Social engineering is recognized as one of the greatest security threats facing organizations. It is extremely effective because the attacks are persuasive and very deceptive.
According to a recent cyber security report, 98% of cyber-attacks rely on some form of social engineering. The same report notes that 21% of current or former employees use social engineering to gain a financial advantage or to take revenge.
One of the most alarming findings in the report is that social engineering attempts spiked more than 500% from the first to the second quarter of 2018.
What Is A Social Engineering Attack And How Does It Work?
Social engineering attacks can come in many forms, but let’s first understand the term in more detail. Social engineering is defined as the psychological manipulation of people into performing actions or divulging confidential information.
It sounds like a Jedi mind trick, but in reality it is a trick based on human perception. Social engineering is the number one threat because it plays on our behavior and our tendency to trust.
Who Is Most At Risk Of Social Engineering Attacks?
Candidates for a social engineering attack can range from a corporate executive to an elementary school student. Even the most seasoned IT professional can be victimized by this type of attack.
Interestingly, social engineering is also reported to rely on principles of influence. If that is the case, anyone exposed to news media, advertising, or a computer or smartphone connected to the Internet is susceptible to this kind of attack.
Note the following excerpt from a report describing the principles of influence, which explains why social engineering works so well today.
- Reciprocity – People tend to return a favor, hence the pervasiveness of free samples in marketing.
- Commitment and consistency – If people commit to an idea or goal (orally or in writing), they are more likely to honor that commitment because it’s now congruent with their self-image. Even if the original incentive or motivation is removed after they have already committed, people will continue to honor the agreement.
- Social proof – People will do things that they see others doing.
- Authority – People will tend to obey authority figures, even if they’re asked by those figures to perform objectionable acts.
- Liking – People are easily persuaded by others that they like.
- Scarcity – Perceived scarcity will generate demand. For example, by saying offers are available for a “limited time only,” retailers encourage sales.
The good news is that we understand the problem; the bad news is that malicious actors already have systems in place to exploit each of the above principles of human behavior.
What Are Common Types of Social Engineering Techniques?
The most common types of social engineering techniques include phishing, watering hole attacks, pretexting, whaling and tailgating.
1. Phishing Attacks
No, this isn’t a typo. Phishing refers to an attack that usually arrives as a link embedded in an email. The email is disguised to look like it comes from a reliable source, but in reality the link leads to a malicious site.
2. Watering Hole
A watering hole attack consists of injecting malicious code into the public web pages of a site that the targets habitually visit. The method of injection is not new; it is commonly used by cyber criminals and hackers. The attackers compromise websites within a specific sector that are ordinarily visited by the specific individuals of interest to the attack.
3. Pretexting
Pretexting builds a fabricated scenario (the pretext) that gives the target a plausible reason to hand over information. For example, an attacker can impersonate an external IT services operator and ask internal staff for information that would allow access to systems within the organization.
4. Whaling Attacks
Whaling uses the same methods as spear phishing, but the scam email is designed to masquerade as a critical business email from a legitimate authority, typically a senior executive of an important organization. The word whaling indicates that the target is a big fish to capture.
5. Tailgating
The tailgating attack, also known as “piggybacking,” involves an attacker who lacks the proper authentication seeking entry to a restricted area.
The attacker can simply walk in behind a person who is authorized to access the area. In a typical attack scenario, the attacker impersonates a delivery driver or a caretaker, arrives loaded with parcels, and waits for an employee to open the door.
Example Of A Social Engineering Attack
I didn’t have to look far to find an example. I’ll share an incident involving a recent email that appeared in our mailbox.
It appears the attacker had everything right. The logo looks legitimate and I do have an account with this vendor, but something looked amiss. Now mind you, I first saw this on my mobile device and I didn’t open any links. So I decided I needed to take a closer look at it on my desktop computer.
First rule of thumb when you believe an email is suspicious or have that “why did I receive this email?” feeling: DO NOT CLICK any URLs or links in the email. I’ll explain later, but first take a close look at the sender email address (note the explanation in the text box below).
So what did I avoid by not clicking this suspicious email? I avoided exposing my user name and password to what appears to be a phony web site. They possibly could have asked for a credit card or my personal bank information as well. Once they have my account info, it’s game over.
To put this in perspective, imagine this attack being replicated 1,000 times a day for a year against a million people.
The numbers are astounding, but that is the reality of why social engineering ranks so high among cyber security attacks.
How Do You Prevent Social Engineering Attacks?
There are a variety of ways to prevent social engineering attacks. Many corporate environments conduct security awareness exercises throughout the year to inform their employees of security best practices in the workplace.
It’s commonplace also to see companies simulate phishing attacks by sending fake emails to their employees to test their behavior.
You can reduce your exposure to social engineering attacks, whether in the office or on a personal device, by following these recommendations.
Be Suspicious Of Unsolicited Contact
Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, verify his or her identity directly with the company using contact details you already have.
Do Not Provide Personal Information
Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
Do Not Provide Financial Information
Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
Don’t Send Sensitive Information
Don’t send sensitive information over the internet before checking a website’s security. (See Protecting Your Privacy for more information.)
Pay Attention To URLs
Pay attention to the Uniform Resource Locator (URL) of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling (a digit 1 in place of the letter l, for instance), a different domain (e.g., .com vs. .net), or the legitimate name buried as a subdomain of an unrelated domain, such as vendor.com.some-other-site.net.
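The two manual checks above (look at the real sender address before anything else; look at where each link actually points) can be automated for triage. The script below is an added example, not code from the original article: it parses a constructed phishing email, compares the From and Reply-To domains against a small allowlist of vendor domains the recipient actually uses (an assumption for the example), and flags links whose registrable domain is a lookalike or hides the trusted name inside a subdomain. The homoglyph table and the two-label domain rule are deliberate simplifications; production code should normalize Unicode and consult the Public Suffix List.

```python
"""Triage a suspicious email: who really sent it, and where its links really go.
Added example; the sample message and the trusted-domain list are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample. The display name and the first link borrow the vendor's
# name; the actual domains are attacker-controlled.
SAMPLE_EMAIL = """\
From: "Example Vendor Billing" <billing@examp1e-vendor.net>
Reply-To: support@example-vendor-billing.net
To: user@corp.example
Subject: Action required: your account will be suspended
Content-Type: text/plain

Your payment failed. Sign in within 24 hours to avoid suspension:
https://example-vendor.com.account-verify.net/login
Questions? Visit https://www.example-vendor.com/help
"""

# Domains the recipient genuinely does business with (assumption for the example).
TRUSTED_DOMAINS = {"example-vendor.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Common digit-for-letter swaps used in lookalike registrations.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host):
    """Last two labels of a hostname: 'a.b.example.com' -> 'example.com'.
    Adequate for the sample; real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(dom):
    """Return the trusted domain that `dom` imitates, or None.
    Catches digit swaps, 'rn' standing in for 'm', and a swapped TLD."""
    name = dom.split(".")[0].translate(HOMOGLYPHS).replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        if dom != trusted and name == trusted.split(".")[0]:
            return trusted
    return None


def sender_findings(msg):
    """Header-level checks: untrusted or lookalike From domain, Reply-To mismatch."""
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = registrable_domain(from_addr.rpartition("@")[2]) if "@" in from_addr else ""
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        target = lookalike_of(from_dom)
        findings.append(f"sender domain {from_dom} imitates {target}" if target
                        else f"sender domain {from_dom} is not trusted")
    if "@" in reply_addr:
        reply_dom = registrable_domain(reply_addr.rpartition("@")[2])
        if reply_dom != from_dom:
            findings.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    return findings


def url_findings(text):
    """Link checks: trusted name used as a subdomain, lookalike, or simply untrusted."""
    findings = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        dom = registrable_domain(host)
        if dom in TRUSTED_DOMAINS:
            continue
        brand = next((t for t in TRUSTED_DOMAINS if host.startswith(t + ".")), None)
        if brand:
            findings.append(f"{url}: {brand} is only a subdomain of {dom}")
        elif lookalike_of(dom):
            findings.append(f"{url}: {dom} imitates {lookalike_of(dom)}")
        else:
            findings.append(f"{url}: untrusted domain {dom}")
    return findings


def triage(raw_email):
    """Run both checks over a raw RFC 5322 message and return all findings."""
    msg = message_from_string(raw_email)
    return sender_findings(msg) + url_findings(msg.get_payload())


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("!", finding)
```

Run against the sample, the script reports three findings: the From domain examp1e-vendor.net imitates example-vendor.com, the Reply-To points at a third domain, and the login link only contains the vendor name as a subdomain of account-verify.net. The genuine help link passes. None of this replaces verifying the request with the vendor through a channel you already trust, but it turns "look closely at the address" into a check that can run on every message.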
Verify The Company Contacting You
If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group. (See the APWG eCrime Research Papers).
Install Attack Mitigations
Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. (See Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information.) Finally, take advantage of any anti-phishing features offered by your email client and web browser.