The Social Engineering Techniques To Look Out For
Social engineering is one of the most dangerous and insidious forms of cyberattack. Constantly changing and frequently bypassing even sophisticated security solutions, it can seem impossible to defend against. Yet there are ways to limit its effects, primarily by training employees to recognize specific social engineering techniques. Better social engineering awareness reduces your organization’s overall risk, though keeping that training current is constant work.
What is Social Engineering?
Social engineering is a type of malicious attack that uses human interaction to obtain information about an organization or its computer systems. It can range from sending an email that looks like a bank alert to walking straight into a company and asking to see its computers. Social engineering is a major vulnerability for end users and businesses because it is very difficult to protect against: with social engineering, your own employees become your most significant threat.
Phishing attempts alone account for 70% to 89% of successful data breaches, because they can be sent out in large quantities to potentially vulnerable targets with little personal investment. It is easy for a careless employee to fall for a phishing attempt, and even the savviest employee can occasionally make a mistake and click the wrong link.
What Are Some Common Social Engineering Techniques?
There are many types of social engineering. Unsolicited phone calls (vishing), text messages (smishing), and email messages (phishing) are all different types of social engineering. In-person visits can even be a type of social engineering.
Here are some of the most common social engineering scams:
- Phishing attacks. Phishing attacks use email to try to collect confidential information, and cybercriminals have stolen a tremendous amount of information through them. During tax season, they quite commonly steal W-2s, which contain a great deal of personally identifiable information that can then be used for identity theft.
- Pretexting attacks. These are general attacks that involve creating some form of “pretext” to get information. For instance, a social engineer may call an employee and claim to need information for their W-2. Pretexting attacks are becoming easier through social media, because social media makes it possible to look up a company’s internal hierarchy and departments.
- Tailgating attacks. A tailgating attack is an in-person attack in which a malicious actor follows someone into an area they aren’t authorized to access. Once inside a secured area, a social engineer may look for information; a computer that is still logged in, for instance, could give them everything they need.
- Quid pro quo attacks. This type of attack involves an individual offering something, like a service, in exchange for information. As an example, a malicious actor may offer IT assistance in exchange for someone’s password, and the targeted individual does not question it because they are being offered a service. Quid pro quo attacks tend to be very effective for this reason: no one expects an attacker to actually offer something.
- Baiting attacks. Baiting attacks are similar to phishing attempts, except that they offer the employee something attractive. An abandoned USB drive, for example, could contain malware that launches once it is plugged in.
Of course, new social engineering techniques are discovered every day. As long as a malicious actor can communicate with an employee, they can attempt to convince that employee to compromise information.
Defending Against Social Engineering
Social engineering is hard to detect because it is based on communication. While some phishing attempts can be blocked (because they often link directly to blacklisted websites), many are not. To protect against social engineering attempts, employees must be trained to:
- Avoid providing any personal information or information about the organization, no matter how trivial it seems. A malicious actor may ask questions about network architecture or organizational structure, then use the answers to extract additional information from someone else.
- Never provide personal or financial information via email, and never respond to email solicitations for such information.
- Never follow links sent in emails or social media posts, as these are common ways cybercriminals try to steal your information.
- If you are contacted for information, whether by email or by phone, contact the requesting entity directly rather than replying to the message.
Social engineering attempts are naturally difficult to protect against. Yet with the right training and awareness, you should be able to reduce the risk to your employees and the business. You can train your employees to identify the latest phishing threats with the help of KnowBe4.