, since Steve uses the same password for everything, Hugh starts jet-setting through his financial data.

What to do?  

I’m not suggesting we stop posting on social media or stop being friendly on first phone calls. Most of the people you will meet have good intentions, or do not even think in this way. However, until we finally get rid of passwords in their entirety, there are a couple of easy ways to help remedy this ever-growing issue:

  • Train your employees on security awareness – including fake social phishing attempts. If they are going to be clicked on, hopefully it is you who is orchestrating the attempt. The more customized the better. There are agencies who will put this in your pen-testing plan.
  • Look at Privileged Account Management solutions – Especially if you are an enterprise or have lots of varying account levels. Having a manager that looks at forensic data can help keep a lockdown on weirdness going on at the account level.
  • Make it personal – If your employee realizes that their work password is also their banking password and the implications therein, they will be more vigilant.

Tags: account management, case study, Cybersecurity, Phishing, sales, social engineering, social phishing, threat actor, Threats

© 2023 American Publishing, LLC™ | 17 Hoff Court, Suite B • Baltimore, MD 21221 | Phone: 443-231-7438