Social engineering- The art of of human hacking, this famous method of cyber crime continues to grow infrequency and sophistication, it is crucial to prepare your company for the worst.
Here’s a short guide on the threat of social engineering.
Over the past few years, social engineering has become a cyber criminals favourite method of attack. It has been proven to be the most successful way for a criminal to get “inside” an organisation.
People tend to forget criminals are very patient people, they will happily sit and wait for the right opportunity to occur. A social engineer will find out everything they about an individual or even a business. This could be through the means of social media or finding the targets data online.
Defeating social engineers requires constant attention, especially with hacker who are becoming more sophisticated with their methods. There are numerous forms of social engineering, here is what to look out for:
Tailgating- Don't Trust Anyone
This physical method of social engineering is very simple, all it takes is an unauthorised individual to follow an authorised employee into the company building. The aim of tailgating is to obtain valuable information from the company. Tailgating can easily occur without anyone knowing, all it takes is for someone to hold a door open for an individual because “they forget their fob key”. The social engineer might even ask to borrow an employees work device such as a mobile or laptop to complete a simple task, when in fact their intentions are to download malware onto the device or steal data from it. As humans we tend to fall for this trick very often. Human error continues to be one our weaknesses and criminals will continue to exploit it at every possible opportunity.
Phishing- The Oldest Phish in the Pond
I’m sure you have heard of this one, phishing is the most successful cyber crime out there, it has been for quite a while now. It’s quite scary to think a simple email in an inbox could potentially destroy your business. The goal of phishing is pretty straightforward, the criminal will get the victim to hand over their personal details, whether it is their bank details or data from the company they work for. More often than not the criminal succeeds. This type of social engineering attack involves the criminal researching their targets that they wish to impersonate or attack. The constant advancements of phishing are one of the many reasons why they’re still successful and will continue to be until everyone understands how to spot them.
Whaling- Going After the Big One
Unlike your traditional phishing, Whaling is a much more targeted form of attack it has a more specific target. Whaling targets senior level employees such as executives and CEOs, pretty much anyone who has access to valuable data. This preference of targeting “the bigger fish” in an organisation is where the term “whaling” comes from. Whaling differs from phishing, it usually targets an individual or a very specific group of people. This type of social engineering threat involves the criminal researching their targets that they wish to impersonate or attack. Once they have gathered all the information they need, they will throw their hook in and simply wait.
Watering Hole- Predator vs Prey
Insider Threats- The Human Based Social Engineering Attack
For most companies, they assume they will never be targeted by one of their own. But in fact, this type of attack is becoming quite common due to insiders having a significant advantage over external attacks. They already have access to company data as well as knowing the ins and outs of how the company runs on a day to day basis. The social engineer will most certainly be aware of the companies weaknesses as well, this is where the insider will use those weaknesses to their advantage.
Spear Phishing- Bait, Hook and Catch
This type of social engineering threat targets a specific individual, the aim of the attack can vary depending on the criminal, they could steal data from the company, upload malware onto the victim's’ computer or even gain access to personal information such as bank details. More often than not victims think nothing of it and will give the criminal access to their data. As spear phishers are only target an individual they can spend their time conducting research on the victim, they will know every little detail of them when trying to gain access to data from them.
Baiting- The Waiting Game
In many ways, this method of social engineering is quite similar to phishing. However, it includes the promise of an item, this item is what hackers use to lure their victims in. Baiters will usually offer free music or a free download of a movie, in return the victim will be asked for their bank details. These types of attacks are not restricted to online scheme attacks, criminals can exploit their victims through the use of physical media. Similar to other types of social engineering, baiting relies on an employees lapse of judgement to create a weaknesses in the company’s network.
Pretexting- A sense of urgency
Pretexting is the act of pretending to be someone else in order to obtain information. The social engineer would give themselves a whole new identity, then they would use this identity to manipulate the victim into giving away their information. A social engineer will sometimes impersonate people from a certain job just to gain the trust of the victim and then manipulate them into giving away their information without a second thought.
Quid Pro Quo- Something for Something
Similar to voicemail phishing, this method promises a benefit in the exchange of information. One of the most common types of quid pro quo involves a criminal impersonating an IT service employee, they will spam call as many direct numbers that belong to the company they are wanting to target. The attacker will offer IT assistance to every victim, once the victim agrees, they will be requested to disable their AV program, this is so the “IT assistant” can install software onto their device, when in fact it’s malware. However, bare in mind social engineers can offer much less sophisticated offers than IT support.
One of the most important aspects of social engineering is trust, if you can build trust you will most certainly fail. If a criminal succeeds in gaining the victims trust they will more than likely be able to manipulate them into giving you any information they require, without the victim thinking anything of it. People never assume they will be a victim of a social engineering attack. This is what makes them so successful.