What is Social Engineering?
Social engineering is the term used for a broad range of malicious activities accomplished through human interactions between an unsuspecting victim and a would-be hacker. It typically uses psychological manipulation to trick users into making security mistakes or giving away sensitive information, instead of more traditional hacking methods.
Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim to gather necessary background information, such as potential points of entry and weak security protocols needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.
This may all sound very dramatic, but to the victim the entire process can appear either mundane or like an emergency. This means it will either be mostly ignored or cause you to react quickly and without thinking. When you’re panicked you’re at your most vulnerable, and your emotional state can be used against you.

What makes social engineering especially dangerous is that it relies on human error rather than on vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable than a malware-based intrusion, which makes them harder to identify and remove. This is why you should focus on employee-centered education and training. First, let’s identify the different kinds of social engineering “games” that hackers play.
8 Common Social Engineering Tactics
- Phishing: tactics include deceptive emails, websites, and text messages to steal information.
- Spear Phishing: A clever name, but a more costly and effective version of regular phishing. A personally crafted email is used to carry out targeted attacks against individuals or businesses.
- Pretexting: a technique that uses a false identity or fabricated scenario to con victims into giving up their personal information.
- Tailgating (also called “Piggybacking”) relies on individual trust to give the criminal substantial access to a secure building or area. This is one of the more insidious techniques listed here.
- Malware: employees can be misled into believing that malware is installed on their computer and that, if they pay the person holding them hostage, the malware will be removed.
- Baiting: an online or physical social engineering attack that promises the victim a reward, such as a raffle or prize, in exchange for their personal information.
- Vishing: frantic or urgent phone calls that attempt to convince the victim that they need to act quickly to protect themselves or a loved one from arrest or imprisonment.
- Water-Holing (watering-hole attacks): an advanced social engineering assault that compromises a website its targets are known to visit and uses it to infect those visitors with malware.
These methods are utilized on a daily basis by hackers attempting to break into organizations across the globe. This realization has led CNI to offer planned and approved social engineering attack projects for our clients as a service.
Social engineering is more common than you might think.
In fact, even if you aren’t familiar with the term, you’ve probably encountered it: grandparents calling you, saying they’ve received a call claiming you’re under arrest and need bail money. Social engineering is a common criminal tactic used to gain information, money, and power over people and companies. It’s important to have a good understanding of it so that you’ll be able to combat it effectively. Businesses are just as vulnerable as individuals, because companies are made up of individuals. A high-ranking employee could get a call from what they think is a vendor and accidentally give away the password to an account, exposing your financial information, or something much worse.
“In April of 2013, the Associated Press’ (AP) Twitter account posted a tweet stating, “Breaking: Two Explosions in the White House and Barack Obama is injured” to its more than 2 million followers.
In the 3 minutes that the tweet was public and the account compromised, the Dow had plummeted 150 points, equivalent to $136 billion in equity market value.
The Associated Press received an email that appeared to be from others within the company. In fact, the email was from the Syrian Electronic Army. The email included a link that led to a page requesting the login details for the AP Twitter account. That the name in the ‘From’ field of the email didn’t match the name in the signature line was the only clue that the email was fake.
Once the attackers had the login details, the Syrian Electronic Army posted a single tweet, sending the financial market into chaos.”
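The AP case above turned on a single “tell”: the name in the email’s From field did not match the name in the signature line. The following is an added example, not code from the original page or from CNI, showing how a mail-filtering hook could flag that mismatch automatically. It goes one step beyond the text by also flagging senders whose address domain is not on an assumed allow-list of internal domains (the `INTERNAL_DOMAINS` set, the signature-closing words and the two sample messages are all constructed for this example).

```python
"""Heuristic checks for a phishing 'tell': From display name vs. signature name.

Added example, not the page's own code. INTERNAL_DOMAINS, the closing-word
list and the sample messages below are constructed assumptions.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed allow-list of domains that legitimate internal mail comes from.
INTERNAL_DOMAINS = {"example.com"}

# Common sign-off words; the line after one of these is treated as the signer.
CLOSINGS = ("regards", "kind regards", "thanks", "best", "cheers", "sincerely")


def from_display_name_and_domain(msg):
    """Return (display name, address domain) parsed from the From header."""
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip(), domain


def signature_name(body_text):
    """Return the line that follows a sign-off such as 'Regards,' or '' if none."""
    lines = [ln.strip() for ln in body_text.splitlines() if ln.strip()]
    for i, line in enumerate(lines[:-1]):
        if line.rstrip(",").lower() in CLOSINGS:
            return lines[i + 1]
    return ""


def _normalize(name):
    # Case- and punctuation-insensitive comparison of personal names.
    return " ".join(name.lower().replace(".", "").split())


def check_message(raw_message):
    """Return a list of human-readable findings; an empty list means no tell found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    display_name, domain = from_display_name_and_domain(msg)
    signer = signature_name(text)

    findings = []
    # The AP tell: the From display name and the signature name disagree.
    if display_name and signer and _normalize(display_name) != _normalize(signer):
        findings.append(f"From display name {display_name!r} does not match signature {signer!r}")
    # Extension: mail claiming to be internal should come from an internal domain.
    if domain and domain not in INTERNAL_DOMAINS:
        findings.append(f"sender domain {domain!r} is not an internal domain")
    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = (
    'From: "Alex Rivera" <alex.rivera@mail-relay.example.net>\n'
    "To: staff@example.com\n"
    "Subject: Please review\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\n"
    "Please log in at the link below to review the draft.\n"
    "\n"
    "Regards,\n"
    "Jordan Lee\n"
)

LEGITIMATE = (
    'From: "Jordan Lee" <jordan.lee@example.com>\n'
    "To: staff@example.com\n"
    "Subject: Draft ready\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\n"
    "The draft is in the shared folder.\n"
    "\n"
    "Regards,\n"
    "Jordan Lee\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, check_message(raw) or ["no findings"])
```

The heuristic is deliberately simple: it will miss mail with no sign-off and cannot judge whether a link is safe, so it belongs in a pipeline that routes flagged mail for a second look rather than one that auto-blocks. Its value is in surfacing the kind of small inconsistency the AP staff had to spot by eye.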
“When Nancy Butler got a call from someone claiming to be from her information technology service two years ago, she assumed it was a routine checkup by a legitimate staffer. So, as she had done many times during such calls, Butler asked the caller to confirm her account number and other information so ‘I could be sure they were who they said they were.’
‘After everything was confirmed I let them into the computer only to find that they immediately locked me out of my computer, accessed and stole from a bank account, credit card and several online accounts,’ says Butler, a business coach and motivational speaker based in Waterford, Connecticut. The thieves also demanded payment before they’d let her back into her computer — she didn’t pay, and she found an information technology company that could unlock it.”
Keep your head, and try to keep your emotions out of the process before giving any information to a website or caller. If it’s a caller you aren’t expecting, hang up and call back using the number on an official website. Click around to make sure websites aren’t fake, and don’t give out your password in response to unexpected emails, even if they seem legitimate. The main idea is that attacks are designed not to be noticed, so you’ll need to be vigilant to avoid them. If you aren’t expecting a call, don’t pick up. Caller IDs can be faked, and it’s important to note that most companies won’t call you out of the blue.
Here are some simple steps you can take to boost your defenses immediately.
- Invite users into the cybersecurity educational program with friendly messaging – the absence of IT jargon and the “arrogance of expertise.”
- Appeal to both personal and work-related cybersecurity needs. Helping users better secure their personal information assets will strengthen trust.
- Stop “shaming and blaming” users for mistakes – instead, recognize and reward all efforts by users to engage with IT around security issues.
- Share frequent communications with your employees that blend serious and humorous information on good practices, effective behaviors, and emerging threats. Offering games and prizes is a great way to keep folks thinking about cybersecurity.
- Phish your stakeholders at least monthly, but not as a “gotcha” program. Frame this activity as an exercise for getting and staying in shape so that we can beat the bad guys. Also, be sure to report back to the community on what the “tells” were and how your team is performing.
The goal of CNI is to find individuals within our clients’ organizations who are vulnerable to these attacks and help teach those individuals what dangers exist in the cyber-security space. This ultimately protects our clients, both short term and long term, from a data security standpoint.