The internet is a wonderful tool that helps us communicate with people all across the globe. Our constant connection makes information available to anyone with internet access, whether through their mobile devices or computers, and learning has never been easier or more accessible than it is today. However, there are drawbacks to the widespread use of the internet as a means of social connection and communication. Our personal information is now more vulnerable and easily accessible than ever.
Unfortunately, there is no shortage of groups and individuals who exploit this exposure for their own gain, contacting individuals and members of organizations directly to extract and misuse that information. This practice is known as social engineering.
What is Social Engineering?
Social engineering is a broad term for the manipulation tactics used to obtain sensitive information, or access, from an individual or organization without authorization. Rather than attacking software, it attacks the person: it exploits trust, curiosity, urgency, and the natural wish to be helpful so that the victim hands over data or takes an action on the attacker’s behalf.
Sensitive information may include personal identifiers such as full name, address, date of birth, Social Security number, and login credentials, as well as financial information such as credit card numbers or bank account details.
The same or similar tactics that malicious actors use against individuals also work against groups of any size. Even the largest and most reputable companies, including financial institutions, have fallen victim to social engineering attacks. In attacks on organizations, attackers are typically after passwords, confidential files, and access to customer records such as contact details and saved payment methods.
There are several popular methods of social engineering that thousands of people fall prey to every day. Let’s brush up on a few of the most common forms of social engineering:
Phishing
Phishing is a common type of social engineering. It uses fraudulent emails, text messages, and direct messages on social networks to trick recipients into revealing sensitive information or taking an action, such as opening an attachment, that compromises their device.
Messages typically claim to come from a company or person you know in order to gain your trust before directing you to click a link or open an attachment. In some cases the attacker simply asks for the information outright, such as payment details or login usernames and passwords. The Federal Trade Commission (FTC) has documented many cases in which attackers sought Social Security numbers and similar identifiers this way. Sometimes they ask you to install remote-access software that lets them see and control your screen.
Most phishing is indiscriminate: the same message goes to as many recipients as possible in the hope that a few will respond. A few variants, however, target specific individuals.
- Spear Phishing – Spear phishing targets specific individuals or groups within an organization. It uses email, social media, instant messaging, and other channels to persuade the target to expose personal information or take actions that compromise networks, cause data loss, or result in financial loss. Where traditional phishing sends mass emails to random people, spear phishing focuses on chosen targets and requires the attacker to research them first, which makes the lure far more convincing.
- Whaling – Whaling is spear phishing aimed at an organization’s leaders, such as the CEO, VP, CFO, and other high-profile targets, who are considered the “big fish” of the organization.
Vishing and Smishing
Vishing (voice phishing) is similar to phishing, except that the malicious actor uses phone calls or recorded voice messages to deceive people into handing over sensitive information like passwords and credit card numbers.
Callers commonly threaten or frighten the victim into revealing personal information or sending money, and the number shown on caller ID offers no protection because it can be spoofed. Vishing schemes often target the elderly, although anyone without proper training may be a victim.
Smishing (SMS phishing) is similar to, and employs the same methods as, email phishing and vishing, except that it arrives by SMS/text message.
False Advertising
Another method of social engineering you may be aware of is false advertising. Its name says it all: an ad placed on a website or sent straight to your inbox promises a high-value service or a desirable product at an unbelievably low price. Sometimes the ad even states that you have won money or luxury items, and all you have to do is visit a website and enter your information.
Not only will you not receive the promised goods (as you may have figured out, they never existed), your data is now in the hands of an unknown malicious party that intends to use or sell it illegally.
Pretexting
Pretexting can be combined with other types of social engineering to further manipulate the victim into exposing personal information, and it is often a component of phishing. It involves the attacker posing as someone else, real or imaginary, within a manufactured scenario in which the target must provide sensitive information to resolve a problem or help someone.
In some instances, the attacker may impersonate a company representative and request payment details from the target to settle a fraudulent bill.
In other cases, attackers pose as a friendly individual in trouble who is asking for financial help. They may ask you to send money via a “secure” link they have provided, a third-party money transfer app, or a wire transfer.
Tailgating and Piggybacking
Tailgating is the practice of following an authorized user into a restricted area without that person noticing. A bad actor can slip in behind someone by catching the door before it closes or by propping it open with an object.
Piggybacking is a lot like tailgating. The critical difference is that in a piggybacking scenario the authorized user is aware of the other person and knowingly lets them use their access. Someone lugging a package, or a “contractor” carrying a ladder, may prompt a friendly employee to hold a security door open. Once inside, an attacker can plant a device on the network for remote access.
Baiting
Baiting entices the victim by putting something appealing in front of them. A hostile actor may leave USB drives on the ground near the target company or hand them out at a conference. When a curious user plugs the drive into their computer, what looks like a folder of images or a Word document is actually an executable that installs remote-access malware.
Quid Pro Quo
Quid pro quo (Latin for “something for something”) is a social engineering approach in which the attacker offers a service in return for information. A hostile actor may call around the company claiming to be from the IT department, or spoof the help desk’s number, until they reach someone who happens to have a technical problem. While ostensibly troubleshooting that person’s computer, the attacker asks for their password.
How Do I Protect Myself from a Social Engineering Attack?
The good news is that there are several ways to protect yourself, and you have already taken the first step: arming yourself with knowledge is the first defense against would-be attackers. Other straightforward protective measures are as follows:
- Perform regular social engineering penetration tests.
Penetration testing helps you find and fix gaps in your defenses before a real attacker does. It is a dress rehearsal for a cyber-attack, so you can shore up your defenses before you genuinely need them. Routine social engineering assessments also train employees to recognize and report real attacks.
- Don’t click links or open attachments from untrustworthy sources.
If you do not know the sender, do not click any links or open any attachments in the message. Links often lead to spoofed websites that harvest credentials or install malware on your device. A compromised device can then serve as a foothold into your network, letting attackers reach other connected systems and steal information from multiple users at once.
- Double-check the contents of emails, texts, and DMs.
If you open a suspicious-looking message, inspect the sender’s actual email address, not just the display name. Attackers often add or drop a letter in the domain when posing as a person or company, and that is easy to miss if you skim. Check the subject line and body for inconsistencies in spelling and grammar and for holes in the story, and hover over links to confirm that the visible text matches the real destination.
- Don’t offer any personal information.
This one may seem obvious, but even answering seemingly innocent questions from a suspicious source can leave your contacts or coworkers exposed, because the fraudster can use what you reveal to gain the trust of the next intended victim.
- Always verify credentials.
If you have any doubt about the identity of the person contacting you for information, verify it by reaching the person or company directly using contact details published on their official website or search engine listing, never a number or link supplied in the suspicious message itself. If the official details do not match those in the message, the sender is not who they claim to be.
- Install antivirus software.
Hundreds of millions of malware samples are in circulation (one estimate puts the figure above 970 million), so the chance of encountering one is high. Antivirus software limits the damage from a successful lure by detecting and removing malware intended to steal your data. It is no defense, however, against phishing that simply asks for your password: no malware is involved, so no antivirus will catch it.
- Don’t fall for false advertising.
If something seems too good to be true, it probably is! Be especially vigilant on public forums and marketplace sites where anyone can create listings, as these are popular places for offenders to set their traps.
- When in doubt, play it safe.
If a message looks suspicious, play it safe. Opening an attachment or following a link is often enough to give attackers a foothold on your device, and in rare cases merely opening the message is. If you think a message could be fraudulent, report it to your IT or security team and do not interact with it.
- Ensure you have the right policies and procedures.
If employees or coworkers suspect they have received a phishing email, or do not recognize someone in their workspace, they need to know whom to contact and how to report the suspicious email or person. Having the proper policies and procedures ensures that you and your staff know how to respond to an attack.
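The sender and link checks in the items above can be partly automated as a first pass before a human looks at a reported message. The Python below is an added example written for this page, not code from Artifice Security or from any product, and it makes three assumptions for illustration: a short allow-list of trusted domains (TRUSTED_DOMAINS) and two constructed sample messages (PHISH and CLEAN). It flags a sender domain that is one letter away from a trusted domain or that buries a trusted brand name inside a foreign domain, a display name that invokes a trusted brand while the real address does not belong to it, and a link whose visible text names a different host than its href.

```python
"""Added example: heuristic phishing triage over a raw email; all domains/messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("example.com", "examplebank.com")  # assumption: your organization's known senders

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: 1 means a single letter was added, dropped or changed.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trusted(domain: str) -> bool:
    d = domain.lower()
    return d in TRUSTED_DOMAINS or any(d.endswith("." + t) for t in TRUSTED_DOMAINS)

def lookalike_domain(domain: str):
    """Trusted domain imitated by a one-letter edit (exampleebank.com) or by burying the brand
    label in a foreign domain (examplebank-secure.example.net); None for trusted domains,
    their real subdomains (mail.example.com) and unrelated domains."""
    d = domain.lower()
    if is_trusted(d):
        return None
    hits = [(edit_distance(d, t), t) for t in TRUSTED_DOMAINS
            if edit_distance(d, t) <= 1 or t.split(".")[0] in d]
    return min(hits)[1] if hits else None  # closest trusted domain wins

def check_sender(from_header: str) -> list:
    """Flag a From: header whose real domain or display name is deceptive."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return ["From header has no usable address"]
    findings = []
    imitated = lookalike_domain(domain)
    if imitated:
        findings.append(f"sender domain {domain} resembles trusted {imitated}")
    claimed = re.sub(r"[^a-z0-9]", "", display.lower())  # "Example Bank Security" -> "examplebanksecurity"
    brands = [t for t in TRUSTED_DOMAINS if t.split(".")[0] in claimed]
    if brands and not is_trusted(domain):
        findings.append(f"display name invokes {max(brands, key=len)} but address is {domain}")
    return findings

class _Anchors(HTMLParser):
    # Collect (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html: str) -> list:
    """Flag links whose visible text names one host while the href goes to another."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = (urlparse(href).hostname or "").lower()
        looks_like_url = "://" in text or re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I)
        text_host = (urlparse(text if "://" in text else "https://" + text).hostname or "").lower()
        if looks_like_url and text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        elif lookalike_domain(href_host):
            findings.append(f"link target {href_host} resembles trusted {lookalike_domain(href_host)}")
    return findings

def analyze_message(raw: str) -> list:
    """Parse a raw RFC 822 message, run every check, and return the findings."""
    msg = message_from_string(raw)
    html = ""
    for part in msg.walk():  # first text/html part, decoded with its declared charset
        if part.get_content_type() == "text/html":
            html = (part.get_payload(decode=True) or b"").decode(part.get_content_charset() or "utf-8", "replace")
            break
    return check_sender(msg.get("From", "")) + check_links(html)

# Constructed samples, not real mail: the lure described above, then a benign internal notice.
PHISH = """\
From: Example Bank Security <alerts@exampleebank.com>
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<p>Verify your identity at <a href="https://examplebank-secure.example.net/login">www.examplebank.com/login</a> within 24 hours.</p>
"""
CLEAN = """\
From: IT Help Desk <helpdesk@example.com>
Subject: Scheduled maintenance
Content-Type: text/html; charset="utf-8"

<p>Details are on <a href="https://intranet.example.com/status">the status page</a>.</p>
"""
```

Calling analyze_message(PHISH) returns three findings (lookalike sender domain, brand-invoking display name, link text that disagrees with its target); analyze_message(CLEAN) returns none. These are triage heuristics, not verdicts: an attacker can use an unrelated domain with no brand name in it, and legitimate senders sometimes mail from third-party domains, so findings should route a message to a human reviewer rather than delete it.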
Where Do I Go from Here?
As technology advances, social engineering methods evolve with it. Staying current on cybersecurity information is vital so you are not left exposed to those with criminal intent. Keep updating your security controls and awareness training, and test your defenses often.
Want more information about social engineering and penetration testing? Visit our “Ultimate Guide to Penetration Testing” page.
If you want a top-rated penetration testing company to perform social engineering, contact us to get started. Artifice Security utilizes a combination of human and technological approaches to simulate social engineering attacks against your organization. We can provide advanced phishing simulations for electronic social engineering, physical social engineering to test your onsite personnel, or a combination of both. Artifice Security tailors each assessment to your organization, customers, and employees.