You don’t always have to be good at manipulating code to hack into secure systems. Being good at manipulating people can deliver the same results.
This is known as social engineering – the process of influencing people or tricking them into divulging confidential information.
Social engineering is consistently reported as the most successful tactic attackers employ; one widely cited industry estimate attributes around 98% of cyber attacks to it.
While cyber security technologies continue to innovate, there remains a weak link in the cyber security chain: HUMAN BEHAVIOUR.
Of course, some do it more successfully than others. Emails from people claiming to be the widow/orphan of a Nigerian millionaire whose cash can only be accessed overseas are much easier to ignore than emails from your boss asking you to take urgent action.
What Are the Common Types of Social Engineering?
Phishing Emails
Phishing is the most common method of social engineering. The victim receives an email asking them to visit a website, open an attachment, or reset their password. Credentials entered on the attacker's lookalike page are then used to access the victim's account, or malware is downloaded to their machine, giving the attacker free rein to carry out ransomware attacks or other malicious actions.
Spear Phishing Emails
Spear phishing emails use the same techniques as phishing emails, but in a more sophisticated, more targeted way. Attackers impersonate individuals or entities that are known to the victim. With the amount of information available on social media, it is easy for attackers to find a lure the victim is likely to act on.
For example...
If you post on Facebook about running a 5k in aid of Cancer Research, your attacker will know that posing as a cancer charity might get a reaction from you.
For this reason, spear phishing attacks are often highly effective and well worth the attacker's effort.
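The signals described in the phishing and spear phishing sections above (a trusted identity written into the display name over an unrelated sender address, a Reply-To that diverts the conversation elsewhere, a lookalike sender domain, link text that names one site while the real link goes to another, and urgency wording) can be checked mechanically before a message reaches a person. The following Python script is an added example and not code from the original article. The trusted-domain list, the urgency word list and the two sample messages are constructed for illustration, and a real deployment would also consult SPF/DKIM/DMARC results, which this example does not.

```python
"""Heuristic phishing triage for one raw e-mail message (added example).

Not code from the original article. TRUSTED_DOMAINS, URGENCY_WORDS and the
two sample messages below are constructed assumptions for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Assumption: domains this organisation treats as its own or as known partners.
TRUSTED_DOMAINS = {"example.com", "payroll-example.com"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account will be suspended")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a small value between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates (edit distance 1 or 2), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if _levenshtein(domain, trusted) <= 2:
            return trusted
    return None


class _Links(HTMLParser):
    """Collect (visible anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append(("".join(self._text).strip(), self._href))
            self._href = None


def _body(msg):
    """Return (content type, decoded text) of the first text/* part, or ("", "")."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True)
            return ctype, raw.decode(part.get_content_charset() or "utf-8", "replace")
    return "", ""


def analyse(raw: str) -> list:
    """Return human-readable findings for one RFC 5322 message; empty means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_dom = _domain(sender)

    # 1. A trusted address written into the display name: "ceo@example.com" <x@evil.net>
    shown_dom = _domain(parseaddr(display)[1])
    if shown_dom in TRUSTED_DOMAINS and shown_dom != sender_dom:
        findings.append(f"display name shows {shown_dom} but sender domain is {sender_dom}")

    # 2. Replies silently diverted to a different domain.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != sender_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {sender_dom}")

    # 3. Sender domain is a near miss of a trusted one.
    hit = lookalike_of(sender_dom)
    if hit:
        findings.append(f"sender domain {sender_dom} looks like trusted domain {hit}")

    ctype, body = _body(msg)
    if ctype == "text/html":
        parser = _Links()
        parser.feed(body)
        for text, href in parser.pairs:
            real_host = (urlparse(href).hostname or "").lower()
            shown = HOST_RE.search(text.lower())
            # 4. Visible link text names one host while the href goes to another.
            if shown and shown.group(0) != real_host:
                findings.append(f"link text says {shown.group(0)} but points at {real_host}")
            # 5. The real destination imitates a trusted domain.
            hit = lookalike_of(real_host)
            if hit:
                findings.append(f"link host {real_host} looks like trusted domain {hit}")

    # 6. Pressure language in the subject or body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    words = [w for w in URGENCY_WORDS if w in haystack]
    if words:
        findings.append("urgency wording: " + ", ".join(words))
    return findings


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Two or more independent signals is the (assumed) bar for quarantine."""
    return len(analyse(raw)) >= threshold


# Constructed sample: CEO-fraud style message sent from a lookalike domain.
PHISH = """\
From: "ceo@example.com" <alerts@examp1e.com>
Reply-To: finance-desk@mail-relay.net
To: staff@example.com
Subject: URGENT: wire transfer needed today
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Please action this immediately. Approve the payment here:
<a href="http://examp1e.com/approve">https://portal.example.com/approve</a></p></body></html>
"""

# Constructed sample: a routine internal message that should pass.
BENIGN = """\
From: "Payroll Team" <payroll@example.com>
To: staff@example.com
Subject: Payslips for March are available
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Your payslip is on <a href="https://portal.example.com/">the portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, "suspicious" if is_suspicious(sample) else "clean")
        for finding in analyse(sample):
            print("  -", finding)
```

Each finding on its own is weak (a legitimate mailing-list relay also sets a different Reply-To, and marketing copy is full of "urgent"), which is why the decision is based on several independent signals together rather than any one of them. Host comparison is exact-match, so a link text of `example.com` pointing at `www.example.com` is reported; tightening that to registrable-domain comparison is a reasonable next step.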
Whaling Attack
Whaling attacks take spear phishing to another level. They target C-suite executives with highly personalised emails, attempting to gain access to sensitive information or persuade the victim to make money transfers. A closely related variant, often called CEO fraud or business email compromise, turns this around: the attacker impersonates the CEO and convinces other members of staff to make a wire transfer.
Tailgating
Tailgating, or piggybacking, is following a legitimate entrant into a secure place. For example, they could ask you to hold the door open so they can enter without a security pass. Once inside, they have physical access to your premises: unattended workstations, network ports, printers and paperwork.
Baiting
Baiting is the act of reeling in a victim with something enticing. It could be an emailed file containing something interesting, like employees' pay records, or a link to download free music or films. Another example is USB drives purposely left to be found: when a curious employee plugs one in, it infects their computer and the infection spreads through the network.
Pretexting
Attackers devise a convincing pretext for requesting secure information, such as establishing authority by impersonating someone known to the victim. Again, this is relatively easy to do with the information available on social media.
Target: EVERYONE
No one is immune to social engineering attacks. What we have in common—our humanity—makes us all vulnerable and a target.
Most people have a default position of trust, which, when combined with the level of detail attackers can glean from our online presence, gives cyber criminals the power they need to pull off these attacks.
Often, a sense of urgency is attached to these scams that can disorient victims. They will respond as requested and only afterwards consider whether they have been scammed.
The Best Defence? Security Awareness Training
The best protection against these cyber crimes is training and education.
Training employees to think before they click, understand the risks and potential consequences and spot phishing emails will help prevent these attacks from being successful.
Instituting policies regarding financial transfers, for example requiring multiple sign-offs and confirmation through a separate, known channel (such as a phone call to a number already on file, rather than any number given in the email) instead of acting on emailed instructions alone, will also help avoid these risks.
As our digital world grows, the attack surface grows with it. With so much personal and sensitive information online, all the ingredients are ready for cyber criminals to carry out successful attacks.