As companies implement more robust security systems, cybercriminals are increasingly adopting social engineering techniques to circumvent them and target people within the organization directly.
What makes social engineering particularly dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by unsuspecting users can be more difficult to detect because they may not be seen as a malware-based intrusion from the outset.
What is Social Engineering?
Social engineering is the term used to categorize a wide range of malicious activities carried out via human interaction. It uses psychological manipulation to deceive users into granting access to a critical resource or giving out sensitive information.
Social engineering attacks typically occur in 4 stages:
- Preparation — Attackers collect background information about their intended victim(s) through social media, email, text messages, the dark web, or other sources. The most dangerous information gathered would be potential points of entry and weak security protocols to proceed with the attack.
- Infiltration — Attackers will attempt to gain the victim’s trust by posing as familiar contacts or authorities. They may even try to gain access to higher-value targets such as system administrators and IT executives.
- Exploitation — Attackers use details about the victim to “persuade” them to reveal sensitive information such as account credentials, payment account details, and other information that they can use to conduct a cyberattack. This persuasion usually involves a link, an attachment, or a website.
- Disengagement — Once the attack vector has been provided, the attackers cut off communication with the victim, carry out their intended malicious activity, and disappear.
Types of Social Engineering Attacks
Besides your typical phishing scams, social engineering attacks can come in several different forms. The following are the 5 most common forms of social engineering attacks.
Watering Hole
A watering hole attack, or “water holing”, consists of injecting malicious code into the public pages of a website. The website is targeted by attackers because it’s known to be visited by specific individuals of interest.
Once a victim visits the page of the compromised website, a backdoor Trojan is installed on their computer. Choosing which website to compromise, studying the victim’s online habits, and adopting an efficient exploit code are all steps that require significant effort in the preparation stage of this attack.
Whaling Attack
For cybercriminals, the word whaling is used to indicate that the victim is a big target to capture. What distinguishes whaling attacks from other social engineering methods is the choice of targets: executives of private businesses and government agencies.
Whaling adopts the same methods as spear-phishing attacks.
A scam email is designed to impersonate a critical business email sent from a legitimate authority, such as relevant executives of important organizations. Typically, the content of the message sent is intended for upper management to address with great speed or immediacy.
This can range from anything like a report of some kind of fake company-wide concern or a leak of highly confidential information.
Pretexting
The act of pretending to be someone else to obtain private information is called pretexting. In this method of social engineering, attackers create a fake identity and use it to acquire personal information.
The success of a pretexting attack heavily depends on the attacker’s ability to build trust. Sometimes, this may involve the attacker having to adopt several identities to convince the victim.
The more advanced forms of pretexting will try to manipulate victim(s) into performing an action that enables an attacker to exploit a point of entry into an organization. An attacker can then impersonate an external IT services operator to ask internal staff to allow them access to systems within the organization.
Baiting
Another weakness attackers will exploit is human curiosity. Not to be confused with other social engineering methods, baiting is the promise of goods or services that hackers use to trick the victims into downloading malware willingly.
A classic example of baiting is an attack scenario in which victims will receive a fake notification of their computer getting a virus. Attackers will use this opportunity to then trick the victim into downloading a malicious file disguised as a software update or as security software.
Quid Pro Quo Attack
A quid pro quo attack is a variant of baiting.
Instead of promising to simply give a target something, a quid pro quo attack offers a service or a benefit based on the execution of a specific action, usually in exchange for information or access.
How Can You Protect Yourself from Social Engineering
Now that you’re aware of the most common social engineering attacks, you can be more alert and protect yourself online from malicious actors. The following tips can help further improve your vigilance:
Use Multi-Factor Authentication
User credentials are the most dangerous pieces of information attackers can acquire. Your company should require users to provide a secure password or use an approved device (ex. an authentication app on a phone) every time they log into your networks, systems, and applications.
Primary Guard’s Access Control Management is an easy-to-deploy solution that can increase account security for your applications.
Keep Your Antivirus Software Updated
Make sure automatic updates are engaged and make it a habit to periodically check that the updates have been applied. Always scan your system for possible infections.
Security Awareness Training
Conducting end-user security awareness training among employees is the first line of defense against social engineering. Employees of all levels in a company should be made aware of how to avoid revealing any sensitive information at all via email or phone.
Endpoint Security Tools
It should be a requirement that all user devices within the company must be installed with endpoint security measures. Endpoint protection tools can identify phishing messages that link to malicious websites and warn the user before any action is taken.
Primary Guard’s Business Endpoint Protection can intercept and block malware and ransomware infections on a user’s device in real-time.
Penetration Testing
Consider conducting a penetration test to identify weaknesses in your organization. It can help you discover employees or systems you need to focus on protecting.
Scantrics has FREE online penetration testing tools that have the necessary capabilities to scan your entire website and prepare a comprehensive report of all the possible threats to your website.