Social engineering refers to the psychological manipulation of unsuspecting users or employees into leaking otherwise private and confidential information.

This can be done in many ways, but it is often done through an ordinary communication channel (email, phone call, etc.) where the attacker invokes urgency, fear or similar emotions in the victim, or casually asks for small pieces of personal information that together reveal something sensitive. These attacks are hard to identify and are a challenge for organizations to deal with.

Common attacks

Phishing

Phishing is the most common type of social engineering. It uses fake emails, websites and phone calls that:

  1. obtain personal information, such as names, addresses, PINs, account numbers, etc.
  2. use uncanny or misleading links and information to trick users into believing the scam
  3. exploit emotions such as fear and urgency so users feel forced to respond quickly without thinking.

Spear phishing

Similar to phishing, but aimed at a specific individual or group. This type of phishing uses pre-existing knowledge of the target to make the message seem more believable, which makes it more dangerous.

Baiting

As the name suggests, baiting refers to enticing a user to hand over sensitive information in exchange for something the user wants. The bait can be fake, or it can be malware that goes on to steal personal information.

Quid pro quo

Similar to baiting, but the attacker poses as someone who is helping the user, such as an IT assistant or a technician, in exchange for access to personal information.

Pretexting

Pretexting is the human equivalent of phishing: the attacker poses as someone the victim trusts in order to gain access to private information.

Tailgating/piggybacking

Tailgating, also known as piggybacking, refers to an attacker gaining access to a restricted space by following someone in. This can be quite literal: the attacker may ask someone to open a locked door in an enterprise because they ‘forgot their ID card inside’.

Preventing social engineering attacks

Proper education and training

As there is a human element (the user or employee must be tricked), the most effective method is to properly educate and train users and employees to recognize suspicious requests and unfamiliar contacts.

Policies and procedures

Strong organizational policies and procedures help employees respond appropriately to suspicious requests, covering verification protocols, information handling, approval workflows and physical security practices.

Email software and filtering

Proper software and protections reduce the number of these attacks that reach users. For example, spam filtering reduces the number of phishing emails and links that land in inboxes.

Secure computing devices and software updates

Maintaining updated and secure systems across all devices is fundamental. Outdated software is a key target for cybercriminals, and anti-virus tools alone are insufficient without regular updates.

Individuals (users & employees)

  1. Think first - scammers don’t want you to think. If a message is urgent, it may well be a phishing message.
  2. Check the facts - don’t trust random information online. Do your own research and verify claims.
  3. Don’t trust links - typos in links, a wrong domain, etc.; many things can be hidden in a link. Verify the link and make sure it takes you to the right place.
  4. Just because it’s from a friend doesn’t mean it’s safe - attackers can impersonate your friends. Verify links, files and everything else even if they come from a friend.
  5. Don’t download random files.
  6. Foreign offers - messages saying you have won something from another country, etc. are always fake.
  7. Never share personal or financial info - no real company will ever ask for your credentials or financial information through email.
  8. Ignore random offers or requests for help.
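As an added example (not part of the original notes), the following Python checker applies the link checks from item 3 above: it flags a visible domain that differs from the real destination, a user@host trick, a punycode host, and a host that is one or two typos away from a trusted domain. TRUSTED_DOMAINS and the sample links are constructed for illustration; the "last two labels" rule is a deliberate simplification of registrable-domain parsing.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the domains this reader legitimately expects to see.
TRUSTED_DOMAINS = {"example.com", "bank.example"}
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude 'last two labels' stand-in for the registrable domain (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(display_text: str, href: str) -> list[str]:
    """Return the reasons a link looks suspicious; an empty list means no finding."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return ["not a plain web URL: " + href]
    # user@host trick: the browser ignores everything before the '@'.
    if parts.username is not None:
        findings.append("'@' in URL, real host is " + host)
    # Punycode labels can render as look-alike (homoglyph) characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host " + host)
    # "Wrong domain": the visible text names one site, the href another.
    shown = DOMAIN_RE.fullmatch(display_text.strip())
    if shown and registrable(shown.group(1)) != registrable(host):
        findings.append(f"text shows {shown.group(1)} but link goes to {host}")
    # "Typos in links": close to, but not equal to, a trusted domain.
    reg = registrable(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(reg, trusted) <= 2:
                findings.append(f"{reg} is one typo away from {trusted}")
    return findings
```

A clean link such as check_link("https://login.bank.example/reset", "https://login.bank.example/reset") returns no findings, while "http://exarnple.com/login" is reported as a typo of example.com.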

Proactive vs reactive

Organizations should be both proactive and reactive in dealing with threats.

  • Proactive - being ready for an attack
  • Reactive - responding to an attack

Proactive

  • Proper education
  • Knowing the risks
  • Staying safe online
  • Monitoring and reporting of threats
  • Regular updates and training

Reactive

  • Monitoring and noticing threats
  • Stopping the threat
  • Saving evidence of threat
  • Fixing up potential consequences

Security awareness (proactive)            | Incident response (reactive)
------------------------------------------|-----------------------------------------------
Stops attacks before they happen          | Responds to an attack
Focuses on education to prevent attacks   | Focuses on how to act against a threat
Habits for safer behaviour                | Fast, smart behaviour in response to a threat