Social Engineering Defined
Social engineering, in information security, is a tactic used by bad actors to coax individuals into exposing sensitive information. Social engineering is a type of cyber attack that relies less on technical exploits and more on its ability to get the better of users. These attacks take advantage of human vulnerabilities such as emotions, trust or habit in order to convince individuals to take action such as clicking a fraudulent link or visiting a malicious website. Though less sophisticated than other cyber attack strategies, social engineering can have severe consequences and is often the attacker's foot in the door for a major attack.
How Does Social Engineering Work?
Unlike a virus that depends on hacking techniques or malicious code to deliver its payload, social engineering depends on human psychology. Used well, it can be harnessed to gain access to data, systems and even buildings. For example, instead of spending months working on a new malware strain, criminals instead focus their attention on tricking employees to divulge their password over the phone by posing as an IT support technician. If they speak to the right person and say the right things, they could be on the network in moments.
Your network security is only ever as strong as its weakest link. The same applies to your workforce. Criminals use a number of different techniques to find the weakest link, techniques which focus on our fears, our likes and dislikes and our weaknesses.
Common Social Engineering Attack Techniques
The threat landscape is constantly changing, but at the time of writing some of the most common social engineering techniques include:
Phishing Attacks - This technique involves sending emails to a broad audience that either spoof a legitimate email address or contain what looks like legitimate company information in order to manipulate individuals to reveal passwords and other personal data.
Spear Phishing - Where phishing techniques target a large number of recipients in order to attract a bite, spear phishing focuses on a specific organization or individual. For example, attackers may spoof the CEO's email address and send an email to a member of the finance team authorizing a payment to be made to the attackers' offshore bank account.
Pretexting - Pretexting is possibly one of the most common forms of social engineering right now. This technique involves an attacker pretending to need personal information in order to confirm the identity of the person they have emailed or called. A common scenario involves a scammer pretending to be from the victim's bank and requesting personal information in order to continue the call.
Scareware - This social engineering technique focuses on our emotions, and more specifically, fear. This type of attack usually manifests itself as malicious software that tricks users into purchasing fake antivirus protection and other potentially dangerous software.
Access Tailgating - Exactly as the name suggests, access tailgating involves the passage of an unauthorized user, either accidental or forced, behind an authorized user into a building or secure area. This is one of the most widespread security threats affecting organizations today.
Psychological Manipulation - Attackers typically focus on four human emotions when executing an attack: fear, greed, obedience and helpfulness. Attacks may differ in their approach, but by harnessing these emotions in the right way, they know they can obtain the information they need swiftly and without detection.
The Trust Factor - There are certain people you can trust in life, such as friends, family and certain work colleagues. Attackers know this and will use this trust factor to manipulate you by sending malicious links or downloads from an email address that you trust.
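As an added defensive illustration of the spear phishing scenario above (a spoofed CEO address aimed at the finance team), and not code from the original page or from Forcepoint: a small Python header check that flags three signs of executive impersonation in an inbound message. The organisation domain, executive list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data for this example (assumptions, not from the page).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> genuine mailbox


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when an external domain imitates ORG_DOMAIN (typo-squat or embedded label)."""
    if domain == ORG_DOMAIN:
        return False
    return edit_distance(domain, ORG_DOMAIN) <= 1 or ORG_DOMAIN.split(".")[0] in domain


def check_executive_spoof(raw_message: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    norm_name = re.sub(r"\s+", " ", name).strip().lower()
    # 1. Executive display name paired with an address that is not the genuine mailbox.
    if norm_name in EXECUTIVES and addr != EXECUTIVES[norm_name]:
        findings.append(f"display name '{name}' is an executive but sender is {addr}")
    # 2. Sender domain that visually imitates the organisation's own domain.
    if domain and is_lookalike(domain):
        findings.append(f"sender domain {domain} imitates {ORG_DOMAIN}")
    # 3. Replies silently redirected to a different mailbox than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")
    return findings


# Constructed sample messages (not real mail): one genuine, one impersonating the CEO.
LEGIT = "From: Jane Doe <jane.doe@example.com>\nTo: accounts@example.com\nSubject: Q3 budget\n\nSee attached.\n"
SPOOFED = ("From: Jane Doe <jane.doe@examp1e.com>\nReply-To: ceo.office@examp1e.com\n"
           "To: accounts@example.com\nSubject: Urgent payment\n\nPlease wire the invoice today.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, check_executive_spoof(raw))
```

A check like this belongs at the mail gateway or in a mailbox rule that tags the message, so the finance team sees the warning before acting on the payment request.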
How to Protect Against Social Engineering Attacks
Every organization has a human element, and humans by their very nature are curious, prone to making snap decisions and often led by their emotions. For this reason, it is essential that you develop a social engineering toolkit to help tighten your security against social engineering attacks that prey on human vulnerabilities.
Here are some of the ways you can do this:
Education - Good security policies and guidelines across your organization should make staff aware of the risks and vigilant against social engineering techniques.
Penetration Testing - Once your policies are in place, it's time to test them. Sending a malicious email under test conditions to a group of users or observing how employees access a building can give you a good idea as to whether policies are being adhered to.
Multifactor Authentication - Enhancing how your users access systems and data can help to avoid social engineering attacks. Combining passwords with biometrics, for example, is one way that multifactor authentication can beat the criminals at their own game.
Updating Antivirus and Anti-Malware Software - Prevention is always better than a cure. Solid antivirus and anti-malware protection will prevent malicious links and downloads from reaching users' mailboxes in the first place.
To err is human, and while awareness across your organization can help to protect against social engineering attacks, it is often the protection at the software and hardware level that keeps attacks away from your door. Forcepoint offers a range of products designed to detect phishing attempts, malicious links and downloads and many other manipulative techniques designed to compromise your systems and data. Speak to our team today to find out how to protect your organization from the latest social engineering exploits.