What is social engineering?

In our ever-evolving digital landscape, educating and training your employees to recognise and identify cyber threats has never been more vital. In a recent report from Positive Technologies, it was revealed that 2020 has seen a 22.5% rise in cyber-attacks when compared to the previous year, with a staggering 67% of these attacks occurring from what’s called, social engineering. This is hardly surprising when it was also revealed by Cyber Talk that companies now have 70% of their workforce operating remotely. With a likelihood for social guards to be down in a home environment this only increases risk.

Social engineering is a term used to refer to an attack strategy used by hackers. The attack relies primarily on human interaction and manipulation, eventually causing them to break standard security practises or reveal sensitive information.

Social engineering relies on the exploitation and deception of individuals rather than trying to find technical vulnerabilities within a network – if your workforce is not sufficiently trained, it’s the easiest way for cybercriminals to gain access to your organisation.

Threat actors will often disguise themselves as a trusted entity or information source in order to gain the trust of an individual (like payroll or a supplier) – As a result the victim is more willing to reveal confidential information, click on a malicious link, or grant access to an account.

In the majority of social engineering attacks, fraudsters will begin by investigating the chosen target and further gather background information. This potential victim could be an individual or an entire enterprise – if it is the latter, the perpetrator might begin by researching the employee structure, internal processes, potential weaknesses or any other relevant information needed to proceed with the attack.

Often, a common tactic of hackers is to examine the social media accounts of employees to study their behavior and subsequently design a personalised and targeted attack. Once this information is gathered, any potential weaknesses are ready to be exploited.

There are various different types of social engineering attacks, the most notorious undoubtedly being phishing campaigns. If you want more information on how to spot this common form of attack, have a look at our annotation of a real scam email received and spotted by one of our staff here.

Whilst phishing is the most popular form of social engineering attack, occurring when a hacker makes fraudulent contact with the victim via email or texts, there are multiple other types of social engineering methods you might not have heard as much about…

Spear Phishing

Spear phishing is (not surprisingly) an advanced form of phishing attack. Whilst phishing campaigns are often formed through identical scam emails send to thousands of individuals in the hope that one lands, spear phishing is much more targeted. A spear phishing attack is specific to the victim, using personal information to gain trust and appear valid. Unsurprisingly, the personal nature of this tactic means it tends to have a much higher success rate in deceiving the victims as opposed to regular phishing emails.

Baiting

Baiting is when a cyber-criminal leaves a malware-infected device (or ‘bait’) somewhere that is likely to be found. This device would typically be a USB flash drive or CD, often marked with company information for added authenticity. The success of this method is based on the expectation that whoever finds the bait will load it into their computer out of curiosity (particularly if it is marked with something enticing that plays on the prying nature of humans), and subsequently install the malware.

Pretexting

In this tactic, the attacker obtains confidential information by lying to the victim and creating false circumstances in which to gain the access or data. An example of this could be the perpetrator impersonating co-workers, or official authorities and pretending to need personal information in order to confirm the victim’s identity.

Through pretexting, the scammer can gather information such as login credentials, financial details, access to networks and more. This is particularly effective as it often uses fear and intimidation on the victim if the scammer is impersonating an authoritative figure.

Tailgating

Tailgating is a physical social engineering method, whereby an unauthorised individual gains entry into a secure location by following behind an authorised user. This could happen by asking somebody to hold a door open for them, or even to borrow their phone to call a friend, whilst unknowingly installing malware or steal information. This technique is also sometimes known as piggybacking and targets trusting individuals.

Quid pro quo

This attack method occurs when a cybercriminal requests sensitive information from the victim in exchange for a service or some sort of compensation. An example of this could be requesting personal credentials in order to receive a free gift, or pretending to assist with IT support. This method can be particularly effective around holidays – playing on those happy to hear about Christmas offers and discounts!

Scareware

This technique involves victims receiving false alarms and threats to scare the user into purchasing or installing fake antivirus protection – this would then install the attacker’s malware. Common forms of scareware include pop-up banners in your browser but can also be circulated through emails.

The list of social engineering tactics is extensive but through awareness and education, it’s easy to spot the most common methods when used.

Education

In order for a business to be truly prepared for social engineering attacks, prevention through education is key. Here at Stripe OLT, we can help turn your workforce into the first line of security defence with our cyber security education courses.

Our GCHQ certified trainers provide Staff Cyber Awareness (SCA) and Executive Cyber Fundamentals (ECF), covering specific areas of business risk and how to mitigate these appropriately. Our ECF course has a specific section focused on social engineering. If your employees are aware of the various forms of social engineering, they are less likely to fall victim!

Penetration Testing

This type of assessment provides an in-depth understanding of your cyber-security posture, whilst also being able to identify which employees may require further training. Security experts universally advise regular penetration testing in order to identify and prioritise all risks to your organisation, including social engineering.

Antivirus and anti-malware software

Having solid, reliable and up-to-date antivirus and anti-malware protection will prevent scams reaching the user’s mailboxes – reducing the likelihood of an employee clicking a malicious link in the first place! Automatic updates are a dependable way to ensure you stay up to date with the latest software.

Multi-Factor Authentication

Ensuring your workforce utilise multi-factor authentication can assist in protecting your account if the system gets compromised. For example, a combination of passwords, used alongside biometrics, is one way to help avoid social engineering attacks.

Robust technology is undoubtedly necessary for cyber security protection, but ultimately it is the combination of the right technology underpinned with an educated workforce that will protect your business from internal and external attacks.

If you would like more information on how our highly accredited SecOps team can test and protect your organisation, get in touch here.