Enterprises are well aware of threat attacks that pose a huge challenge to IT security, perpetrated by technical hackers who infiltrate computer systems to steal protected data. The truth is, however, that many of the most effective cyber-attacks are not directly inflicted upon hardware or software, but instead, are targeted on people.
Social Engineering: What is it?
Social engineering attacks, as these threats are widely known, are IT security attacks that exploit a vulnerability that is present in every organisation: the human element. The tactics make use of human psychology to manipulate or deceive even the most shrewd users into handing over confidential data such as login credentials, personal information, and/or financial data.
Ninety-one percent of attacks are carried out through email, while others are done through phone calls and social media. These can be directed at a broad range of individuals—from students to employees to business executives and even IT professionals.
Organisations, thus, have legitimate reasons to be wary of social engineering, as a successful attack on an employee (new hires are most vulnerable) can lead to a breach of their IT security and potentially, a full-blown cyberattack and data breach. This is because Trojans, spyware, and other similar malware need to be activated by a person, who clicks (on the deceptive link), opens, and allows the malicious program to do its job.
The Social Engineering attack cycle
Many view social engineering as a trick as old as time, but given the manner in which it is perpetrated, i.e. using open-source intelligence that is unique to the person being targeted, it’s not surprising that social engineering attacks continue to work effectively in this day and age.
While there are social engineers who simply send out emails randomly and wait for users to be tricked into giving the anticipated response, the more sophisticated social engineering attacks today follow a series of steps to ensure higher chances of success:
- Prepare the ground for an attack. Using social media, the perpetrator conducts research on the target, whether it is an individual or a company. If it’s the latter, they would need to know the structure of the organisation and identify certain employees at whom they can direct the SE technique.
- Gather information. In this step, the attacker engages the potential victim, acting as a trusted individual or licit institution, and gets the required information.
- Plan the attack. Based on the data collected from the first two stages, the attacker will activate the technological tools and computer programs that are most likely to achieve the desired objective.
- Make a clean exit. As soon as the attack is successful, social engineers need to tie up loose ends so that no trail can be traced back to them when they exit.
Beware of these Social Engineering techniques
Many forms of social engineering attacks have come and gone, but at the start of this new decade, and possibly in the next few years, the following methods continue to be useful for hackers:
- Phishing. Perhaps the most common form of social engineering, phishing utilises legitimate-sounding emails and official-looking websites to hoodwink people into clicking on malicious links, providing confidential information, or opening files that will then download malware into the system. Phishing may be one of the oldest methods in SE, but it is still difficult to stop, even in 2020, because the attacks are becoming more sophisticated, thanks to well-designed and polished off-the-shelf templates and tools.
- Scareware. Scareware, also called deception software, preys on unsuspecting users by making them believe that their device is affected by malware. Victims are inundated with false alarms and fake threats until it seems they have no choice but to download certain software that is of no actual use or is the real malware itself.
- Baiting. Baiting is a SE tactic that primarily relies on the greed or curiosity of would-be victims, luring them with the promise of a free or extremely attractive item in exchange for handing over information or downloading some software. Baiting isn’t going away anytime soon, because the wealth of in-demand, downloadable content available on the internet these days—music, movies, etc., allows hackers to offer an endless supply of tempting gifts.
- Quid Pro Quo. Similar to baiting, quid pro quo also promises enticing benefits in exchange for critical data or login information. The main difference here is that instead of goods, victims are offered valuable services such as tech support or an IT service.
- Tailgating. Tailgating is a physical form of social engineering which involves “piggybacking” (as this is also called) on an authorised person’s access to company premises and facilities. Fraudsters gain entry to a restricted area by either waiting unobtrusively and quickly following an employee when the opportunity arises or using tricks to fool an employee into letting them in as well. An example is a tailgater posing as a delivery person and asking the authorised person to “hold” the door for them.
Don’t be a victim of Social Engineering
Social engineering continues to pose a big threat to IT security, so organisations must step up their awareness campaigns and continually update employees of the means by which social engineers could attack. Running phishing simulation tests on employees, constantly reminding them of the dangers of opening emails from questionable sources, deploying secure email and web gateways, and updating antivirus software are only some of the measures that enterprises can implement to minimise social engineering attacks.