Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access.
Phishing, spear phishing, and CEO Fraud are all examples.
What is a social engineer?
OK, so who are these people? It could be a hacker in the USA who is out to do damage or disrupt. It could be a member of an Eastern Europe cybercrime mafia that is trying to penetrate your network and steal cash from your online bank account. Or, it could be a Chinese hacker that is trying to get in your organisation’s network for corporate espionage.
Top 10 techniques used by social engineers
Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how the bad guys do it:
- Pretexting – An invented scenario is used to engage a potential victim to try and increase the chance that the victim will bite. It’s a false motive usually involving some real knowledge of the victim (e.g. date of birth, Social Security number, etc.) in an attempt to get even more information.
- Diversion theft – A ‘con’ exercised by professional thieves, usually targeted at a transport or courier company. The objective is to trick the company into making the delivery somewhere other than the intended location.
- Phishing – The process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters. Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering. Also see Spear Phishing.
- Spear phishing – A small, focused, targeted attack via email on a particular person or organisation with the goal to penetrate their defenses. The spear phishing attack is done after research on the target and has a specific personalised component designed to make the target do something against their own interest.
- Water-holing – This technique takes advantage of websites people regularly visit and trust. The attacker will gather information about a targeted group of individuals to find out what those websites are, then test those websites for vulnerabilities. Over time, one or more members of the targeted group will get infected and the attacker can gain access to the secure system.
- Baiting – Baiting means dangling something in front of a victim so that they take action. It can be through a peer-to-peer or social networking site in the form of a (porn) movie download or it can be a USB drive labelled “Q1 Layoff Plan” left out in a public place for the victim to find. Once the device is used or malicious file is downloaded, the victim’s computer is infected allowing the criminal to take over the network.
- Quid pro quo – Latin for ‘something for something’, in this case it’s a benefit to the victim in exchange for information. A good example is hackers pretending to be IT support. They will call everyone they can find at a company to say they have a quick fix and “you just need to disable your AV”. Anyone that falls for it gets malware like ransomware installed on their machine.
- Tailgating – A method used by social engineers to gain access to a building or other protected area. A tailgater waits for an authorised user to open and pass through a secure entry and then follows right behind.
- Honeytrap – A trick that makes men interact with a fictitious attractive female online. From old spy tactics where a real female was used.
- Rogue – Also, Rogue Scanner, rogue anti-spyware, rogue anti-malware or scareware, rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware. Rogue security software, in recent years, has become a growing and serious security threat in desktop computing. It is a very popular and there are literally dozens of these programs.
You may have heard of Norton antivirus, published by Symantec. The technical director of Symantec Security Response said that bad guys are generally not trying to exploit technical vulnerabilities in Windows. They are going after you instead.
“You don’t need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content.”
Only about 3% of the malware they run into tries to exploit a technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme. This means it does not matter if your workstation is a PC or a Mac. The last line of defence is… you guessed it: YOU!
How can you prevent attacks?
We’ve pulled together some resources to help you defend against social engineering attacks. A good place to start is ensure you have all levels of defense in depth in place. Keep reading below to find out how you can make yourself a hard target, get additional content for yourself and your users and stay up to date with social engineering in the news via our blog.
Social engineering attacks, including ransomware, business email compromise (BEC) and phishing, are problems that can never be solved, but rather only managed with a focus on security awareness training.
- Start with a baseline phishing security test to assess your organisation’s baseline Phish-prone™ percentage
- Step users through interactive, new-school security awareness training
- Run frequent simulated social engineering tests to keep users on their toes with security top of mind
Did you know that 77% of successful social engineering attacks started with a phishing email?
Find out what percentage of your employees are Phish-prone™ with your free Phishing Security Test. Plus, give them point-of-failure training using our Social Engineering Indicators feature. Go Phishing Now!
Social engineering tip sheet
The below infographic will show your users what to watch out for in emails. We highly recommend you print it out, it’s a great at a glance reminder.
Download the Security Awareness Training datasheet to discover more!