Social Engineering - what is it?
What Is Social Engineering?
Most people assume that hacking always involves the use of complicated programs that attack computer networks. In reality, most successful hacks involve some level of human interaction.
Hackers often attempt to trick a person into breaking normal security procedures, compromising the integrity of a personal computer or computer network. They will also attempt to obtain valuable information including credit card details, banking details, or passwords. Manipulating people in this way is called social engineering.
Social engineering uses many of the techniques employed by conmen. A hacker will appeal to a person’s greed or vanity, for example, to compel them into performing a certain action. Sometimes they will pretend to be in a position of authority and demand access to sensitive information.
The hacker’s goal might be forcing the person into revealing a password, revealing personal information, inserting a USB drive into a computer, or installing a piece of software. Once this action has been completed, the hacker is given the information they need to benefit financially or compromise the security of a computer network.
Common social engineering attacks
The most common types of social engineering attacks include:
Phishing involves the sending of fraudulent emails that are designed to look like legitimate emails. For example, a hacker might create and send a fake email that looks like it has come from a bank. The email might ask for a person’s bank details or other personal information. Sometimes the hacker will ask for information that helps them access a computer network or social media account.
When the phishing attack is narrowly targeted on a specific individual or organisation, it is called spear phishing. These attacks can be more sophisticated, with hackers using personal information they have found about a person to construct a very convincing email. To the untrained eye, a spear phishing attack will look very similar to an email from a co-worker or friend.
Baiting Baiting is one of the oldest forms of social engineering. A hacker will leave a malware infected device in a location where it can be found. They trick a person into plugging the device into their computer so the malware can be transferred — compromising the security of a computer network.
The classic example of an effective baiting attack is leaving a USB stick marked “Employee salaries” in an office car park. Employees are always curious about how much their co-workers are paid, so they will pick up the USB stick and insert it into their computer, transferring the malware onto the network. This is a classic con that appeals to a person’s vanity.
Hackers might even send a person a free smart phone in the mail, telling them that they won the device in a contest. The phone could be infected with malware that can spread to their home computer or work computer.
Scareware Scareware attempts to convince a user that they already have malware on their computer and must install an application to remove it. You may have seen scareware on the Internet before, in those bright flashing advertisements that claim your computer is infected with a virus. Of course, the cure is actually the disease! The program that is downloaded contains malware that compromises the computer.
This type of social engineering is when one party lies to another to gain access to sensitive information. This could be as simple as a person ringing an employee and asking them for their network password or certain personal information. The hacker often pretends they are from the human resources department or IT department of a business. They often demand the information aggressively and pretend to be in a position of authority.
Avoiding social engineering attacks
Here are a few simple steps you can take to protect yourself and your business from social engineering attacks. They include:
Run regular penetration tests A penetration test will test a computer network to find vulnerabilities that a hacker could exploit. Social engineering penetration tests use standard social engineering tactics to identify employees who are susceptible to this hacking technique. Once identified, these employees can receive additional information security training.
Slow down and verify Social engineering methods like phishing, pretexting, and scareware rely on pressuring a person to act quickly and divulge sensitive information. Train yourself and your staff to verify the source of communications before acting. Phone calls, emails, and other points of contact should be checked before any sensitive information is divulged.
Ensure anti-malware and anti-spam software is up to date All computers in your computer network should use anti-malware and anti-spam software. This will protect your network from employees who attempt to install scareware or fall for a phishing attack that installs malware.
Train your staff to identify and report social engineering attacks
Staff should be made aware of the risks posed by social engineering. They should be taught to:
• Be suspicious of unsolicited phone calls from individuals asking about sensitive information
• Avoid providing personal information to other staff members unless they are certain of the person’s authority to have that information
• Not reveal any personal or business-related financial information in emails
• Understand how baiting attacks occur and to report them to security staff immediately
• Always check the URL and security information of the websites that they are visiting
• Use anti-phishing technologies available in web browsers
• Report suspicious activity and unsolicited contacts to security staff
If you would like more information about social engineering and are interested to know how your people can be engaged to recognised and avoid the scammers why not get in touch.