Social Engineering Explained: Part One – What is Social Engineering?
Defining Social Engineering
Social engineering is the act of manipulation or influence that lures a potential victim into revealing confidential information such as a social security number, account information, credit card details or building access codes. Social engineering is a type of cyber-attack that works to get the better of people through deception and trickery rather than technological methods. These specific attacks take advantage of human vulnerabilities such as emotion, trust or habit to persuade individuals to take action such as clicking a malicious link or visiting a fake website. Social engineering can have extreme consequences and can potentially be the cybercriminal’s foot in the door for an attack.
How Social Engineering Works
In contrast to viruses that rely on hacking techniques or malicious code to gain access, social engineering depends on human psychology. If an attacker succeeds in manipulating their victim, they can gain access to data, systems and even buildings. For example, instead of spending months working on a new malware strain, cybercriminals will focus their efforts on deceiving employees into revealing their passwords over the phone by posing as an IT support specialist. If they say the right things to the right person, they could be on the network in an instant.
Your network security and staff are only as strong as their weakest link. Cybercriminals use many different psychological techniques to help them find this weakest link.
Common Attack Techniques
Phishing Attacks – Phishing is a technique in which a target is contacted through some form of communication (email, phone, text message, etc.) by an attacker posing as a legitimate organization or company to lure the victim into revealing sensitive data. The most common form of phishing is done by email. A cybercriminal will send emails to a broad audience that either spoof a legitimate email address or contain what looks like authentic company information to manipulate individuals into revealing passwords and other personal data.
Spear Phishing – While phishing techniques target a large number of recipients, spear phishing focuses on a specific organization or individual. For example, attackers may spoof the CEO’s email address and send an email to a member of the finance team authorizing a payment to be made. Just take Barbara Corcoran for example. She recently lost $388,700 after her bookkeeper revealed account information in response to an email she received with an invoice and charge approval that appeared to be from Barbara’s assistant.
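The phishing and spear phishing entries above both hinge on the sender looking legitimate: a spoofed or lookalike address, or a display name that claims to be the CEO while the real address is something else. As an added example (not code from the original article), the Python routine below runs three cheap header checks a mail gateway or triage script can apply before a person ever sees the message: an email address embedded in the display name that differs from the real From address, a Reply-To domain that differs from the From domain, and a From domain that becomes a trusted domain once common character substitutions are folded. The trusted-domain list and the two sample messages are constructed for the example.

```python
"""Heuristic header checks for phishing and spear phishing.

Added example, not code from the original article. TRUSTED_DOMAINS is a
hypothetical setting for one organization; the sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical: domains this organization's staff and executives send from.
TRUSTED_DOMAINS = {"example-corp.com"}

# Substitutions commonly used to register lookalike domains (digit 1 for l, etc.).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# An email address hiding inside a display name, capturing its domain.
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def normalize_domain(domain: str) -> str:
    """Fold confusable substitutions so a lookalike compares equal to the real domain."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def analyze_headers(raw_message: str) -> list[str]:
    """Return warning strings for the message; an empty list means no check fired."""
    msg = message_from_string(raw_message)
    warnings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Check 1: display name carries an address whose domain differs from the real sender.
    hidden = EMAIL_IN_NAME.search(from_name)
    if hidden and hidden.group(1).lower() != from_domain:
        warnings.append(
            f"display name shows {hidden.group(1).lower()} but From is {from_domain}"
        )

    # Check 2: replies would go to a different domain than the one shown as sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain} differs from From {from_domain}")

    # Check 3: sender domain is not trusted but turns into a trusted one after folding.
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize_domain(from_domain) == normalize_domain(trusted):
                warnings.append(f"From domain {from_domain} is a lookalike of {trusted}")

    return warnings


# Constructed sample: a spear phishing attempt aimed at the finance team.
SPOOFED = """From: "ceo@example-corp.com" <ceo@examp1e-corp.com>
Reply-To: payments@mail-relay.test
To: finance@example-corp.com
Subject: Urgent invoice approval

Please approve the attached invoice today.
"""

# Constructed sample: an ordinary internal message.
CLEAN = """From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Lunch on Friday

Are we still on for Friday?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, analyze_headers(raw) or ["no warnings"])
```

None of these checks proves a message is malicious on its own; a legitimate newsletter often sets a different Reply-To, for instance. They are meant to route a message to a warning banner or a human review queue, which is exactly the pause a social engineering attempt relies on the victim not taking.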
Pretexting – Pretexting is possibly one of the most common forms of social engineering right now. This technique attempts to extract sensitive information by building trust over time. The attacker creates a believable but completely fabricated pretext to lay some groundwork and break down a victim’s defenses over time.
For example, they call a target and pretend to require certain information to activate a new system account or verify their identity. The more sophisticated versions will build up a relationship over days or weeks, and they may take on the identity of an actual employee in their victim’s IT department.
This kind of tactic is used to gain the victim’s trust and increase the likelihood that they will disclose requested information without hesitation.
Tailgating – Exactly as the name suggests, tailgating involves an unauthorized person passing behind an authorized user into a building or secure area, whether the authorized user lets them through by accident or is pressured into it. This is one of the most widespread security threats affecting organizations today.
We’re human and we make mistakes (they don’t call it human error for nothing). That’s why cybersecurity awareness in your organization is crucial. Knowing how to spot social engineering attempts is essential to keeping your organization safe and secure. Stay tuned for part two of this social engineering series, where we will go over how to protect yourself from social engineering attempts.