The term social engineering refers to the psychological manipulation of an individual through person-to-person communication in order to gain access to private information. This differentiates it from other cyber security threats, which are typically thought of as being remote or impersonal. Social engineering attacks exploit the uniquely human element of compassion in order to take advantage of, and steal from, you and your employees.
A Social Attack
Social engineering attacks are most commonly used to target organizations and gain access to their IT systems and sensitive information. Attackers use many different techniques to deceive, usually claiming to be a fellow employee or IT expert. They may also pose as distressed customers, researchers or repair personnel, and they can provide falsified credentials to support their claim.
Their main objective is to use a series of questions to gain just the right amount of information to piece together access to bank accounts or databases, or to enter networks in order to plant spyware and other types of malware. Sometimes they will target multiple people within an organization, gaining credibility with each new contact by repeating the information they were able to gather previously.
The most frightening aspect of social engineering attacks is that they rely on human error to succeed, rather than on weaknesses in software, for example. This makes them harder to predict and identify. That is why it is crucial to educate yourself and your employees on what these attacks look like and how to avoid them.
Types and Indicators
The most commonly used method of social engineering attack is phishing. These attacks usually take the form of emails or websites created to look like something you would receive every day. Attackers can even spoof email addresses to make it seem like your company’s IT expert is requesting information or sending links to helpful sites, when in reality the links carry malware and the questions are meant to gain access to private information.
Here are some common examples of what phishing emails can look like:
These attacks can also come over the phone, which is referred to as Vishing. Voice communication is used to record your employee’s responses, which are later replayed to gain access to accounts that use voice activation, or to fool another member of your organization into giving up more information. When this is done over text message it is called Smishing.
Constant vigilance from your employees is going to be necessary in order to stay ahead of social engineering attacks within your company. Attackers are resourceful, and will often gain as much information as possible from social media and company websites in order to look credible before they attempt to infiltrate your organization. Just because something looks legitimate doesn’t mean it is. Here are some common indicators of attacks to watch out for:
- Suspicious email addresses: Be mindful of addresses that are similar to those of legitimate companies with just a few characters omitted or altered. As stated previously, these can also be spoofed; if a message from a trusted address uses a generic greeting instead of referring to you by name, that is a red flag, and you should verify with the actual individual before replying.
- Hyperlinks: These are also commonly spoofed by attackers. Always hover your cursor over the link to ensure the destination matches the text before you click it.
- Layout and Spelling: Phishing emails are more prone to spelling and grammar mistakes; this is a good indication that they are illegitimate, as reputable organizations have dedicated staff who edit correspondence before it goes out.
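The first two indicators above (lookalike sender domains, and links whose visible text differs from their real destination) can also be checked mechanically before a message reaches an inbox. The following is an added example written for this article, not the author's code; it assumes a constructed trusted domain `example-corp.com` and a constructed sample message, and flags a lookalike sender, a generic greeting and a mismatched hyperlink.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # constructed: the organisation's own domain

def check_sender(from_header):
    # A domain that nearly matches a trusted one (a character swapped or dropped) is a lookalike
    m = re.search(r"@([\w.-]+)", from_header)
    domain = m.group(1).lower() if m else ""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= 0.8:
            return f"lookalike sender domain {domain!r} (close to {trusted!r})"
    return None

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def check_links(html):
    # Compare the host a link displays with the host its href really points to (what hovering reveals)
    findings = []
    for href, inner in ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if "." not in shown or " " in shown:
            continue  # visible text is a phrase such as "click here": nothing to compare
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            findings.append(f"link shows {shown_host!r} but points to {real_host!r}")
    return findings

def scan_email(raw):
    # Run the sender, greeting and hyperlink indicator checks over one raw message
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = [f for f in [check_sender(msg.get("From", ""))] if f]
    if re.search(r"\bDear (user|customer|employee)\b", body, re.I):
        findings.append("generic greeting instead of the recipient's name")
    return findings + check_links(body)

# Constructed sample message, not a real email: the sender domain swaps an l for a 1
SAMPLE = """From: IT Helpdesk <helpdesk@examp1e-corp.com>
Content-Type: text/html

<p>Dear user,</p>
<p>Reset here: <a href="http://login.examp1e-corp.net/reset">https://portal.example-corp.com</a></p>
"""
```

Calling `scan_email(SAMPLE)` returns three findings (lookalike sender, generic greeting, mismatched link); a message from the genuine domain whose link text and destination agree returns none.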
A good rule of thumb is to never give out information in response to unsolicited calls or emails. If the request is legitimate, there will be no problem in requiring verification directly from the institution beforehand. Do not take any credentials at face value; always double-check with trusted sources.
There are other types of social engineering attacks besides phishing to make your employees aware of:
- Scareware: This term refers to false alarms and threats that are meant to scare the user into downloading malware under the guise of antivirus software.
- Pretexting: This technique uses an invented scenario to trick the victim into feeling compassion for the attacker and therefore trusting them with sensitive information. For instance, an attacker may call claiming they need access to private information because a family member is in the hospital. Other scenarios include impersonating police officers, bank personnel or tax officials in order to fool the employee into giving up information or access to records. Fake surveys and audits are some of the most common pretexts used by attackers.
Knowledge: The Key To Prevention
Training your employees on what social engineering attacks look like and how to respond when one inevitably happens is going to be your best line of defense. However, there are other methods of protection to consider, such as Data Leak Prevention software. This would be most beneficial for large companies with many employees. The software monitors the data you have in storage and sends alerts or triggers alarms when information is being sent, so you can always stay aware of who is sending information and verify that it is going to a reputable recipient.
Other best practices include setting up Multi-factor Authentication for all of your accounts and keeping your antivirus software up-to-date.
Social engineering attacks are carried out by humans, on humans. So it is a logical conclusion that, despite all of the firewalls and software we use to implement security, they are all just backup for our ultimate defense: the humans we employ. This is why security training highlighting social engineering attacks is vital to mitigate the risks and keep your company safe.