What is Social Engineering
Social engineering is a form of attack that exploits people rather than technology: the attacker uses manipulative tactics to trick victims into doing something that furthers the attack. People in the workforce are inherently trusting, and attackers use this to their advantage. Social engineering takes many forms, such as phishing, baiting, tailgating, quid pro quo, and more.
The first step malicious actors take is to investigate the target, which is also referred to as the reconnaissance phase. They gather information about the organization: employees, email addresses, phone numbers, social media accounts, third-party vendors, etc. Malicious actors then use this information to decide which social engineering attack to launch.
Social Engineering Attacks
Phishing – An attacker sends the victim an email disguised as legitimate communication to trick them into clicking a link. The link either takes the victim to a site that asks for login or personal information, or it downloads malware.
Baiting – This attack involves leaving a physical device such as a USB stick containing malware in a location where it could be found by the target or someone with access to the target.
Tailgating – Also known as “piggybacking”, tailgating is when an attacker follows an authorized party into a secured area. An authorized party will often just hold the door open for the attacker under the assumption that they also are allowed in the secure area.
Quid Pro Quo – This term translates to “a favor for a favor” and involves an attacker posing as someone who is exchanging a favor with the victim. This attack is best explained with an example: an attacker pretends to be someone from the IT department and calls the victim to walk them through the steps to update their system or install required software. The attacker appears to be helping the victim, when in reality they are using the victim to gain access to the network by obtaining credentials or remote access.
Prevention
Avoid clicking on links sent via email or other forms of communication if they come from an unknown source. Always double-check the sender's email address, and be aware that attackers can spoof a legitimate email address, so confirm by contacting the sender through a channel you already know to be genuine.
Provide training to your employees on cybersecurity awareness and on the different social engineering attacks they might face. Employees need to know what these attacks look like in order to recognize and prevent them.
Keep software up to date on all devices, as updates usually include security patches. When a vulnerability is known and your systems are not patched against it, attackers will exploit it to gain access.
Always verify the identities of individuals you do not know to ensure they are who they say they are. Be wary of calls claiming to be from IT, any other department, or third-party vendors, and of anyone claiming to need a favor from you or offering to help you.
Keep anti-malware up to date so that the most recent version is running on your systems. Anti-malware vendors release updates both to patch vulnerabilities in their own products and to add detection for new attack vectors.
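The "double-check the sender's email address" advice above can be partly automated. The following is an added example, not code from the original article: it applies three simple header checks to a constructed sample message (a display name that shows one address while the real From address is another, a Reply-To pointing to a different domain, and a From domain that imitates a trusted one). The trusted domain example.com and the sample addresses are assumptions for illustration.

```python
import email
import re
import unicodedata
from email.utils import parseaddr

# Assumed: the organisation's own domain(s); a real deployment would load these from config.
TRUSTED_DOMAINS = {"example.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain: str, trusted: str) -> bool:
    """True when `domain` imitates `trusted` without being identical to it."""
    if domain == trusted:
        return False
    # Strip accents (exámple -> example) and swap common digit-for-letter substitutions.
    ascii_form = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    folded = ascii_form.translate(HOMOGLYPHS)
    # Also catch the trusted name used as a subdomain elsewhere (example.com.login.test).
    return folded == trusted or folded.startswith(trusted + ".")


def check_sender(raw_message: str) -> list[str]:
    """Return warnings for the sender headers; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    warnings = []
    # 1. The display name shows one address while the real From address is another.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", from_name)
    if embedded and domain_of(embedded.group()) != from_dom:
        warnings.append("display name shows a different address than From")
    # 2. Replies are routed to a domain other than the one the mail claims to come from.
    if reply_addr and domain_of(reply_addr) != from_dom:
        warnings.append("Reply-To domain differs from From domain")
    # 3. The From domain imitates a domain the organisation trusts.
    for trusted in TRUSTED_DOMAINS:
        if is_lookalike(from_dom, trusted):
            warnings.append(f"From domain {from_dom} resembles trusted domain {trusted}")
    return warnings


# Constructed sample header block, not a real message.
SAMPLE = (
    'From: "helpdesk@example.com" <support@examp1e.com>\r\n'
    "Reply-To: recovery@mail-reset.test\r\n"
    "Subject: Your password expires today\r\n\r\nPlease sign in using the link below.\r\n"
)
```

Running `check_sender(SAMPLE)` returns all three warnings; these checks are a first filter only and do not replace confirming with the sender through a known channel.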
Don’t Be Fooled
Social engineering is meant to trick, fool, and manipulate individuals into doing what an attacker wants without much resistance. It is vital for companies to invest in cybersecurity training, as employees are vulnerable to these types of attacks. If an employee is not informed about what to look out for, the attacker will use that to gain access and compromise the network. DON'T BE FOOLED!!!