WHAT IS A SOCIAL ENGINEERING ATTACK?

By: Michael Swanagan, CISSP, CISA, CISM

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information.

Recent studies found that 98% of cyber attacks rely on some form of social engineering.

WHY DO SOCIAL ENGINEERING ATTACKS WORK?

1. Reciprocity

People tend to return a favor, hence the pervasiveness of free samples in marketing.

2. Commitment

People who commit to an idea or goal (orally or in writing) are more likely to honor the commitment.

3. Social Proof

People will do things that they see others doing.

4. Authority

People will tend to obey authority figures, even if they're asked by those figures to perform objectionable acts.

5. Scarcity

Perceived scarcity will generate demand. For example, saying offers are available for a "limited time only."

WHAT ARE COMMON SOCIAL ENGINEERING ATTACKS?

Phishing:

Phishing refers to an attack that is sent in the form of a link embedded within an email.

Watering Hole:

A watering hole attack injects malicious code into public web pages of a site that the target visits.

Pretexting:

An attacker impersonates an external IT services operator to ask internal staff for information to access the network.

Whaling:

Whaling is similar to phishing; however, the attack targets high-value individuals such as executives or celebrities.

Tailgating:

Tailgating involves an attacker seeking entry to a restricted area that lacks the proper authentication.

HOW DO YOU PREVENT SOCIAL ENGINEERING ATTACKS?

Security Awareness:

Many companies conduct security awareness exercises to inform employees of security best practices.

Be Suspicious:

Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about internal information.

Personal Info:

Don't provide personal information unless you're certain of the person's authority.

Financial Info:

Don't reveal personal or financial information in email or respond to email solicitations for this information.

Sensitive Info:

Don't send sensitive information over the internet before checking the website's security.

Suspicious URLs:

Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (.com, .net, .io, etc.).

Verify Companies:

Verify requests by contacting the company directly or check previous statements for contact information.

Install Mitigations:

Install and maintain antivirus software, firewalls, and email filters.
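The "Suspicious URLs" point above can be turned into a simple mail-filter or training check: compare the domain in a link against an allowlist of trusted domains and flag one-character spelling variations or a swapped top-level domain. This is an added example, not part of the original infographic; the allowlist and the URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the domains an organisation actually uses.
TRUSTED_DOMAINS = {"examplebank.com", "purplesec.us"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable_parts(host: str):
    """Split a hostname into (name, tld). Naive: assumes a single-label TLD."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike-tld', 'lookalike-spelling', 'unknown' or 'invalid'."""
    host = urlsplit(url).hostname
    if not host:
        return "invalid"
    parts = _registrable_parts(host)
    if parts is None:
        return "invalid"
    name, tld = parts
    if f"{name}.{tld}" in trusted:
        return "trusted"
    for trusted_domain in trusted:
        tname, ttld = trusted_domain.rsplit(".", 1)
        if name == tname and tld != ttld:
            return "lookalike-tld"        # e.g. .net instead of .com
        if _edit_distance(name, tname) <= 1:
            return "lookalike-spelling"   # one-character typo of a trusted name
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.examplebank.com/login", "https://examplebank.net/login",
                 "https://exampiebank.com/login", "https://examplebank.com.evil.example/"):
        print(link, "->", classify_url(link))
```

Note that a trusted name appearing as a subdomain of another domain (the last sample link) is classified as "unknown" rather than "trusted", because only the registrable domain is compared.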
