Welcome back.

In this section, we're going to learn about social engineering. This is one of the most powerful tools for breaking into any computer system or network, and it's one of the most important techniques you need to be able to understand to block these kinds of attacks, whether this is coming from a computer hacker, from an attacker on the outside or on the inside of your organization, whether it's coming from a con artist out in real life or a predator, either online or in the real world. You need to understand these types of techniques that social engineering attackers use so that you can keep yourself safe, both online and in the real world.

The number one type of online social engineering attack, both because it's the most prevalent and because it's one of the most successful, is called phishing. This is phishing with a "ph". It's the number one attack because it's so easy to do to so many people.

If you've ever gotten a phishing email before, it looks like it comes from someone official, like your bank, your employer, your school, your family member or friend. And it looks like an email asking you to log in and check out some account activity, or to check in to help out a friend who's someplace else, traveling in the world, for example. So it looks like it's coming to you from someone that you recognize, someone that you do business with, your eBay or your PayPal account.

But when it comes to phishing, they're just trying to get your credentials, your username and your password, to hack into your account. And unfortunately, phishing is number one because it's so effective. Everybody, this isn't just something that people do because they're dumb. It's because we all get distracted. We are all susceptible to the same types of social engineering techniques. That's why it's really important to understand how this happens.

Well, phishing is just sending an email and trying to get you to click through a link or to give up your information. But it's based on some other social engineering techniques, and these all work together in a really effective attack.

Pretexting is the first of those. Pretexting is pretending to be someone you're not, or setting up a false pretext, a false situation. So you say you're calling from corporate, or you're calling from computer support. You say this is an email from a friend who's in trouble. They're traveling someplace and they need some money. They weren't able to pay their hotel bill, or they got arrested and they need access to a lawyer. There are lots of pretexts that people use, both online and in the real world. A predator might say, I'm a friend of your dad's, I'm a friend of your mom's. You have to understand this, and you have to talk with your kids. You have to talk with your family members about social engineering, both online and in the real world. In a chat room, some would say that they are in your class, or they're also in the same grade as you, or they work for the same company or in the same kind of job.

Pretexting just means using some false information or made-up information to try to make a connection with the user. You'll see that in phishing emails. You will also see that in other online and real-world attacks. Baiting is a great example: someone leaves a USB drive out in the parking lot of your company. And the natural thing for people to do, unfortunately, is pick up that USB drive and plug it in to see who it might belong to, to see what might be on it. Unfortunately, if they put malware on there, it may have just attacked your network from the inside, unintentionally. You didn't know you were doing anything wrong. But this is something important to train employees about, and train your family about as well. Don't just pick up a USB drive or accept a free download or free software. Sometimes that click can take you to a website that is compromised.

Quid pro quo is a common social engineering technique that means you'll get a little something if you do something for me. The Nigerian prince email scams are a terrific and terrible example of this. If you will help us get this money out of the country, then we will send you a portion of it, or we'll let you keep a portion of it. Or it could be just something as simple as, hey, if you'll do this for me, I'll send you this information or I'll give you some money. Quid pro quo is what makes these types of attacks work. It just means this for that, something for something else.

Another common attack is tailgating, and this can happen both online and in the real world. The most common way that tailgating is used is you stand outside a building with some employees, maybe in a smoke break area, and then when they go back into work, after you've struck up a few conversations, you just follow one of them in. Or you come in holding a package in your hands, and you wait until someone comes to the door, you walk in right behind them, and it allows you to gain access to a building. You've seen this in movies and in television crime shows before. Tailgating is a real thing in real life. It can give someone access to the computers in your network, your physical premises. And as we saw back in the very first section, physical access can mean total access. If someone can touch your computer, they may be able to own your computer and your network.

This next-to-last example I'm going to give you, vishing, is just a voice form of phishing. So someone makes a phone call and pretends to be someone that they're not: a company's IT support. You'll also see this as smishing, SMS phishing. That's where someone sends you a simple message service or text message, pretending to be your bank, pretending to be your employer, pretending to be an attorney, pretending to be the IRS. They'll leave you messages, or they'll call you up on the phone, and they can even fake the caller ID number on your telephone and make you believe that it really is a call from 1-800 and some government agency. You have to be very careful not to give out any information. Remember, the IRS does not call. Most law enforcement agencies don't make phone calls. They either send certified mail, if it's the IRS, or they will come in person, if it's law enforcement.

The last example is the one we're actually going to work through in this section. We are going to create a phishing attack, but not just a phishing attack, a spear phishing attack. We're going to customize a fake phishing email for a particular individual or group of individuals. Spear phishing is where you use some special information about the person to try to get a particular individual's information. Sometimes we call this whale phishing when we're going for the top person in an organization.

A great example, a sad example, of spear phishing was when the Democratic National Convention was hacked in the United States during the 2016 election cycle. There were just a couple of key administrative accounts, key users, who fell for a, well, not simple, but relatively sophisticated phishing attack, like we're going to see how to build. And they, unfortunately, unwittingly gave access to outside attackers.

So phishing and spear phishing are real techniques. All of these are real things we need to know about, talk about with our families, with our employees, and understand better so that we can avoid falling for the social engineering types of attacks. Usually they'll come with some sense of urgency. So someone will work in the pretext that you have to help me with this tomorrow. You need to do this before the end of the day. Somebody hacked into your account. You need to take care of it right away. You've got to be able to understand these techniques so that you can recognize the signs of a phishing attack and avoid the impact. We'll see how to do that in this entire section.