Social engineering is one of the foremost ways that hackers and other bad actors will try to penetrate an organization's cybersecurity defenses. Reason being? People. People can be one of your weakest lines of defense if they are not properly trained and informed.
Therefore, rather than attempting to breach your super-encrypted, extra-protected, and constantly on-watch defenses, it's easier for a bad actor to simply bypass them by having an employee (who already has access) give them access to confidential information.
Now, this isn't to say that you have to get rid of all your people to be cyber secure; rather, we're saying that you need to be aware of the social engineering techniques that target you and your staff. Once you and your staff are aware of the types of social engineering attacks most likely to be used against you, you will be much more resilient to them.
Types of Social Engineering Attacks
1. Phishing
Probably the most widespread and well-known of social engineering techniques, phishing is the process of sending emails (or texts, which is known as smishing) that appear to come from reputable sources in an attempt to get someone to reveal personal information.
These can take the form of emails seeming to come from coworkers, or emails impersonating reputable brands such as Google and Microsoft or government institutions such as the IRS. The idea is that you will see something familiar and won't look too closely. The goal of a phishing email could be to get you to open a malicious attachment, or to click a link and enter your login information on what looks like a familiar website but is in reality a spoofed website designed to steal your credentials.
A personal example, one that I almost fell for:
Having just started a new job, I was at my most vulnerable for phishing attacks. I hadn't gone through any cybersecurity awareness training as of yet, and this was my first encounter (to my knowledge) with a phishing email.
The email read as coming from the CEO and owner of the company. The email address at first glance looked the same, the name and signature were correct, and there were no links in the email: nothing to be suspicious of. It was a simple email, asking me to go buy some gift cards for some clients that were coming later in the day. Had my coworker not stopped me, I might have ended up buying those gift cards.
Now, this example might appear easy to spot, but the truth is that anyone can fall for a phishing email. That's why training and frequent vigilance are so important to a strong cybersecurity strategy.
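As an added illustration for the phishing section (this is not code from the original article), here is a small Python triage script that scores inbound mail headers for the impersonation signs described above: a trusted display name (like the CEO's) on an external address, a lookalike of the organization's own domain, a Reply-To that points somewhere else, and urgency wording such as a gift-card request. The domain `example.com`, the executive name list, the confusable-character table and the four sample messages are all constructed for this demo and are assumptions, not anything taken from the article.

```python
"""Heuristic triage of e-mail headers for phishing impersonation markers.

Added example for the phishing section; not part of the original article.
Assumptions (constructed for the demo): OUR_DOMAIN is the organization's real
mail domain, EXECUTIVES lists names an attacker would impersonate, and the
SAMPLES below are made-up header sets.
"""
import unicodedata
from email.utils import parseaddr

OUR_DOMAIN = "example.com"            # assumption: the organization's real domain
EXECUTIVES = {"jane doe"}             # constructed: names worth impersonating
URGENCY = ("urgent", "gift card", "immediately", "asap", "wire")

# Character substitutions commonly used to build lookalike domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def skeleton(domain):
    """Reduce a domain to a 'skeleton' so visually similar spellings collide."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    s = s.encode("ascii", "ignore").decode()                     # drop non-ASCII
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s.replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True when a foreign domain is visually close to ours but not equal to it."""
    domain = domain.lower()
    if not domain or domain == OUR_DOMAIN:
        return False
    return (skeleton(domain) == skeleton(OUR_DOMAIN)
            or edit_distance(domain, OUR_DOMAIN) <= 1)


def domain_of(header_value):
    """Bare domain from a From:/Reply-To: header value ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(headers):
    """Return (score, reasons) for one message; higher means more suspicious."""
    score, reasons = 0, []
    name, _ = parseaddr(headers.get("From", ""))
    from_dom = domain_of(headers.get("From", ""))
    reply_dom = domain_of(headers.get("Reply-To", ""))

    # Display-name spoofing: a trusted name on an address outside our domain.
    if name.strip().lower() in EXECUTIVES and from_dom != OUR_DOMAIN:
        score += 3
        reasons.append(f"display name '{name}' but sender domain {from_dom!r} is external")
    # Lookalike sender domain (typo-squat or confusable characters).
    if is_lookalike(from_dom):
        score += 3
        reasons.append(f"sender domain {from_dom!r} is a lookalike of {OUR_DOMAIN!r}")
    # Replies silently redirected to a different domain.
    if reply_dom and reply_dom != from_dom:
        score += 2
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    # Pressure wording typical of CEO-fraud and gift-card requests.
    hits = [w for w in URGENCY if w in headers.get("Subject", "").lower()]
    if hits:
        score += 1
        reasons.append(f"urgency wording in subject: {hits}")
    return score, reasons


def triage(messages):
    """Score every message and return [(score, From)] sorted most suspicious first."""
    scored = [(score_message(m)[0], m.get("From", "")) for m in messages]
    return sorted(scored, key=lambda t: -t[0])


# Constructed sample headers: one benign message and three impersonation attempts.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Quarterly numbers"},
    {"From": "Jane Doe <jane.doe@mail.example.org>",
     "Subject": "Need gift cards for the clients, urgent"},
    {"From": "IT Helpdesk <support@exarnple.com>", "Reply-To": "support@exarnple.com",
     "Subject": "Your password expires immediately"},
    {"From": "Accounts <billing@vendor.example.net>",
     "Reply-To": "billing@other.example.org", "Subject": "Invoice attached"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        s, why = score_message(m)
        print(f"{s:>2}  {m['From']}")
        for r in why:
            print(f"      - {r}")
```

The scoring is deliberately simple and meant for training and triage, not as a replacement for mail-gateway controls: the two highest-scoring samples are exactly the patterns from the story above (the CEO's name on an outside address asking for gift cards, and a domain that reads as ours but is spelled `exarnple`), and the reasons list is what an analyst or an awareness exercise would show the recipient.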
2. Baiting
Similar to phishing in some instances, baiting is the act of offering something in return for login credentials or other personal information. It may come in the form of an email, where a free download or trial is given in return for logging into a platform.
Baiting can also be done physically, in the form of an official-looking USB drive sent in the mail, prompting a user to plug it in to download a report or piece of software, something the user might want.
This can be an extremely successful method of attack, as it preys on a person's desires and impulsivity. How often have you clicked on something for the simple reason that something free was promised on the other end?
3. Pretexting
If you've ever received a suspicious phone call or email demanding your credit card information or your social security number because "The IRS is looking for you!" or something similar, you should be well aware of pretexting. Pretexting is a type of social engineering attack in which a bad actor pretends to be someone with authority in order to garner information. This can take the form of an IRS employee, a coworker, or someone from your bank. The key is that the "character" the bad actor personifies is someone you would typically trust without question. In fact, the less you question, the better for them.
More sophisticated threat actors may perform background research on their targets (this is known as Open Source Intelligence Gathering, or OSINT) and include very specific information in their pretext. For example, if you post on social media often about your gardening hobby, the attacker may pretend to be someone from a prestigious gardening organization calling to give you an award (“...but I just need your social security number and driver’s license to verify your identity first.”)
An easy way to defend against pretexting is one of our favorite mantras: "Always verify!" If you insist on hanging up and calling your bank or the IRS directly, or on going to talk to your coworker in person, rather than just assuming whoever contacted you is legitimate, you can avoid many of the dangers of pretexting. Always verify that the person you're talking to or emailing is who they say they are.
4. Scareware
Where the previously discussed social engineering techniques rely on trust, lack of awareness or knowledge, or greed, scareware relies on a user's fear to trick them. Scareware typically takes the form of malicious software or pop-ups that attempt to scare you into visiting and downloading more malicious materials.
Pop-ups that try to get you to click on them, claiming that your computer is infected with malicious files or pornography, are common scareware tactics. They mimic the logos of well-known antivirus software companies and generally attempt to appear legitimate. This is another case where "Always verify!" works wonders. Or, even better, just don't click on any weird or suspicious pop-ups.
5. Quid pro quo
Similar to baiting, quid pro quo is when a bad actor offers something in exchange for personal or confidential information, such as your login credentials. This might take the form of someone calling in and posing as a cybersecurity expert: for example, they offer a free analysis of your systems if you give them your login credentials so that they can access your servers remotely.
Another common approach to quid pro quo social engineering is posing as a researcher, where they claim that you will receive $100 to be part of a research study, as long as you give them access to your organization's network.
Countermeasures to Social Engineering
So, we've scared you sufficiently by this point: all five of the above social engineering techniques seem hard to defend against, so how do you do it?
Regular and frequent cybersecurity awareness training is perhaps the number one defense against these types of attacks. There's no way to increase your security through software and hardware to the point that social engineering could never be an issue.
You need people to have a business or organization; therefore you will always be vulnerable to a social engineering attack. Ensuring that your employees are constantly on the lookout for common scams, and that they are aware of what those scams might look like, is extremely important to your cybersecurity.
Having password best practices in place, such as using a password manager, using long passphrases instead of short passwords, and, perhaps most important, using Multi-Factor Authentication, can also help.