If you think your staff and senior management team are not that gullible, think again. Social engineering is a sophisticated security threat that even the most security-conscious people have been tricked by.
What Is Social Engineering?
Social engineering starts with engagement between the attacker and the ‘victim’ via social media, email, or mobile apps. The aim is to get the target to carry out an action that allows the attacker to infect IT systems, steal data or transfer money.
While automated security attacks are a blanket approach to breaching an organisation’s defences, social engineering can be much more targeted: aimed at specific businesses, at specific assets, and often at specific employees, too.
Bruce Penson, Managing Director of Pro Drive IT, explains some of the more popular methods used in social engineering campaigns, describing what each may look like and its outcome if successfully triggered:
Baiting: Baiting can be a very targeted attack in which the attacker leaves a physical device, such as a USB flash drive infected with malware, in a prominent place. This could be at a conference, unbeknownst to the organisers, and the device could be branded so it passes as official conference material. Once a delegate or other user loads it onto a computer, the malware is installed and activated. Mobile apps are used in the same way: attackers create cheap or free apps that, when downloaded, infect the mobile device (and the systems it accesses) with malware.
Phishing: This is an email attack that purports to be a legitimate communication, often from a trusted source. The aim is to get the recipient either to open a malware-infected attachment or link, or to divulge personal or financial information.
Pretexting: Pretexting involves having a false motive, in other words lying. Perhaps the most common technique is to request personal or financial information in order to ‘confirm the identity’ of the victim. This request may come after a number of other communications designed to build trust with the recipient before persuading them to part with the information. In other cases the attacker may pretend to be a colleague who needs the information quickly, or a higher authority, relying on the victim not questioning their superiors and simply providing the information.
Scareware: Another form of social engineering is to convince the victim that they are at risk and to offer a solution to put it right, for example by making the recipient think they have downloaded malware or illegal content and offering a fix. The ‘fix’ is the actual malware. The tactic preys on our concerns about security and, in many cases, on employees’ anxiety about telling someone that they have infected the system.
Spear phishing: Just like phishing but with another layer of sophistication, spear phishing targets specific employees within an organisation. In some cases the attacker may know an employee’s actual name; in others they may target people based on their role within the company.
What Can You Do To Protect Your Organisation?
Security awareness training is one of the most effective ways to prevent social engineering attacks. If your employees know what to look out for, are vigilant, and question every request for information that is uncharacteristic or deviates from security and data protection protocols, they are less likely to become an ‘enabler’.
A very effective way to help employees, including senior members of staff, understand how social engineering campaigns work is to get your IT provider to run penetration tests using these techniques. This will highlight vulnerabilities and identify the employees and other users who are most at risk of being on the receiving end of this type of attack.