What is social engineering and how can you protect your organization?
Social engineering, a broad term covering several kinds of attack that a hacker carries out against a victim, is a type of crime that manipulates people into giving up their confidential information to bad actors.
Rather than hacking someone’s account, masters of social engineering work to acquire sensitive information through means of trust.
The main philosophy of social engineering is that it’s easier and more effective to exploit the natural human tendency to trust than it is to hack an account using brute force or other means of password cracking.
Types of social engineering attacks
Social engineering has proven to be a very successful way for a criminal to “get inside” your organization. It can happen online or offline through acquiring sensitive information or by physically entering a facility. Here are some common schemes:
Phishing
Classified as a cybercrime, phishing occurs when someone tries to lure a target by posing as a legitimate source in order to obtain sensitive information such as usernames, passwords, and bank or credit card details. Targets are usually sent bogus emails, but they can also receive phone calls or texts.
Baiting
Baiting is when an attacker “baits” a victim with something highly desirable to lure them in – like a free movie download, or a device such as a USB flash drive or a cellphone. Once the victim downloads or connects to the bait, their system is promptly infected with malware.
Quid pro quo
A quid pro quo attack occurs when a hacker promises a benefit in exchange for information. This type of scenario is commonly known as a “something for something” attack. For example, a hacker could pose as a company’s IT support specialist, offering a software upgrade in exchange for the victim temporarily turning off their antivirus software, which lets the attacker install malware.
Email hacking and contact spamming
Email hacking and contact spamming are when an attacker sends messages via email with malicious intent. In order to gain access, attackers send from an email address that looks familiar so victims will comply with their request. Once the attacker gains access to a victim’s email account, they’ll spam the victim’s entire address book with the ultimate goal of obtaining sensitive information.
Piggybacking
Piggybacking is the attempt to gain unauthorized access to restricted areas through employees who don’t verify who someone is and automatically trust those around them.
For instance, you’re in the office and someone asks if you can hold the door open because they’ve forgotten their access key or RFID card. Are you sure they are an employee? Or are they trying to gain access into a restricted area or system?
A prime example of piggybacking is one Chris Nickerson, founder of security consultancy company Lares, recently shared with CSO. In his example, Nickerson discussed how he and his team piggybacked into an organization through a combination of:
- Knowledge of current events
- Researched public information
- Thrift store purchased ‘Cisco’ shirt
Nickerson said the shirt helped him convince employees at the targeted organization that he was a Cisco employee on a technical support visit, and he gained unauthorized entry. Once inside, he was able to drop malware-laden USB drives throughout the organization and hack the company’s network.
How to protect yourself from social engineering attacks
- Ensure your devices and routers have firewalls turned on and block incoming ICMP requests
- Instill a company-wide security policy
- Perform ongoing or regular training for your staff, like preparing employees through role-playing or learning about hacker tactics
- Install reputable antivirus software on your computer
- Back up your system on a regular basis to prevent data loss and promote business continuity