Social engineering is a tactic used by cyber criminals to manipulate individuals into giving up confidential information such as Social Security numbers, credit card numbers, passwords, and more.
In the cybersecurity world, the weakest link in the security chain is the user, which is why people are the target when it comes to social engineering.
It doesn’t matter how many security measures you have in place.
You can have locks on your doors, an alarm system, the latest firewalls, and network or security monitoring tools; all it takes to hack into your network is to trick a user into clicking on a malicious link they think came from a social media site.
There are many types of social engineering attacks.
In fact, employees open more than 1 out of 4 business email compromise attacks, according to Abnormal Security.
Attackers will use whatever means necessary to gain access to a company's network and steal personal information.
Criminals will sometimes spend weeks or even months researching companies and their employees on social media like LinkedIn, Twitter, or Facebook before coming in the door.
In your workplace, how often have you heard phrases like:
Even though the individual may not seem suspicious, this is a very common tactic used in this type of cyberattack.
On the phone, a social engineer might call and pretend to be a trusted person (law enforcement, co-worker, IT support, bank auditor, etc.) in the hopes you'll reveal sensitive data, like providing access to a bank account.
There are many types.
Below, we've listed the most common.
Often, attacks are accompanied by a sense of urgency, meaning the would-be victim needs to act quickly so they don't have time to think critically about their actions.
This is the most common of the many social engineering techniques.
Phishing is a technique used to convince people to open emails or attachments infected with malware.
Criminals will usually start phishing campaigns by creating a malicious website that looks familiar to the user, like Outlook, Amazon, or a social networking site.
They will then send a crafted email to the company without targeting a specific user.
Clicking on any link in these emails will take users to a login page asking them to provide their login information.
This will eventually lead to a request for credit card information or other potentially sensitive information.
As a precaution, never open links or attachments from unknown sources.
When in doubt, it is best to report the message.
This helps reduce the risk of getting compromised and increases the level of awareness of phishing attacks.
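The lookalike-login-page pattern described above can be checked for mechanically when a reported email is triaged. The following is an added example, not part of the original article: it flags links whose destination does not match the brand or address they display. The `BRANDS` allowlist, the function names, and the sample email are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: brand -> domains it really uses (illustrative, not exhaustive).
BRANDS = {"outlook": {"outlook.com", "office.com", "live.com"}, "amazon": {"amazon.com"}}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    try:  # lower-cased hostname, or "" when the value cannot be parsed as a URL
        return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    except ValueError:
        return ""

def check_link(href, text):
    """Return the reasons (possibly none) a link looks like a credential-phishing lure."""
    reasons, host = [], host_of(href)
    for brand, domains in BRANDS.items():
        legit = any(host == d or host.endswith("." + d) for d in domains)
        if (brand in host or brand in text.lower()) and not legit:
            reasons.append(f"mentions {brand} but points to {host}")
    # Visible text that is itself a URL or domain should match the real destination.
    if " " not in text and "." in text and host_of(text) != host:
        reasons.append(f"text shows {host_of(text)} but link goes to {host}")
    return reasons

def scan_email(html):
    """Return [(href, reasons)] for every link in the body that raised a flag."""
    parser = LinkCollector()
    parser.feed(html)
    return [(h, r) for h, t in parser.links if (r := check_link(h, t))]

# Constructed sample body: reserved example domain and documentation IP address.
SAMPLE_EMAIL = """<a href="https://outlook.office.com/mail/">Open Outlook</a>
<a href="http://outlook-login.example.net/signin">Sign in to Outlook</a>
<a href="http://198.51.100.7/a">https://www.amazon.com/orders</a>"""
```

Calling `scan_email(SAMPLE_EMAIL)` leaves the genuine Outlook link alone and returns the other two with their reasons; a clean result does not prove a message is safe, so reporting remains the fallback.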
This form of social engineering works when attackers pretend to be someone else to successfully obtain sensitive information.
Pretexting can be used to create a whole new identity, and then use that identity to manipulate users.
For instance, a criminal may initiate a phone call and claim he's from the HR department, and ask you a few questions.
When the criminal has the information he wants, he will sell it to people who may use it to steal your company’s assets or even sue you.
Smishing is a combination of SMS and phishing—it uses text messages instead of email.
This type of attack exploits human trust and occurs when a would-be cybercriminal sends a text message to lure victims into immediate action.
This usually starts with a criminal striking up a friendly conversation to talk their way into accessing a restricted area of your business.
This could be as simple as an employee opening a door and holding it open for another person to enter, without any proof that the person they let in had the authorization to enter.
Baiting is simply offering users something free.
An attacker might offer you free movie or music downloads.
These, of course, contain malicious programs.
In another instance, an attacker would leave infected USB drives at a public place hoping someone would pick them up and use them on their devices.
Social engineering should be a concern for organizations of any size, big or small.
Therefore, prevention and education play a key role in avoiding incidents.
Integrity can assist and support your organization with a customized security bundle that addresses these common threats.
The goals are to:
Integrity's Information Security Advisor and dedicated Security Services Team are ready to assist you with:
Contact us for more information.