How to Avoid Social Engineering Attacks?
When we talk about data security, the emphasis is usually on the more technical dangers such as viruses and malicious software.
However, while ensuring that your sensitive data is protected with the latest anti-virus software, there is another weakness that attackers can attempt to exploit - humans.
In this article, we'll focus on protecting your personal or financial information from social engineering attacks.
What is a Social Engineering Attack?
Data breaches and malicious code infections don't happen on their own and more often than not rely on human "help" to trick users into installing malware on their computers.
To make people "lower their guard" and lax in their security awareness, attackers use social engineering tactics to appear as trusted and legitimate parties so that the other side is in turn manipulated into divulging sensitive information such as login credentials or personal information.
11 Most Common Types of Social Engineering Techniques that can Trick Users
There are several social engineering techniques you should be aware of if you want to protect your business:
- Phishing attacks - Phishing is an email attack in which the attacker sends a fraudulent email to the victim. The attacker pretends to be a legitimate source to trick the user into clicking on a malicious link to a phishing website where the user is supposed to leave their sensitive information believing they're on the right site. These phishing websites often look identical to those by legitimate companies. Phishing also includes spear phishing, CEO fraud, smishing, and vishing
- Scareware - If you even saw a pop-up message on your smartphone telling you that "Your Android is infected with 450 viruses!", this is an example of a Shareware social engineering attack. In reality, your phone has no viruses or malware, but clicking on the provided link will only download and install one instead
- Diversion - Diversion or rerouting is another type of social engineering attack in which attackers deceive a courier or delivery company to go to the wrong location in order to intercept their transaction
- Pretexting - In a pretexting the social engineer gains the victim's trust by pretending to need their financial or personal information to "confirm" their identity (in other words, gain access to their sensitive data)
- Rogue security software - In this type of social engineering attack, the bad actor creates a false sense of danger in the user's mind by telling them that they have malware on their device, but that they can "fix" this (for money of course). In truth, there is no malware
- Quid pro quo - Quid pro quo is a social engineering attack in which the attacker promises to do something in exchange for the victim's assistance. Most often this "assistance" includes disclosing sensitive information on the targeted company
- Dumpster diving - This is a good example that threat actors will go to any length to get confidential information, including searching the company's trash for account information and access codes that will allow them to gain access to the organization's network
- Piggybacking - Also known as "tailgating", piggybacking is a type of social engineering attack in which the criminal follows someone with legitimate access into the building. Not knowing if the attacker is supposed to be in the building, the other person might even hold the door for them
- Watering hole - The "watering hole" is a synonym for a gathering place where a target group often comes to, such as social networking sites, forums, or chat rooms. Knowing this, the attacker might first infect these "watering holes"
- Baiting - The "baiting" social engineering attack in which the attacker might leave an infected physical media such as a USB stick lying around for instance on the victim's desk. Thinking that it's something important, the user then inserts the USB into their computer and unknowingly installs a malware
- Honey trap - Here, the social engineer lures the target into an online relationship and slowly gain their trust and get sensitive information from them
How Does Social Engineering Work?
So, how do social engineering attacks work?
Most social engineering attacks require human interaction to work. This means that social engineers first have to know their target, so they spend a lot of time learning their behaviour, finding weak points in information security, gaining trust...
For instance, one way that a social engineer can "get their foot in the door" is through a lower-level targeted employee such as a receptionist or a junior. Once they have access to the building or the system, the attacker can begin to gather sensitive information they're interested such as bank account numbers, SSNs. credit card information, etc.
How to Prevent Social Engineering Attacks?
Social engineering is bar far the most used attack technique and you'll often see other techniques include elements of it. In fact 98% of all other attacks use some element of social engineering.
However, preventing social engineering attacks is not as straightforward as installing a good security software (though this is important as well). You need to understand human psychology as well.
Social engineers rely on human error to succeed. These are often not advanced attacks in terms of technology used, but the time they spend gathering information about their targets and then using this to slowly gain their trust, is often significant.
Here are a few things you can do to prevent social engineering attacks:
- Educate and train employees to recognize social engineering schemes
- Keep your security software (antivirus and anti-malware) up to date to prevent malware infections
- Ensure that your security teams (physical and cyber) are always alert to social engineers
- Make sure that your employees use unique and strong passwords for their online accounts
- Use two-factor authentication (2FA), for example, PINs or tokens via text messages
- Use spam filters to block out suspicious emails
- Make sure that your security or receptionist don't let anyone in without an ID or a company pass
- Slow down. One of the main tactics social engineers use is to use a sense of urgency and fear. That way the target acts before thinking and falls for their scam
- Ask for confirmation. Before doing anything like giving away sensitive information about your company and employees to someone pretending to be your boss who "urgently" needs this information, get in touch with them or someone higher up to confirm this.
- Finally, ask yourself - does this sound realistic? Are you really the last relative of a billionaire who died in a terrible plane crash, leaving all their money for you to inherit?
Social engineering is getting more and more popular among cybercriminals and is the reason for more than 70% of data breaches.
Fortunately, social engineering can be avoided, but this requires constant diligence throughout the entire organization. We hope that this article has helped you learn how to prevent social engineering attacks and protect your sensitive data.
By far, the most commonly deployed social engineering attack is phishing. Last year, 75% of organizations around the world suffered a phishing attack, which includes regular phishing, spear-phishing, vishing, smishing, and whaling/CEO fraud.
The 5 most common social engineering attacks are:
5. Honey trap