As social engineering attacks continue to grow in sophistication and frequency, companies should look to employee education as a first line of defense. Learn how to recognize and avoid social engineering attacks in this installment of our Data Protection 101 series.
A Definition of Social Engineering
Social engineering is a non-technical strategy cyber attackers use that relies heavily on human interaction and often involves tricking people into breaking standard security practices. The success of social engineering techniques depends on attackers’ ability to manipulate victims into performing certain actions or providing confidential information. Today, social engineering is recognized as one of the greatest security threats facing organizations. Social engineering differs from traditional hacking in that social engineering attacks can be non-technical and don’t necessarily involve the compromise or exploitation of software or systems. When successful, many social engineering attacks enable attackers to gain legitimate, authorized access to confidential information.
The Why and How of Social Engineering
Social engineers are a modern-day form of fraudsters or con artists. They may attempt to access computer networks or data stores by gaining the confidence of authorized users or by stealing those users’ credentials in order to masquerade as trusted insiders. It is common for social engineers to rely on the natural helpfulness of people or to attempt to exploit their perceived personality weaknesses. For example, they may call with a feigned urgent problem that requires immediate network access. Social engineers have been known to appeal to vanity, authority, or greed, or to draw on information gleaned from eavesdropping or online sleuthing, often via social media.
Cyber criminals use social engineering tactics in order to convince people to open email attachments infected with malware, persuade unsuspecting individuals to divulge sensitive information, or even scare people into installing and running malware.
Types of Social Engineering Attacks
Your organization should take steps toward educating employees on the common types of social engineering attacks, including baiting, phishing, pretexting, quid pro quo, spear phishing, and tailgating. While there are technological solutions that help mitigate social engineering (such as email filters, firewalls, and network or data monitoring tools), having an employee base that is able to recognize and avoid common social engineering tactics is ultimately the best defense against these schemes. Here is a breakdown of common social engineering techniques:
- Baiting – Attackers conduct baiting attacks when they leave a malware-infected device, such as a USB flash drive or CD, in a place where someone likely will find it. The success of a baiting attack hinges on the notion that the person who finds the device will load it into their computer and unknowingly install the malware. Once installed, the malware allows the attacker to advance into the victim’s system.
- Phishing – Phishing occurs when an attacker sends fraudulent communications to a victim that are disguised as legitimate, often claiming or appearing to come from a trusted source. In a phishing attack the recipient is tricked into installing malware on their device or sharing personal, financial, or business information. Email is the most popular mode of communication for phishing attacks, but phishing may also utilize chat applications, social media, phone calls, or spoofed websites designed to look legitimate. Some of the worst phishing attacks make charity pleas after natural disasters or tragedies strike, exploiting people’s goodwill and urging them to donate to a cause by inputting personal or payment information.
- Pretexting – Pretexting occurs when an attacker fabricates false circumstances to compel a victim into providing access to sensitive data or protected systems. Examples of pretexting attacks include a scammer pretending to need financial data in order to confirm the identity of the recipient or masquerading as a trusted entity such as a member of the company’s IT department in order to trick the victim into divulging login credentials or granting computer access.
- Quid pro quo – A quid pro quo attack occurs when attackers request private information from someone in exchange for something desirable or some type of compensation. For instance, an attacker requests login credentials in exchange for a free gift. Remember, if it sounds too good to be true, it probably is.
- Spear phishing – Spear phishing is a highly targeted type of phishing attack that focuses on a specific individual or organization. Spear phishing attacks use personal information that is specific to the recipient in order to gain trust and appear more legitimate. Often this information is taken from victims’ social media accounts or other online activity. By personalizing their phishing tactics, spear phishers have higher success rates for tricking victims into granting access or divulging sensitive information such as financial data or trade secrets.
- Tailgating – Tailgating is a physical social engineering technique that occurs when unauthorized individuals follow authorized individuals into an otherwise secure location. The goal of tailgating is to obtain valuable property or confidential information. Tailgating could occur when someone asks you to hold the door open because they forgot their access card or asks to borrow your phone or laptop to complete a simple task and instead installs malware or steals data.
Social engineering is a serious and ongoing threat for many organizations and individual consumers who fall victim to these cons. Education is the first step in preventing your organization from falling victim to savvy attackers employing increasingly sophisticated social engineering methods to gain access to sensitive data.