Social engineering attacks: what they are and how to prevent them
Social engineering is one of the most widespread forms of cybersecurity attack. Rather than relying on flaws in software, it relies on something that’s harder to patch: our own vulnerabilities as people. By using a variety of approaches, attackers can trick or manipulate people into granting them access to their computer or files, and obtain private or valuable information.
Protecting against social engineering attacks is harder than most forms of cyberattack, as it requires a change of mindset and behaviour rather than software. The best way to combat these attacks is to learn more about them: what a social engineering attack looks like, what the goal of such an attack is, and the steps you can take to minimise the risk of falling victim to one.
What is a social engineering attack?
Social engineering is the use of deception by an attacker to dupe an innocent victim. While the means of the attack might vary, the goal is usually to obtain private information, login access, or valuables.
The attacker may dupe the victim into:
- Installing malware
- Paying money
- Giving up confidential information or credentials
- Providing access to systems or premises.
The most common social engineering scams involve the social engineer pretending to be a legitimate person in need of some type of assistance.
The attacker could impersonate:
- A plumber or repairman. The criminal could dress in a work uniform and attempt to gain entry to a workplace by pretending to have been called there on a job.
- Your CEO or another member of management. The social engineer could send you an email or text message that claims to be from someone with authority, and ask you to hand over information or make a payment.
- A member of IT support staff. An attacker could call into your office and claim to be from your IT support team. They could then ask you for your passwords or for other confidential information.
- Any colleague. A classic social engineering tactic involves simply hanging out in communal areas and getting involved in confidential conversations or following staff members through locked doors into secure areas.
You may be aware of social engineering in other forms, such as telephone scams. Perhaps the biggest difference with online social engineering attacks is the way attackers can fake legitimacy and hide their true intentions. Emails can very often look legitimate, with no obvious signs of malicious intent. If you are already used to receiving emails from your banks, service providers etc., you may just see a logo and subject line and implicitly trust it, missing the small clues that could otherwise tip you off.
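The "small clues" a busy reader skips past are mostly in the message headers rather than the logo or subject line. The following is an added example, not code from the original article or from Sota, that pulls out the clues the sections above describe for a "message from the CEO" pretext: a familiar display name sitting on an outside address, a Reply-To that quietly redirects the conversation, an authentication failure the receiving server has already recorded, and pressure to pay or stay quiet. The internal domain, the staff names and the sample message are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example (not from the original article): the
# organisation's own mail domain and the display names an impersonator
# is likely to borrow.
INTERNAL_DOMAIN = "example.com"
SENIOR_STAFF = {"jane smith"}
URGENT_PAYMENT_PHRASES = ("urgent", "wire", "transfer", "gift card", "keep this confidential")


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no @)."""
    return addr.rpartition("@")[2].lower()


def analyse_message(raw: str) -> list[str]:
    """Return human-readable warnings for the clues a reader is likely to miss."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # Clue 1: a familiar display name on an address outside the company.
    if from_name.strip().lower() in SENIOR_STAFF and from_domain != INTERNAL_DOMAIN:
        warnings.append(f"display name '{from_name}' is internal but the address is @{from_domain}")

    # Clue 2: replies are silently redirected somewhere else.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = _domain(parseaddr(reply_to)[1])
        if reply_domain != from_domain:
            warnings.append(f"Reply-To goes to @{reply_domain}, not @{from_domain}")

    # Clue 3: the receiving mail server already recorded an authentication failure.
    auth = (msg.get("Authentication-Results") or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            warnings.append(f"{check.upper()} check failed according to Authentication-Results")

    # Clue 4: pressure to pay or to keep quiet, the classic 'CEO' pretext.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [p for p in URGENT_PAYMENT_PHRASES if p in text]
    if hits:
        warnings.append("body contains pressure/payment language: " + ", ".join(hits))
    return warnings


# Constructed sample: a 'message from the CEO' of the kind the article describes.
SAMPLE = """\
From: Jane Smith <jane.smith@example-mail.net>
To: accounts@example.com
Reply-To: Jane Smith <ceo.office@freemail.example>
Subject: Quick favour
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-mail.net; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Hi, I'm in a meeting and can't talk. I need an urgent wire transfer to a new supplier today.
Please keep this confidential until I'm back.
"""

if __name__ == "__main__":
    for warning in analyse_message(SAMPLE):
        print("WARNING:", warning)
```

None of these checks proves a message is malicious on its own; their value is that each one is something a recipient can confirm in seconds, and a message that trips several of them is exactly the case where the advice below (call the person back on a number you already trust) applies.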
What methods do social engineering attackers use?
A common strategy of social engineering attackers is to use key pieces of information to make their claims of authority seem more legitimate, and their social engineering attempts more likely to succeed. This methodology is called pretexting, and involves an attacker dropping a piece of information during the scam in the hope of making the victim trust them.
This information could be:
- Names of company staff. Names of employees are easily found on the company website or through social networking sites. An attacker could easily say something like: ‘Dave from finance was supposed to send me some data, but he’s now on holiday and must have forgotten…’
- Names of partners or clients. An attacker could follow company social media for updates about new clients and partners. They could then call in, and say something like: ‘I’m from your new IT support company XXX. Could you help me find the Wi-Fi router password?’
- From other cybersecurity breaches. Attackers could obtain personal information that was stolen by hacking websites you have accounts on, including your email address and various personal details. They could then use this information to contact you and press you for more.
- Any other information. If the attacker finds out what brand the fridge in the office kitchen is, they could come in and pretend to be a repairman; or if they found out the name of the office dog, they could call in pretending to be a veterinarian.
How to avoid social engineering attacks
Avoiding social engineering attacks means having a healthy scepticism of anyone who claims to be something they can’t immediately prove. When anyone asks for any kind of personal information, even if you think they are legitimately entitled to it, consider the following:
- Whenever a new person from your clients’ or partners’ organisations contacts you for the first time, always verify their identity first, or check with someone who has worked with them before.
- If a plumber, repairman, IT support team member or anyone else requests to be let inside the company’s premises, always ask to see their ID first. If they are who they say they are, they will always be carrying ID with them.
- Never share or give your passwords to anyone. A legitimate member of IT staff would never ask for your password.
- Never plug devices into your computer unless you are completely certain of their owner and their contents.
- Challenge people attempting to tailgate, or people walking around the premises without an ID.
- If you’re not certain of who you are speaking to over the phone or over email, call back the person or organisation who you believe you should be speaking to directly.
Sota has been providing cyber-attack solutions for 30 years, protecting individuals and businesses from all manner of cybersecurity threats. To find out more about how to avoid being the victim of a social engineering attack, and to improve your general cybersecurity, get in touch with us today.