Social Engineering [NOUN] – in the context of information security, it is the use of deception to manipulate people into divulging confidential or personal information that could be used for fraudulent purposes.
“Today, social engineering is one of the greatest security threats facing organizations" ¹. When successful, attackers gain legitimate access to information, making it hard to spot (or stop) before it’s too late. It is a non-technical strategy that relies on human interaction to ambush people.
Social engineering is effective and hard to detect. Investing in hardware and software solutions can help you protect your business but won’t be enough. Due to the deceptive nature of these tactics, it is important to gain understanding of the different strategies used, and how to recognize them.
The concept of social engineering has been around for centuries. Greek mythology introduced this idea during the Trojan War, where the Greeks won by secretly building a hollow horse and filling it with soldiers. The Trojans interpreted the horse as a gift, thus bringing it through the gates of the city of Troy. Later, while the city was asleep, the Greek soldiers crept out of the horse and destroyed Troy, ending the war.
The "Trojan Horse" (or just "Trojan") is a common tactic cybercriminals use: they develop a virus or malware that masks its malicious intent by making its appearance look harmless and normal. An example of a trojan is a pop-up that says your Adobe Reader is outdated and you must install the software to update. If you install the software, the trojan will attack your system and steal your personal information. Trojan horses are only one of countless social engineering attacks that involve information technology.
Another common social engineering attack cybercriminals are well-versed in is the "phishing" email. While trojans are traditionally virus-based, phishing is email-based. Phishing can be thought of as an email-based Trojan horse: the email deceives you by appearing credible, but it is malicious and attempts to harvest your sensitive information. Hackers are very clever these days with their approaches and tend to pose as the people you trust most, such as your CEO, accountant, or even your best friend. It is important to note that any system that uses the internet (PC, Mac, smartphone, tablet) is prone to catching malware. For that reason, it is important for you and your company to have professionals, like Techmedics, secure and protect your systems from cybercriminals that may steal millions of dollars.
Types of Social Engineering Strategies
Let's dive right into commonly used social engineering tactics to look out for.
If you would like to get a better understanding of phishing emails, you can learn more here.
Baiting
By context, it should be clear what baiting is. It’s dangling something so that a potential victim will act. It can happen anywhere. For example: leading people to a link disguised as a newsletter that instead takes you to a malicious site. Always be cautious when clicking links on social media, P2P sites, or anywhere else.
Phishing
Phishing emails can sometimes get past spam filters because they usually use plain text. Senders may disguise themselves as coming from a reputable source, like Microsoft Support, IT administrators, banks, or social sites like LinkedIn. It’s best to look for signs of fraud within the email client. Check for things like the sender’s email address, unexpected messages with attachments, the “to” and “from” addresses, and other details.
Pretexting
Pretexting occurs when an invented scenario and previously acquired information are used to “lure” the potential victim into handing over more. This includes information like social security numbers, bank account numbers, passwords, etc. People are inclined to share their information because they feel reassured that the source is legitimate. Pretexting is harder to recognize, and protection depends on the medium used by the “bad actor”. See our tips below for best practice against this type of attack.
Quid Pro Quo
This can occur when an attacker requests private information from someone in exchange for something else, like login credentials for a “free gift”. The gift often ends up being some variation of malware. If it sounds too good to be true, it probably is!
Spear Phishing
As the name indicates, spear phishing is an extremely targeted form of phishing, usually focusing on one individual or business department. The attackers have done their research and most likely already know some information about the potential victim. These emails work: people open 3% of their spam and 70% of spear-phishing attempts.
Tailgating
Tailgating occurs when a person without proper authorization follows or persuades an employee to let them into a restricted area of the company. A common example of tailgating is when a person impersonates a delivery driver and strikes up a conversation with an employee to gain access inside the company. You must strictly adhere to business processes to prevent tailgating.
Rogue Security Software
Rogue security software tricks users into thinking they have a virus or malware on their computer, and then prompts a download of fake software to “remove” the malware. This instead installs a virus or malware, thus giving access to the perpetrator.
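The phishing signs listed above (a sender address that does not match the claimed source, a different reply address, unexpected attachments, pressure wording) can be checked mechanically before a message reaches a person. The script below is an added example written for this post, not Techmedics code; the sample email, the `KNOWN_BRAND_DOMAINS` allow-list and the `RISKY_EXTENSIONS` set are constructed assumptions to be replaced with your own environment's values.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List
import re

# Constructed sample message for this example (not a real email). It carries
# the warning signs the post describes: a brand in the display name, a sender
# domain unrelated to that brand, a Reply-To elsewhere, and a macro attachment.
SAMPLE_EMAIL = """From: "Microsoft Support" <helpdesk@ms-support-login.example>
Reply-To: collect@another-domain.example
To: employee@corp.example
Subject: Action required: your mailbox is over quota
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached form to keep your mailbox active.

--b1
Content-Type: application/octet-stream; name="form.docm"
Content-Disposition: attachment; filename="form.docm"

ZmFrZQ==
--b1--
"""

# Assumption: the domains your organization legitimately receives mail from
# for each brand name that appears in display names. Adjust per environment.
KNOWN_BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "linkedin": {"linkedin.com"},
}

# Attachment types that can run code or carry macros; extend to taste.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".hta", ".iso", ".lnk"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw: str) -> List[str]:
    """Parse a raw RFC 822 message and return human-readable warning flags."""
    msg = message_from_string(raw)
    flags: List[str] = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name claims a brand whose known domains do not match the sender.
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain not in domains:
            flags.append(f"display name mentions {brand!r} but sender domain is {from_domain!r}")

    # 2. Replies would go to a different domain than the one the mail came from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"Reply-To domain {domain_of(reply_addr)!r} differs from From domain {from_domain!r}")

    # 3. Attachments whose extension can execute code or contains macros.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and any(filename.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {filename}")

    # 4. Urgency wording in the subject, a common pressure tactic.
    subject = msg.get("Subject", "")
    if re.search(r"\b(action required|urgent|immediately|suspended|verify)\b", subject, re.I):
        flags.append(f"urgency language in subject: {subject!r}")

    return flags


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", flag)
```

Each check is a heuristic, so the output is a list of reasons to look twice rather than a verdict; a mail gateway would typically score these flags and quarantine or tag the message, and a training program can show users the same flags so they learn to spot them by eye.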
3 Tips to Protect Your Business
1. Layered Security and Backup
This is a loaded topic. Though we would like to cover every aspect of a layered security approach, we’ll save that for another blog post.
What do we mean when we say, “Layered Security”, in simple terms? Think of your house, fully equipped with locks on the doors. Some people may think that’s enough to keep out the bad guys, but it won’t stop everyone. We would recommend you also install a gate, attack dogs, surveillance cameras, security guards, and a shark-filled moat.
Technically speaking, however, data needs to be protected at the various levels of your company’s or organization’s infrastructure. Opinion varies widely on the “layered security” approach, but this model does an excellent job of summing things up.
Also, as stated by the Department of Homeland Security, having a Backup and Disaster Recovery solution is the number one recommendation to recover from attacks. To learn more about BDR and our recommendations, contact us here.
2. Updating Business Processes
Some things are unavoidable due to the human factor. Should something get past your layered security and find its way to you or a fellow employee, business processes should constantly be updated to close any loopholes internally. For example, anything that involves wire transfers or issuing payments over a specified threshold should require signature approval from the CEO and CFO.
Another example might include an employee who is claiming to have forgotten or lost a scan key fob to get into the building. Should someone be locked out of the building, they must check in with security or reception before entering the building. This could help you prevent such attacks as tailgating.
Also, try making basic cybersecurity training mandatory for all new employees, which leads us into the next tip.
3. Ongoing Education for Employees
Education is important. You’re only as strong as your weakest link.
Scheduling mandatory cybersecurity training for all employees on a yearly basis is a strong recommendation. When employees know what to look out for, they can be a major asset to your cybersecurity posture. Send them information about local security events and encourage their attendance. See if your local chamber of commerce is hosting any security events or education webinars. You can also follow us on social media and sign up for our newsletter to learn about any upcoming security events in the Greater Los Angeles area.
Social Engineering may make its way into your business at one point or another. By nature, social engineering is a shape-shifter and highly adaptable. You could dump your entire IT budget into cyber security products, and that could help. But, social engineers might still find a way around all those protections/precautions. Use our 3-pronged approach to get started protecting your business network.
We like to offer our clients onsite training for their employees, making the educational aspect fun and easy to understand, packaged with the option for security products that will help implement a layered security approach. Get in touch to learn more about our security packages.
"Anyone can be the target of a spear-phishing attack […] While an attacker may not be interested in you specifically, you can be their foothold into a secure computer system that may contain the PII (Personal Identifiable Information) of customers, executives and other personnel as well as critical data. […] Everyone has value" ³.