
HACKING THE HUMAN: The Art of Social Engineering

What is the greatest security threat we face today?

Depending on where this finds you, it may be physical harm or theft of physical, movable property; but on a global scale, today, social engineering is seen as one of the greatest security threats facing organisations and individuals at large, with an estimated 66% of all attacks by hackers, hacktivists and various other criminals being carried out using social engineering.

What is Social Engineering?

Social engineering is defined as any act that influences a person to take an action that may or may not be in their best interest. Simply put, social engineers are con artists looking to trick you into giving up something you normally wouldn’t: a modern form of fraudster who takes advantage of human behaviour to pull off a scam. Social engineering differs from traditional hacking in the sense that it doesn’t necessarily involve the compromise or exploitation of software or systems – it hacks the human. When successful, many social engineering attacks enable attackers to gain legitimate, authorised access to confidential information.

This may come down to social engineers gaining physical access to a building, sending emails from a trusted co-worker’s account, offering you something like a gift or freebie in return for information, or sending a link to something interesting that looks like it came from Facebook, LinkedIn or a friend. Remember, if it looks too good to be true, it usually is!

While there are technological solutions that help mitigate social engineering (such as email filters, firewalls, and network or data monitoring tools), being educated and able to recognise and avoid common social engineering tactics is ultimately the best defence against these schemes.

Here is a breakdown of common social engineering techniques:

Image Source: Social Engineering Inc. 

Baiting – Attackers conduct baiting attacks when they leave a malware-infected device, such as a USB flash drive or CD, in a place where someone likely will find it. The success of a baiting attack hinges on the idea that the person who finds the device will load it into their computer and unknowingly install the malware. Once installed, the malware allows the attacker to advance into the victim’s system.

Phishing – Phishing occurs when an attacker makes fraudulent communications with a victim that are disguised as legitimate, often claiming or seeming to be from a trusted source. In a phishing attack the recipient is tricked into installing malware on their device or sharing personal, financial, or business information. Email is the most popular mode of communication for phishing attacks, but phishing may also utilise chat applications, social media, phone calls, or spoofed websites designed to look legitimate. Some of the worst phishing attacks make charity pleas after natural disasters or tragedies strike, exploiting people’s goodwill and urging them to donate to a cause by inputting personal or payment information.

Impersonation – Impersonation, or ‘pretexting’, occurs when an attacker fabricates false circumstances to compel a victim into providing access to sensitive data or protected systems. Examples of pretexting attacks include a scammer pretending to need financial data in order to confirm the identity of the recipient, or masquerading as a trusted entity such as a member of the company’s IT department in order to trick the victim into divulging login credentials or granting computer access.

Quid pro quo – A quid pro quo attack occurs when attackers request private information from someone in exchange for something desirable or some type of compensation. For instance, an attacker requests login credentials in exchange for a free gift. Remember, if it sounds too good to be true, it probably is.

Spear phishing – Spear phishing is a highly targeted type of phishing attack that focuses on a specific individual or organisation. Spear phishing attacks use personal information that is specific to the recipient in order to gain trust and appear more legitimate. Oftentimes this information is taken from victims’ social media accounts or other online activity. By personalising their phishing tactics, spear phishers have higher success rates for tricking victims into granting access or divulging sensitive information such as financial data or trade secrets.

Tailgating – Tailgating is a physical social engineering technique that occurs when unauthorised individuals follow authorised individuals into an otherwise secure location. The goal of tailgating is to obtain valuable property or confidential information. Tailgating could occur when someone asks you to hold the door open because they forgot their access card, or asks to borrow your phone or laptop to complete a simple task and instead installs malware or steals data.

People inherently want to trust; that’s what a successful social engineering attack comes down to. If someone sends a co-worker an e-mail that says it’s from another co-worker, most people will look at it, want to trust it and end up opening it, especially if it relates to something real and specific. And most people will actually click on whatever is in the body of the e-mail too.

To avoid becoming a victim of social engineering, start treating all emails and online messages with some suspicion. Regardless of whether the message is from a friend, co-worker or stranger – if it contains attachments, website links, or a request for personal information or passwords, then your alarm bells should start going off. Stay safe. Check out our Top 10 Tips to stay safe online.
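For readers who run mail filtering or triage tooling, the following added example (not part of the original article) checks a raw email for the three warning signs named above: attachments, website links, and requests for personal information or passwords. It also flags a link whose visible address differs from its real target, as on a spoofed page. The sample message, its domains and the keyword list are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample message; every name and domain here is made up.
SAMPLE = """\
From: "IT Helpdesk" <helpdesk@example-support.test>
Subject: Action required: confirm your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please confirm your password today:
<a href="http://intranet.example-verify.test/reset">https://intranet.example.test/</a></p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"

UEsDBA==
--b1--
"""
# Assumed wording for "a request for personal information or passwords".
ASKS = re.compile(r"\b(password|passcode|pin|card number|bank details)\b", re.I)
# Simplified anchor matcher (href in double quotes); enough for triage of one body.
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def red_flags(raw):
    """Return the sorted warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    links = ANCHOR.findall(text)
    flags = set()
    if next(msg.iter_attachments(), None) is not None:
        flags.add("attachment")
    if links or re.search(r"https?://", text):
        flags.add("link")
    for href, shown in links:
        host = urlparse(shown.strip()).hostname  # None when the text is not a URL
        if host and host != urlparse(href).hostname:
            flags.add("link-text-mismatch")  # visible address differs from target
    if ASKS.search(text):
        flags.add("asks-for-information")
    return sorted(flags)
```

A message that raises any of these flags is a candidate for a closer look, not proof of an attack; plenty of legitimate mail carries links and attachments.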

 

CybACADEMY courses powered by GoldPhish® educate employees on cyber risk and help build a more secure organisation with awareness training.

Our current FREE100 Campaign is aimed at helping smaller businesses get one step ahead of the cyber criminals with Free awareness training.
