At its core, social engineering is not a cyber-attack. The aim is to gain the trust of targets so that they lower their guard, and then to encourage them into taking unsafe actions such as divulging personal information, clicking on web links, or opening attachments that may be malicious.
- How does social engineering work? In a typical social engineering attack, a cybercriminal communicates with the intended victim while claiming to be from a trusted organization. In some cases, they will even impersonate a person the victim knows. If the manipulation works, the attacker will encourage the victim to take further action. This could mean giving away passwords, a date of birth, or bank account details, or could lead to the attacker extracting sensitive information from the device or taking over the device entirely.
- Why is social engineering so dangerous? One of the greatest dangers of social engineering is that the attacks don't have to work against everyone: a single successfully fooled victim can provide enough information to trigger an attack that affects an entire organization.
- How do I protect myself and my organization against social engineering? Companies can mitigate the risk of social engineering with awareness training. Consistent training tailored to the organization is highly recommended. Training helps employees learn to defend against such attacks and to understand why their role within the security culture is vital to the organization.
- Security policies to help employees:
- Password management: Guidelines such as the number and type of characters each password must include, how often a password must be changed, and a rule never to reveal or share passwords.
- Multi-factor authentication: Authentication for high-risk network services such as modem pools and VPNs should use multi-factor authentication rather than fixed passwords.
- Email security with anti-phishing defences: Multiple layers of email defences can minimize the threat of phishing and other social-engineering attacks. Some email security tools have anti-phishing measures built in.
- Phishing: Cybercrime attacks such as advanced persistent threats (APTs) and ransomware often start with phishing attempts.
- Watering hole attacks: An attacker will set a trap by compromising a website that is likely to be visited by a particular group of people, rather than targeting that group directly.
- Business email compromise attacks: Business email compromise (BEC) attacks are a form of email fraud in which the attacker masquerades as an executive and attempts to trick the recipient into performing their business function on the attacker's behalf. Sometimes the attacker goes as far as calling the individual and impersonating the executive.
- Physical social engineering: Certain employees, such as help desk staff, receptionists, and frequent travellers, are at greater risk from physical social engineering. The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.
- USB baiting: USB baiting sounds a bit unrealistic, but it happens more often than you might think. Cybercriminals install malware on USB sticks and leave them in strategic places, hoping that someone will pick one up and plug it into a corporate environment, thereby unwittingly releasing malicious code into their organization.