Social engineering in its former meaning was related to social planning and determining ways to produce planned changes to society by helping people make positive changes in behavior.
Unfortunately, with the progress of technology, social engineering has taken on a vastly different meaning. Social engineering now has come to refer to the use of a variety of malicious activities accomplished through human contact. It involves the subtle psychological manipulation of computer users getting them to give away sensitive information or breach security protocols.
Social engineering can happen in numerous ways. The criminal first investigates the intended employee to learn detailed background information. This could include possible security weaknesses that would help the attacker gain access. After acquiring the necessary information, the attacker moves on to gain the victim’s trust, which can lead the victim to break security practices. Social engineering can be particularly dangerous because it relies on human error rather than software problems or actual security issues in an operating system. Mistakes made by legitimate human users are not always predictable, making them harder to identify and block than malware-based intrusions. Social engineering attacks usually have one of two (or both) goals:
- Disruption: Interruption or corrupting of business data, causing inconvenience or loss.
- Theft: Stealing of money, goods, or information.
Techniques Used in Social Engineering
Social engineering attacks come in many different forms and can occur any time humans are involved. Some of the most common forms of digital assault are:
Scareware
Users are inundated with false security alarms or fictitious threats, causing them to think their system is infected with a virus or malware. They are then encouraged to install software that is malware itself.
One common example is the genuine-looking popup banners that appear in your browser while surfing the web, notifying you that “your computer is infected, click here to fix.” You are then offered a tool to fix the problem, or you are directed to a site that actually installs a virus. Scareware is also spread through spam email, so all staff members must be cautious before clicking URLs contained in a suspicious e-mail or downloading documents.
Baiting
Baiting attacks, as the name suggests, use a fake promise to exploit a victim’s curiosity or greed. Users are lured into a trap that steals their personal or company information or infects their systems with malware. One particularly bad form of baiting involves the use of physical media to disperse malware. An attacker leaves the bait, often a malware-infected flash drive, in a common area where potential targets are certain to see it (e.g., breakrooms, elevators, bathrooms, parking lot, etc.). The bait looks authentic, such as a label indicating that it holds company information.
An employee picks up the bait out of curiosity and inserts it into a work or home computer which results in the instant installation of the malware on the system. Baiting scams do not always use physical means. Online baiting consists of enticing ads that lead to malicious sites or ads encouraging users to download a harmless-looking but malware-infected application.
Pretexting
In pretexting, an attacker gains information through a series of lies, cleverly crafted and specific to the victim. The criminal starts by establishing trust by impersonating the police, a bank, government officials, co-workers, or other persons who have right-to-know authority. The pretexter asks questions that are supposedly required to confirm the victim’s identity, through which they gather important personal data.
All sorts of pertinent information and records are gathered using this scam, such as social security numbers, personal addresses, phone numbers, phone records, staff vacation dates, bank records, and other private details. It all sounds legitimate when the victim thinks the pretexter has authority. Think like a spy! WHO are they really? WHY do they need this information and SHOULD they have this information?
Phishing
Phishing is one of the most used social engineering attack types. We have all seen phishing scams that use email and text messages to create a sense of fear, urgency, or curiosity. Victims are then encouraged to click on links to malicious websites, open attachments that contain malware, or reveal sensitive information. A common example is an email sent to the users of an online service, alerting them of a policy violation requiring immediate action on their part, such as a required password change. Always included is a link to a bogus website, which appears nearly identical to its legitimate version. Thus the unsuspecting user is prompted to enter their current credentials and new password. This sends the user’s information to the hacker. Since these messages are often nearly identical in wording, good security on mail servers can often block these attacks. However, humans can often override security protocols.
One simple check on most email systems is to move the cursor over the sender’s name, without clicking. The TRUE address will appear. Look for a name that corresponds to the sender’s. Extensions should end in .com, .net, .gov. Extensions ending in .ru, .uk, .edu or other should be carefully checked before opening or complying with a request.
Prevention of Social Engineering Attacks
Social engineers work on human feelings, such as fear or curiosity, to carry out their schemes and trap their victims. Therefore, workers should be cautious whenever they feel alarmed by an email, think an offer is “too good to be true”, or find stray digital media lying about. Being alert is the best way to protect against most social engineering attacks.
Here are some key tips to remember and to encourage employees to use to avoid trouble:
- Ensure that antivirus/antimalware software is current – Set software to automatically update or schedule updates on a recurring basis. Check periodically to verify that the updates have been applied, and routinely scan your system for possible infections.
- Use multifactor authentication (MFA) – One of the most valuable items of information that digital hackers look for is user credentials. The use of multifactor authentication helps ensure the protection of a user’s account in the event of an attempted hack.
- Be especially wary of tempting offers – If an offer sounds “too good”, think again before accepting it as fact.
- Avoid emails and attachments from unknown sources – It is not necessary to answer an email if you don’t know the sender. Even if the sender seems familiar but you are suspicious about their message, verify the information via a phone call or by checking through your browser. DO NOT click on a link in the email. Email addresses are spoofed all of the time. Look for blatant spelling or grammar errors, and place the cursor over the sender’s address to display their real email address.
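The hover check from the phishing section and the “display their real email address” tip above, automated over a raw From header, as an added example that is not part of the original article: it separates the display name from the real address, flags a display name that pretends to be an address elsewhere, and flags lookalikes of a known-sender list. The KNOWN_DOMAINS set and the sample headers are assumptions constructed for illustration.

```python
"""Inspect a From header the way hovering over the sender name does."""
from difflib import SequenceMatcher
from email.utils import parseaddr
import re

# Assumption: domains this organisation treats as known senders (constructed).
KNOWN_DOMAINS = {"example-bank.com"}

# Anything that looks like an email address embedded in the display name.
_ADDR_LIKE = re.compile(r"[\w.+-]+@[\w.-]+")


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def inspect_sender(from_header: str) -> dict:
    """Parse a From header and list the red flags a hovering check reveals."""
    display_name, address = parseaddr(from_header)
    domain = sender_domain(address)
    flags = []
    if not domain:
        flags.append("no parseable sender address")
        return {"address": address, "domain": domain, "flags": flags}
    # Red flag 1: the display name is itself an address at a different domain,
    # so the name you see does not match the TRUE address that appears on hover.
    for claimed in _ADDR_LIKE.findall(display_name):
        if sender_domain(claimed) != domain:
            flags.append(f"display name shows {claimed}, real address is {address}")
    # Red flag 2: the real domain is not one we normally receive mail from.
    if domain not in KNOWN_DOMAINS:
        flags.append(f"unknown sender domain {domain}")
        # Red flag 3: ...and it closely resembles a known domain (lookalike).
        for known in KNOWN_DOMAINS:
            if SequenceMatcher(None, domain, known).ratio() >= 0.85:
                flags.append(f"{domain} looks like {known}")
    return {"address": address, "domain": domain, "flags": flags}


if __name__ == "__main__":
    # Constructed sample headers: one genuine, one spoofed display name.
    for header in ("Example Bank <security@example-bank.com>",
                   '"security@example-bank.com" <alerts@examp1e-bank.com>'):
        print(header, "->", inspect_sender(header)["flags"])
```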
Make sure all of your employees and staff understand the importance of data security and the ease with which company information could be compromised. It isn’t up to just the IT professionals. Everyone must be diligent at all times. Cybercriminals are improving their social engineering skills every day!
Call a 10X Consulting Group team member at 704-931-1056 or visit us online at https://10xcg.com/ and let us help you examine your IT security platforms and employee procedures to ensure your company is protected against social engineering vulnerabilities.