Blog
Arrow back
SHARE THIS ARTICLE
Blog

What is social engineering?

21 September, 2023

When most people think of cyber threats, they picture complex coding and hackers exploiting software vulnerabilities.


However, one massive threat is often overlooked and misunderstood - social engineering.


But, what exactly is a social engineering attack?


Picture a scenario where hackers don't rely on cracking complex codes.


Instead, they employ a different strategy: charm and familiarity. They convince users to hand over sensitive information willingly.


It's a clever but simple tactic that can severely impact a company.


To shed light on this underestimated cyber threat, we will uncover further insights into how this attack occurs and how to prevent it from affecting your company.


Let’s get into it!


What is a social engineering attack?


Social engineering is like hacking the human mind.


Instead of targeting software or hardware, attackers manipulate human emotions, trust, and vulnerability to achieve their goals.


They exploit human traits such as curiosity, obedience, and the willingness to assist others. By posing as trusted contacts, they can extract sensitive information without the user realising they're compromising the company's security.


Methods of social engineering


Phishing


One of the most widespread social engineering techniques is phishing. Attackers send deceptive emails or messages that appear to come from trusted sources, aiming to persuade victims into revealing sensitive information like passwords or financial details.


For example, a user might receive an email that appears genuine from their bank, asking them to verify their account information by clicking a link.


Pretexting


In pretexting, the attacker constructs a fictional scenario to gain personal information. They may impersonate a co-worker to gain trust.


For instance, a pretexting scammer might pose as an employee and request the payroll department to update their banking details, claiming it's necessary to receive their salary.


Baiting


Baiting involves tempting victims with enticing offers or items, such as free software downloads or free vouchers.


These tempting rewards come with a catch – malware or malicious software. Once downloaded, it can compromise the system's security.


Tailgating


Also known as piggybacking, this technique involves gaining physical access by following an authorised person into a secure building or area.


This attack can be as simple as exploiting a person's natural inclination to be courteous by holding a door open. This can allow an attacker to enter an area, steal information, or insert malicious media into a computer.


Vishing (voice phishing)


Vishing employs phone calls to trick individuals into disclosing sensitive information, like debit card numbers or login credentials.


Attackers frequently impersonate trusted entities such as banks or government agencies. Victims might feel pressured to share information due to fear or a sense of urgency.


How social engineers gain access to sensitive data


  1. Social media
    Social engineers closely study their targets' social media profiles, gathering personal information that can aid in password guessing. This also assists them in creating a deceptive persona that appears trustworthy, leveraging this familiarity to manipulate victims.
  2. Building rapport
    Hackers may engage in seemingly harmless conversations over an extended period, gradually building trust and rapport with their targets. This can make the victim more likely to share sensitive information.
  3. Targeting the weakest link
    Social engineers frequently concentrate on individuals seen as the most vulnerable, such as new employees or those with limited cybersecurity knowledge.

Real-life case: Caesars Entertainment


To truly understand the severity of social engineering attacks, let's look at a real-world example involving one of the giants in the hospitality and casino industry - Caesars Entertainment.


Caesars Entertainment fell victim to a social engineering attack in September 2023.


Hackers managed to compromise the personal data of a significant number of loyalty programme customers. This breach stemmed from a social engineering tactic that exploited an IT support contractor.


The attackers, although unidentified, are believed to be part of a relatively inexperienced and young hacking group suspected to have bases in the UK and USA.


Rachel Tobac, CEO of SocialProof Security, an expert in social engineering prevention, highlighted a concerning trend: many organisations predominantly focus on defending against email-based threats, leaving them ill-prepared to counteract phone-based attackers effectively.


This highlights the pressing need for heightened awareness revolving around social engineering attacks.


How to prevent social engineering attacks


Prioritise employee awareness


Your employees are the first defence against social engineering attacks. Educate them about the various methods social engineers employ - stressing the importance of vigilance and scepticism.


Create a culture of cybersecurity awareness where employees actively identify and report suspicious activity.


Verify calls and emails


Train your employees to verify the authenticity of calls and emails, especially those requesting sensitive information or urgent actions.


Encourage them to rely on trusted contact information from official company sources, rather than solely trusting information provided in the communication.


Implement two-factor authentication (2FA)


Utilise 2FA wherever possible to add an additional layer of security. This can safeguard sensitive accounts and systems, even if login credentials are breached.


Conduct regular training


Schedule regular training sessions and simulations to evaluate your employees' ability to recognise and respond to social engineering attempts.


These exercises help strengthen cybersecurity awareness and readiness.


Establish reporting protocols


Create clear and user-friendly protocols for reporting suspicious activities or potential security breaches.


Ensure that employees are well-informed about how and where to report such incidents, with the assurance that their concerns will be taken seriously.


Secure physical access


Implement physical security measures to prevent unauthorised access to sensitive areas within your organisation. This includes the use of access controls, keycards, and CCTV.


Stay informed


Stay up-to-date with the latest social engineering tactics and trends. Being aware of evolving methods is essential for staying protected against these attacks.


How Bob’s Business can help


At Bob’s Business, we understand the importance of raising employee awareness through ongoing training.


We offer tailored courses to enhance your company's security, covering everything from employee training on social engineering attacks to simulated phishing exercises.


With our expertise, you can empower your team to defend against these threats, strengthening your cybersecurity.



Back to resources

Ready to build your cybersecurity culture?

Whether you’re looking for complete culture change, phishing simulations or compliance training, we have solutions that are tailor-made to fit for your organisation.

Girl with laptop
Boy with laptop
man and woman with laptops
ISO27001
ISO9001
Global Cyber Alliance