NDPX - Social Engineering Awareness

Uploaded by

Ivan Ninan
Social Engineering :

Understanding the Dangers


National Digital Payments Network Sdn Bhd

July 2023

07/08/2023 CONFIDENTIAL 1
Social Engineering Methods

What is Social Engineering?
The definition

“Social Engineering refers to the manipulation of individuals to obtain confidential information or gain unauthorised access.”

• Instead of exploiting technical vulnerabilities in infrastructure or software, it exploits human psychology.

• Attackers use deceptive tactics to trick individuals into revealing sensitive information or performing actions that compromise security.

Phishing Attacks
Summary of Phishing Attacks

• The most common form of social engineering attack.

• It involves fraudulent emails or messages designed to trick recipients into revealing sensitive information or performing actions on the attacker's behalf, such as opening a malicious attachment or approving a payment.

• Examples include email scams, fake login pages, and requests for personal or financial details.

• Phishing attacks can lead to identity theft, financial loss, and unauthorised access to systems.

Examples of Phishing Attacks
Example 1 - PayPal

Examples of Phishing Attacks
Example 2 – HTML Attachment

Pretexting Attacks
Summary of Pretexting Attacks

While phishing relies on fear and urgency, pretexting aims to build a sense of trust with the victim.

Attackers may impersonate colleagues, authorities, or trusted entities to deceive victims.

They often use phone calls or emails to gather sensitive information or persuade individuals to take certain actions.

Pretexting attacks can result in data breaches, unauthorised access, or compromise of our infrastructure.

Pretexting Examples
Famous Pretexting Events

• In 2006, Hewlett-Packard hired private investigators to find out whether board members were leaking news to the press. To do this, the investigators posed as the board members themselves and obtained their call records from phone companies.

• In 2015, Ubiquiti Networks Inc. transferred $39.1 million to a scammer posing as a trusted employee acting on behalf of top executives. This type of attack is also known as CEO fraud, a form of business email compromise (BEC).

• In 2017, MacEwan University transferred $9 million to a fraudster who posed as a vendor and asked staff members by email to update the vendor's payment details.

Pretexting Techniques
Common Pretexting Techniques

• Impersonation – Mimics someone else, typically a person the victim trusts, such as a friend or co-worker. This requires establishing credibility, usually through phone numbers or email addresses set up to look like those of the impersonated organisation or person.

• Tailgating/Piggybacking – Gaining unauthorised entry into physically secured locations by posing as an authorised individual, or by exploiting gaps in security controls or processes, for example by pretending to have misplaced an access badge or posing as a vendor.

• Baiting – Lures a target into a trap in order to steal sensitive information or spread malware. This may involve handing over or leaving behind a flash drive loaded with malware. The bait frequently carries authentic-looking elements such as a company logo.

• Scareware – Overwhelms targets with messages about fake dangers. For example, a scareware attack may fool a target into thinking malware has been installed on their computer. The victim is then asked to install “security” software, which is actually malware.

2023 Phishing Tactics
New tactics used by fraudsters to bypass email filters

Translation-Based Phishing
Using Google Translate to mask the URL: the phishing page is linked through Google Translate's proxy, so the address the victim sees begins with a Google-owned host (for example a *.translate.goog subdomain) while the page content itself is served from the attacker's site. A filter or user that only checks the visible domain is misled.

Image-Based Phishing
The whole message is delivered as an image with no text in the email body, so filters that scan the body text for phishing keywords find nothing to match.

Use of Special Characters
Using special characters to bypass phishing filters: invisible or zero-width characters are inserted into keywords, and look-alike (homoglyph) letters from other alphabets are substituted into brand names, so that a keyword filter does not recognise the word a human reader sees.

Detecting Attacks

Recognising Social Engineering Attacks

• Be wary of unsolicited requests for sensitive information or financial details.

• Pay attention to the sender's email address, the actual destination of links and URLs, and the overall legitimacy of the communication.

• Verify requests through an independent channel (e.g., a phone call to a number you already hold, not one supplied in the message) rather than relying solely on email.

• Implement multi-factor authentication for critical systems and services.

• Regularly educate employees about the latest social engineering techniques and tactics.

• If you are ever unsure, don't be afraid to ask.
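The three filter-evasion tactics shown in the 2023 slides and the sender and link checks in the list above can all be expressed as simple heuristics. The following Python script is an added example, not code from the NDPX presentation: it scans one HTML message for Google Translate proxy links, image-only bodies, zero-width and look-alike characters, link text that names a different host than the link target, and a Reply-To domain that differs from the From domain. The sample messages, sender addresses, domains and the 20-character "image-only" threshold are constructed for illustration.

```python
"""Heuristic detection of common phishing filter-evasion tactics.

Added example (not from the NDPX deck). A message is passed as a dict of
header values plus its HTML body; analyze() returns (code, detail) findings.
All samples, addresses and domains below are fictitious.
"""
import unicodedata
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Invisible code points used to split keywords ("pass\u200bword") so that a
# keyword filter never sees the whole word.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}
# Bodies with an image and fewer visible characters than this are "image-only"
# (threshold chosen for this example, not a standard value).
MIN_VISIBLE_TEXT = 20


class _HtmlScan(HTMLParser):
    """Collects (href, link text) pairs, the image count and all visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], 0, []
        self._href, self._link_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._link_text = dict(attrs).get("href") or "", []
        elif tag == "img":
            self.images += 1

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _looks_like_host(text):
    """True for link text such as 'paypal.com/login' or 'https://x.example'."""
    return "." in text and " " not in text and not text.startswith("mailto:")


def _scripts(word):
    """First word of each letter's Unicode name (LATIN, CYRILLIC, ...): a
    cheap stand-in for the script property, enough to spot mixed-script words."""
    return {unicodedata.name(c, "?").split(" ")[0]
            for c in word if unicodedata.category(c).startswith("L")}


def analyze(headers, html):
    """Return a list of (code, detail) findings for one message."""
    scan = _HtmlScan()
    scan.feed(html)
    visible = "".join(scan.text).strip()
    findings = []

    for href, text in scan.links:
        host = _host(href)
        # Translation-based phishing: the visible host is Google's proxy and
        # the real target is folded into the subdomain.
        if host.endswith(".translate.goog") or host == "translate.google.com":
            findings.append(("translate_proxy", href))
        # Link text that names one host while the href points at another.
        if _looks_like_host(text):
            text_host = _host(text if "://" in text else "https://" + text)
            if text_host and text_host != host:
                findings.append(("link_text_mismatch", f"{text} -> {host}"))

    # Image-based phishing: nothing for a text-based filter to read.
    if scan.images and len(visible) < MIN_VISIBLE_TEXT:
        findings.append(("image_only", f"{scan.images} image(s), {len(visible)} chars"))

    # Special characters: zero-width joiners, homoglyphs from a second script,
    # and compatibility forms (e.g. fullwidth letters) that normalise to ASCII.
    for ch in sorted(set(visible) & ZERO_WIDTH):
        findings.append(("zero_width", f"U+{ord(ch):04X}"))
    for word in visible.split():
        if len(_scripts(word)) > 1:
            findings.append(("mixed_script", word))
        elif unicodedata.normalize("NFKC", word) != word:
            findings.append(("compat_chars", word))

    # Header check: replies silently routed to a different domain.
    from_dom, reply_dom = _domain(headers.get("From", "")), _domain(headers.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"{from_dom} vs {reply_dom}"))
    return findings


# Constructed samples; every sender, domain and URL here is fictitious.
SAMPLES = {
    "translate": ({"From": "PayPal <service@paypal.example>"},
                  '<p>Your account is limited.</p><a href="https://secure-paypal-com'
                  '.translate.goog/login?_x_tr_sl=auto">Log in to restore access</a>'),
    "image_only": ({"From": "Billing <billing@invoice.example>",
                    "Reply-To": "collect@other.example"},
                   '<img src="cid:invoice.png" alt="">'),
    "special_chars": ({"From": "IT Helpdesk <helpdesk@ndpx.example>"},
                      '<p>Your pass\u200bword expires today. Verify your P\u0430yP\u0430l and '
                      '\uff2d\uff49\uff43\uff52\uff4f\uff53\uff4f\uff46\uff54 accounts at '
                      '<a href="https://login.evil.example/">microsoft.com/login</a></p>'),
    "clean": ({"From": "HR <hr@ndpx.example>", "Reply-To": "hr@ndpx.example"},
              '<p>The canteen menu for next week is attached.</p>'),
}


def finding_codes(name):
    """Set of finding codes raised for one of the constructed SAMPLES."""
    return {code for code, _ in analyze(*SAMPLES[name])}


if __name__ == "__main__":
    for name, (headers, html) in SAMPLES.items():
        print(name, analyze(headers, html))
```

The script flags, not blocks: each finding is a reason for a human to apply the "verify through an independent channel" rule above. The mixed-script and NFKC checks are the same idea browsers use when deciding whether to display an internationalised domain name as Unicode or as punycode.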

Quiz

Thank You

National Digital Payments Network Sdn Bhd


Level 5, Ministry of Finance and Economy Building
Commonwealth Drive BB3910
Brunei Darussalam
