Social engineering is the manipulation of people into giving up confidential information or taking an action that benefits the attacker. What the attacker is after varies, but when individual users or accounts are targeted the goal is usually credentials or banking details, or to talk the user into running malicious software that gives the attacker control of the machine and access to everything on it.
One subset of social engineering and phishing attacks is doing particularly heavy damage. In a “Business Email Compromise” (BEC), the attacker sends email that appears to come from someone inside the company, typically an executive, to another employee, usually to get a payment made or bank details changed. According to the Verizon 2019 Data Breach Investigations Report, senior executives were 12 times more likely to be the target of social-engineering incidents (BEC included) than in previous years.
Why is social engineering used by attackers?
Cybercriminals use social engineering because it is usually easier to exploit a person’s natural inclination to trust than it is to find and exploit a vulnerability in software. It is far easier to talk someone into giving you their password than to crack it (unless the password is really weak).
Security is largely about knowing who and what to trust: when to take a person at their word, and how to confirm that the person you are communicating with is who they claim to be rather than an impostor. The same applies online: knowing which websites to trust with a login, and recognising the warning signs when a site or a request is not what it appears to be.
Importance of Understanding Social Engineering
Almost every kind of attack includes some element of social engineering. The classic email “phishing” and malware scams, for example, are laden with social cues. Phishing emails try to convince users that they come from a legitimate source, in the hope of extracting even a small amount of personal or company data. Emails carrying malicious attachments, meanwhile, often purport to be from trusted contacts, or offer media that seems harmless, such as “funny” or “cute” videos.
In other cases, attackers use much simpler methods to gain network or computer access. A hacker might frequent the public food court of a large office building and “shoulder surf” people working on their tablets or laptops. That alone can yield a large number of usernames and passwords without sending a single email or writing a line of malicious code.
Some attacks rely on direct communication between attacker and victim: the attacker pressures the user into granting access under the guise of a serious problem that needs immediate attention. Anger, guilt and sadness are all used in equal measure to convince users that their help is needed and that they cannot refuse.
Finally, social engineering is also used as a pretext to get past support staff. Many employees and consumers do not realise that with only a few pieces of information, such as a name, date of birth or address, an attacker can impersonate a legitimate user to IT support personnel, have passwords reset, and gain broad access from there.
Social Engineering Attacks
Social engineering covers a broad range of methods for extracting information or actions from users. Some of the well-known tactics are:
- Phishing—Emails, texts, etc. sent to fool users into providing their credentials, clicking a link that installs malicious software, or going to a fake website.
- Spear phishing—Similar to phishing but with better crafted, tailored emails/texts which rely on information already gathered about the users. For example, the hacker may know that the user has a particular type of insurance account and reference it in the email or use the company’s logo and layout to make the email seem more legitimate.
- Baiting—Attackers leave infected USB drives or other devices in public places or around the employer’s premises in the hope that employees will pick them up and plug them in.
- Quid pro quo—Cybercriminals impersonate someone such as a help desk employee and offer a service or favour (fixing a “problem”, for instance) in exchange for credentials or other information from the user.
Prevention Techniques/Safeguarding against Social Engineering
Most techniques employed by social engineers manipulate human biases. Reports from 2019 have highlighted how these attacks have shifted away from infrastructure (which is getting harder to exploit) towards people (who remain fallible). To counter such techniques, an organization or individual can take the following measures:
- Trust: Do not let familiarity substitute for verification. Users must be trained to expect even people they know to prove they are authorized to access particular areas or information, and never to share passwords or other sensitive information, however familiar the person asking.
- Knowledge: Users must be trained to recognize techniques that fish for sensitive information and to politely decline, even when the request is forceful or intimidating.
- Tricks and Tips: Most large sites (Yahoo, for example) use HTTPS to encrypt traffic and present a certificate for their domain. The padlock only proves you are talking to the domain shown in the address bar, not that the domain is the one you think it is, so read the URL itself: look for misspellings, extra words, and a brand name appearing as a subdomain of some other domain. Avoid responding to emails that ask you to provide personal information, and open the site directly rather than following the link.
- Access Management: To prevent tailgating, users must be trained not to let others use their access credentials to enter restricted areas. Each person must badge in with their own credentials so that access logs remain attributable.
- Curiosity: Found USB drives or other media should be handed to system administrators, who scan them for malware on an isolated machine rather than plugging them into a production system.
- Training: To counter techniques that exploit greed (prizes, refunds, offers that are too good to be true), employees must be trained on the dangers of falling for such scams.
- Updated Security system: Make sure automatic updates are enabled for the firewall, Windows and antivirus, or make it a habit to pull the latest signatures first thing each day. Patching does not stop a person from being deceived, but keeping the operating system and antivirus current limits what the attacker’s payload can do once a user has clicked.
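The link tricks described under Phishing and Spear phishing above, and the advice in the prevention list to read the URL rather than trust the link text, can be automated as a first-pass triage of a suspicious message. The following is an added example written for this page, not code from the original article: it pulls every anchor out of a constructed HTML email body and flags the classic lures (visible text showing one domain while the href goes to another, userinfo before an “@” hiding the real host, a bare IP address, punycode labels, one-character typosquats, and a trusted brand name used as a subdomain of an unrelated domain). TRUSTED_DOMAINS, the sample message and the one-edit threshold are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: domains this organisation legitimately links to (illustrative list).
TRUSTED_DOMAINS = ("paypal.com", "microsoft.com", "example-corp.com")
# Link text that itself looks like a URL or a bare domain name.
DOMAINISH = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); real code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text):
    """Return the reasons (possibly none) why this anchor looks like a phishing lure."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    if parts.scheme != "https":
        reasons.append("link is not https")
    # In https://paypal.com@198.51.100.7/ the text before '@' is userinfo, not the host.
    if parts.username is not None:
        reasons.append(f"userinfo before the real host {host}")
    if IPV4.fullmatch(host):
        reasons.append("bare IP address instead of a hostname")
    # An xn-- label is an internationalised name that may render like a brand (IDN homograph).
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host")
    # Visible text shows one domain while the href goes to another.
    m = DOMAINISH.fullmatch(text)
    if m and registered_domain(m.group(1)) != reg:
        reasons.append(f"text shows {m.group(1)} but link goes to {host}")
    # Lookalikes of a trusted brand: a one-edit typosquat, or the brand as a subdomain elsewhere.
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if edit_distance(reg, trusted) == 1:
                reasons.append(f"{reg} is one edit away from {trusted}")
            elif brand in host:
                reasons.append(f"host contains '{brand}' but is registered as {reg}")
    return reasons


def scan_email(html_body):
    """Map every suspicious href in the body to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = {}
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample lure for this example (not a real message); the last link is legitimate.
SAMPLE_EMAIL = """
<a href="https://paypal.com.account-verify.net/login">https://www.paypal.com/</a>
<a href="http://paypa1.com/verify">Verify now</a>
<a href="https://paypal.com@198.51.100.7/">Log in</a>
<a href="https://xn--pypal-4ve.com/">Contact support</a>
<a href="https://www.paypal.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

Heuristics like these produce false positives (legitimate mail often routes links through tracking redirectors, which trips the text/href mismatch) and are no substitute for verifying an unexpected request out of band. They are a cheap way to surface the links that deserve a second look before anyone clicks.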