🐡 Stay ahead of the game

A social engineering scheme that uses phone calls to manipulate a victim into giving out personal information or to perform an action is called vishing or voice phishing. We’ll learn by example, and dive into a situation where a hacker poses as a person of authority, on a phone call that ultimately makes a fishy-fishy email seem legit.

📱 Tabletop Exercise: FEMA Spam Scam

💡 Tabletop exercises are a type of simulation based training where team members come together to analyze and discuss a hypothetical situation. Insights from these exercises can provide a lens into a company’s strategies for readiness and response.

📱 FEMA Spam Scam

Characters:
HexV3ctor (posing as a FEMA agent) - named Laura
FEMA applicant - named Alex

Phone rings, and it's an off-island number. A worried resident named Alex picks up.

HexV3ctor (disguised as a FEMA agent): "Hello, this is Agent Laura from FEMA. I am calling about your recent application for disaster assistance due to Typhoon Mawar. First, I would like to express our deepest sympathies for the situation you're currently going through. We're working around the clock to expedite assistance to everyone affected."

Alex: "Oh, thank you. It's been quite difficult. We've been waiting for an update online."

HexV3ctor: "I can only imagine, Alex. We are doing everything we can to accelerate this process. Now, I understand you've applied for assistance for home repairs, correct?"

Alex: "Yes, that's right."

HexV3ctor: "Alright, I have your application here, but I'll need a bit more information to ensure it's processed quickly."

Alex, after providing the information, continues to engage with the supposed agent, believing her to be a genuine FEMA representative.

HexV3ctor: "Thank you, Alex, for the information. I've updated your application. Now, to finalize this, we need you to approve the update from your end. We can send you an email with a link to verify your application and expedite the process. Can you provide me with a suitable email address?"

Alex: "Sure, please send it to my work email. I'm at work right now."

HexV3ctor: "Absolutely, Alex. We understand you're doing your best to cope, and we're here to assist in any way we can. Please look out for an email from FEMA and follow the instructions within. Rest assured, we're with you through this difficult time."

Alex thanks the 'FEMA agent' and soon receives an email that appears to be from FEMA. Trusting the call he had earlier, he clicks the provided link, unknowingly compromising his work network. Days later, the company discovers a network breach, leading to severe consequences.

📣 Insights of the vishing scenario for discussion

The attacker is a smooth cyber criminal. Here are some key points:

  • The attacker poses as an official from the federal government. Posing as a figure of authority gives them automatic street cred.

  • In this social engineering example, the attacker opens with a show of sympathy that strikes an emotional chord.

  • The information the hacker asks for doesn't seem that personal. Getting the victim to break this barrier is key in the process: once they hand over the first details, the trust bridge has been established.

  • Urgency is the next key insight, and it makes the victim vulnerable. The attacker assures Alex that they will help expedite the process. Who doesn't want to save some time? If you want it fast, you have to divulge information with the same urgency.

We don't have the best judgement in urgent and emotional situations. Hackers operate in this state and use it to their advantage. When that email comes in with the official-looking FEMA logo, the chances that the victim will click on the link are high.

The cyber landscape is evolving rapidly, and we have to learn to adapt just as quickly. The end users have evolved to be the front line guardians of a company's assets, reputation, and compliance requirements. Tabletop exercises can be a time to learn, share insights, and strategize for the future.
