A study by the security firm Proofpoint identified social engineering as the top cyber attack technique in 2015. Instead of focusing on automated attacks as in previous years, attackers are getting you, or your employees, to do their dirty work. If you think your staff and senior management team are not that gullible, think again. Social engineering is a sophisticated security threat that has tricked even the most security-conscious people.
What Is Social Engineering?
Social engineering starts with engagement between the attacker and the ‘victim’ via social media, email, or mobile apps. The aim is to get the target to carry out an action that allows the attackers to infect IT systems, steal data or transfer money. While automated security attacks are a blanket approach to breaching an organisation’s defences, social engineering can be much more targeted: at specific businesses, at specific assets, and often at specific employees, too.
The following are some of the more popular methods used in social engineering campaigns, with an indication of what each may look like and its outcome if successfully triggered:
Baiting: Baiting can be a very targeted attack in which the attacker leaves a physical device, such as a USB flash drive infected with malware, in a prominent place. This could be at a conference, unbeknownst to the organisers, and the device could be branded so it passes as official conference material. Once a delegate or other user plugs it into a computer, the malware is installed and activated. Mobile apps are used in the same way: attackers create cheap or free apps that, once downloaded, infect the mobile device (and the systems it accesses) with malware.
Phishing: This is an email attack that purports to be a legitimate communication, often from a trusted source. The aim is to get the recipient either to click on a malware-infected attachment or link, or to divulge personal or financial information.
Pretexting: Pretexting involves using a false motive, in other words lying. Perhaps the most common technique is to request personal or financial information in order to ‘confirm the identity’ of the victim. This request may come after a number of other communications designed to build trust with the recipient before persuading them to part with the information. In other cases the attacker may pretend to be a colleague who needs the information quickly, or a higher authority, relying on the victim not questioning their superiors and simply providing it.
Scareware: Another form of social engineering is to convince the victim that they are at risk and offer a solution to put it right, for example by making the recipient think they have downloaded malware or illegal content and offering a fix. The ‘fix’ is the actual malware. The tactic preys on our concerns about security and, in many cases, on employees’ anxiety about telling someone that they have infected the system.
Spear phishing: Just like phishing but with another layer of sophistication, spear phishing targets specific employees within an organisation. In some cases the attacker may know an employee’s actual name; in others they may target people based on their role within the company. For more on spear phishing, read this post: 28% of Spear Phishing Attacks Are Getting Through Businesses Security Defences.
How To Protect Your Organisation
Security awareness training is one of the most effective ways to prevent social engineering attacks. If your employees know what to look out for, stay vigilant, and question any request for information that is uncharacteristic or deviates from your security and data protection protocols, they are less likely to become an ‘enabler’.
A very effective way to help employees, including senior members of staff, understand how social engineering campaigns work is to get your IT provider to run penetration tests using these techniques. This will highlight vulnerabilities and identify the employees and other users most at risk of being on the receiving end of this type of attack.
My company is hosting a security workshop for directors and senior business leaders to help you understand the biggest threats to your business, threats that your antivirus, firewalls and other IT security systems are powerless to stop, and to give you advice on insurance and whether it is relevant to you in the digital economy. Find out more about the security workshop here.