Social engineering was and still remains a dangerous threat to companies. But what is it that makes these social engineering attacks so successful?
Social engineering has proven to be a very successful way for a cyber criminal to get inside an organisation. All it takes is one careless employee to give away their credentials before the criminal has instant access to all of the company's sensitive data.
Social Engineering techniques
Social engineering attacks come in many forms and can be performed anywhere where human interaction is involved.
Baiting attacks involve offering their targets something they want. For example, attackers would research specific employees that visit niche websites and then host malware that specifically targets these employees.
Phishing is a scam that is in the form of an email. The cyber criminal will curate an email with the aim of obtaining personal information, such as bank account details and addresses. The email will contain malicious links or attachments that redirect the target to a fake website that looks legitimate.
Pretexting is a type of social engineering attack that focuses on creating a good pretext. These type of attacks commonly take the form of a scammer who pretends they need specific information from the target, in order to confirm their identity, therefore gaining the targets personal data.
Tailgating, also known as “piggybacking”, is an attack that involves someone who lacks the proper authentication, following an employee into a restricted area. For example, they might impersonate a delivery driver and wait outside a company's door.
This is another type of phishing, however, the scam takes place over the phone. A scammer will call the target up on the phone pretending to be from their bank or even from a government agency. They will fish for information, with the aim of retrieving your personal information to steal money or even data.
The Employee psychological traits that social engineering utilises
It's our own human nature that makes us vulnerable. The three common psychological traits that help social engineers succeed are:
Our desire to be helpful to everyone
Our fear of getting in trouble
Our tendency to trust people, even people we don’t know.
With these traits in mind it may seem like its very easy to prevent social engineering, but the problem is you have clue who is sat behind the computer screen.
The types of social engineering
Now we have discussed the techniques of social engineering, its now time to explain the types of social engineering criminals use. Social engineering falls into two main categories: human based and web based.
Social engineering based on human interaction relies on human vulnerabilities to gain access to sensitive data of the individual or the company they work for.
Where as social engineering based on web interaction is Phishing or Whaling. This type of social engineering focuses on the targets movements online, rather than in person.
How is your company at risk?
So, we know that social engineering is a major threat to business. But what is your business doing that is making you the ideal target?
Lack of security knowledge
When your employees know little about the range of cyber security threats out there, they are more at risk. Cyber criminals can easily manipulate your end users into giving away sensitive information and data. As well as being more prone to cyber threats, there is a major lack of knowledge when it comes to preventing cyber attacks by implementing password security and spam filters.
Oversharing on social media
Even though social media has its benefits, it's also a great opportunity for cyber criminals to learn more about their targets. Employees are using social platforms as their online diaries, broadcasting every detail of their personal life.
Social media is practically gold for cyber criminals, it helps them to personalise their attacks and increase their chances of success.
Our curiosity always gets the better of us. Sometimes it can be through the means of a phishing email that is offering money or a simple advert that appears when you go to a website.
The problem is social engineering attacks can be conducted in many different ways, which makes it more difficult for employees to spot them, especially if they are not educated on the topic.
What can you do to control employee social engineering attacks?
Simple methods such as multi-factor authentication can keep accounts secure. The primary benefit of multi-factor authentication is that it provides an additional layer of security. The more security layers in the place the less chance a malicious outsider can gain access.
Cyber security policy
Employees at every level of the business should have a set of clear guidelines in place that specifies how to prevent cyber attacks and what to do if they come across one. The policy should also include security best practices and other forms of security efforts. Here are the 7 things you must include in your cyber security policy.
Regular phishing simulations
Phishing is the most successful and common type of cyber crime. It has been around for a very long time and still fools people everyday. Conducting regular phishing simulations in the workplace educates employees without the risk of losing valuable data. It allows you to see if there are any trends, and which employees are falling for the phishing attacks. There are plenty of free phishing simulation tools out there to use, its a matter of finding the right one for your business.
Security Awareness Training
As well as implementing security best practices and running regular phishing simulations, it's also important to have security awareness training in place. The training should be regular, engaging and actually worthwhile for your end users. Security awareness training has been proven to reduce errors, make sure employees are compliant and keep data secure.
Knowing where to start with your security awareness training can be difficult. So, here is the complete guide to end-user security awareness training.