No matter how much you spend on complex cyber security software, there will always be one key weakness in your defence - people.
Cybercriminals utilise dozens of techniques to get access to you and your organisation’s information, many of which fall under the banner of ‘social engineering’.
But what is social engineering, how do social engineering attacks work and what are the types of social engineering? Join us as we present our essential guide.
Social engineering is a term that covers a wide variety of attacks that leverage human vulnerability in order to gain access to sensitive information.
With the risk of being targeted by social engineers growing greater by the day, it’s important that each of us fully understand the different types of social engineering attacks and how best to avoid them.
Whether we like to admit it or not, we’re all creatures of habit.
Modern life is an almost constant blur of mundane tasks and activities. Naturally, we all want to find the easiest and fastest way to get those tasks done.
Unfortunately, that often means that we’re lax about security.
Simple things, like using the same password across multiple accounts and giving an unknown service access to your accounts without questioning them, can make your life easier, but it leaves the door wide open to social engineers.
Social engineers find the gaps in our security habits and utilise emotional manipulation techniques to access our sensitive information.
Social engineering attacks come in all sorts of shapes and sizes, but the three most common ones to watch out for are:
Pretexting (Blagging Computing)
Pretexting, or Blagging Computing, involves fabricating a situation that requires the victim to provide details or take actions that they wouldn’t normally do.
This usually involves a scammer convincing a victim that they need certain details for identity verification, or a fraudster pretending to be a member of their internal team to gather private company information.
This involves offering something to an individual that seems non-suspicious but is in fact malicious.
This can come in both digital and non-digital format as either a file download, or an infected USB drive that has been planted with the hopes of a target plugging it into their machine.
Quid Pro Quo
Quid Pro Quo, or ‘something for something’, is an attack that relies on the (false) promise of a benefit in exchange for details.
For example, a scammer might contact victims, pretending to be IT support, and offer assistance. The scammer could then say that the victim needs to perform certain tasks (such as disabling their antivirus) to allow them to ‘help’, whilst actually causing the victim to unknowingly download malware.
They can either contact victims at home, or via the preferred method of contacting direct numbers for an organisation, pretending to work for the organisation being targeted.
The aim of tailgating (also known as piggybacking) is to gain access to an unauthorised area. Typically, this is achieved by an unauthorised person following closely behind an authorised individual and getting the authorised individual to give them access.
This might include following someone into a lift that requires a security key, often with some excuse like holding a large delivery, or simply having forgotten their key.
What social engineers rely on is people’s natural instinct to be helpful, so the next time you open the door to someone who you don’t recognise, don’t be afraid to question them.
Shoulder surfing is another physical form of social engineering that criminals use to gather information. When people work on the go, they lull themselves into a false sense of security and don’t realise that they could be being watched.
Criminals will look to identify people who work on the go either on their laptop or phone, follow them to a place that they might like to work, like a coffee shop, and get into a position where they can see what’s on the screen.
Shoulder surfing enables social engineers to see what services you use, who your contacts are, and most importantly what your passwords are. After making a note of these, the shoulder surfer can then try to access your systems remotely, or even impersonate you to gain access to confidential information.
While social engineering may seem simple, it represents a significant cyber security threat to organisations. While companies continue to invest in technological solutions to stay secure, they don’t fix the vulnerabilities that social engineers look to exploit - people’s behaviour, habits and emotions.
If a user is tricked into revealing details that can help an attacker through your defences, or tricked into allowing someone unauthorised access, then all the technology in the world may not be able to help you!
Phishing is the act of sending messages, most often by email, to a victim with the intention of getting them to give up login credentials and passwords. This is by far the most common tactic of social engineers.
The majority of phishing emails are easy to spot and poorly put together. However, because they’re sent to hundreds (if not thousands) of individuals, some phishing emails succeed in harvesting information.
Most phishing scams utilise fear or urgency to convince victims to comply without taking the time to think about it.
A more advanced form of phishing is called spear phishing. This is when a social engineer goes the extra mile to tailor the email to their target after carrying out extensive research on, or data-mining, their target. This results in more effective phishing attempts, which are harder to spot.
Defence against social engineers largely depends on awareness, and making sure that you and your workforce know what to be wary of.
Even the very best security technology can be overcome by a clever social engineer, which is why security awareness training is so essential.
Teaching your staff about the dangers of social engineering with engaging, jargon-free training is the most effective way of protecting your organisation.
To help you safeguard against some of these attacks, your staff should learn to: