And like that, we are halfway through Cybersecurity Awareness Month.
The Wild, Wild Net is occupied by more than just phishing and ransomware threats. It is also home to the social engineer — the master of lies and disguise.
He may seem like your friend, but don’t let his smile fool you.
Social engineering is dangerous for business. It’s one of the fastest-growing cyber threats out there.
On July 15, 2020, Twitter suffered a major social engineering attack that affected over 100 high-profile accounts, including those of Joe Biden, Barack Obama, Elon Musk, Bill Gates, and Jeff Bezos. Twitter has suggested this was a social engineering attack that targeted Twitter employees.
If Twitter can’t keep social engineering attacks at bay, how do you think your small business will fare?
In today’s post, we’re going to take a closer look at social engineering. We’re going to reveal 5 different types of social engineering attacks. Then we’ll teach you how to avoid falling victim to one.
Let’s jump in.
What is Social Engineering?
Social Engineering is the art of manipulating people into sharing confidential information. Unlike other cyber threats, social engineering uses human psychology.
Most social engineering attacks rely on actual communication between attackers and victims.
And before attempting an attack, social engineers collect information on their targets. Using that research, they then tailor their communication to that individual.
Unlike other hackers, social engineers don’t need to know code to be successful. Instead, they just need trust.
By gaining the victim’s trust, the attacker can motivate the victim into compromising themselves.
With a good personality, a social engineer can talk themselves into any network, or even office.
Why Social Engineering Works
To say that social engineering only works on stupid and gullible people would be a mistake. Social engineers are cunning individuals. And if they use the right techniques, they can easily take down some of the smartest people in the world.
To be successful, a social engineer needs to do two things.
First, a social engineer needs to gain the victim’s trust, which isn’t too difficult. We, as humans, want to believe that people are good.
You’re an unsuspecting end-user. And today, you receive a phone call from someone claiming to be from your company’s IT department. The caller happens to be a social engineer, but you don’t know any better. That’s because the caller seems legitimate.
You probably won’t think twice about giving that person your information. That’s because the social engineer did their homework. They were able to say the right things to get you to trust them.
And that’s how social engineering works.
Secondly, for a social engineer to be successful, they need to create the right situation. Typically, a social engineering attack seems like nothing out of the ordinary. It doesn’t raise any red flags.
Going back to our previous example, a social engineer might start by asking who called about a computer problem. There’s a high chance that someone in your office recently put in an IT ticket.
IT tickets are normal. And so, the social engineer gets transferred to an unknown victim. From there, the social engineer can start asking for information, like passwords. And that victim will most likely give the password to them because they think they’re talking to their IT department.
This example is, of course, oversimplifying social engineering. But you get the gist that these attacks are really hard to pin down.
Social Engineering and Small Business
Small businesses are often surprised to hear that they are one of the social engineer’s favorite victims. Many SMBs think they’re too small to attract cybercriminals. And that’s precisely the point.
Hackers love to go after SMBs because small companies often have fewer security resources available. And the constraints on SMBs’ security resources aren’t limited to finances. Most small businesses lack the manpower to tackle security challenges.
Most SMBs rely on managed IT providers to protect their data. But this strategy doesn’t always work well. Often these providers are IT generalists with limited security training.
As a result, SMBs often lack the protection to prevent a social engineering attack.
But that changes today.
If we take the time to learn more about these cybercriminals in the Wild, Wild Net, the better off everyone will be. So, let’s get into it.
Types of Social Engineering
Phishing
This type should be no surprise to you. Phishing is the most common social engineering technique. It is a hacking technique where a cybercriminal attempts to steal information by posing as a trusted source.
In most cases, phishing appears as an email. And unfortunately, phishing emails are more sophisticated today than ever before. They now look like sites and brands you use every day, like Amazon, PayPal, and UPS.
For more examples of phishing, please check out our first blog of the Wild, Wild Net series. This blog covers everything you need to know about phishing attacks.
Spear Phishing
Spear phishing is like phishing, but far more targeted. Spear phishing is a hyper-targeted attack, whereas generic phishing is emailed to hundreds or even thousands of people.
And because of its tailoring, spear phishing has a higher success rate than a generic phishing attack.
Typically, a spear phisher will research the target beforehand. They’ll find the information online, often through social media.
From there, the attacker will customize their communication to the victim. They may talk about a family member or a recent business trip to gain their victim’s trust. Because the attacker says the “right things”, the victim doesn’t question the sender.
Vishing
With vishing, the social engineer uses phone calls to trick recipients. Remember the IT support desk example at the top? That is a prime example of vishing.
Pretexting
Pretexting is a social engineering tactic where the attackers fabricate a story. They use this story to build a personal connection with the target. And once they gain the target’s trust, the social engineer will steal their personal information or money.
Pretexting often preys on the elderly, who might not be tech-savvy enough to spot a potential scam.
Tailgating
Our final type is one that is quite scary. Tailgating is when a social engineer gains entry into a secure building through someone else’s access.
How often do you hold the door for someone behind you? Now, what if that door is an office building door? And you let them in without them scanning a badge? That’s tailgating.
And a social engineer knows that most people will hold the door for someone close behind. And once they are inside, the social engineer can unleash a lot of damage. For example, they could go to an empty desk and start installing malware.
How to Prevent Social Engineering
When it comes to social engineering attacks, there is one common thread – people. So, the best way to reduce the success rate of these attacks is through education. The more awareness we have, the better off we’ll be.
Here are some simple tips on how to prevent falling victim to a social engineering attack:
1. Security Awareness Training
If you’re in a leadership position, you NEED to get everyone enrolled in regular security awareness training.
More often than not, a healthy cybersecurity posture is based on human behavior. And because social engineering is all about manipulating behavior, you must stay vigilant.
To stay safe, your entire workforce needs to understand and recognize the various tricks social engineers use.
2. Be suspicious
Be suspicious of unsolicited phone calls, visits, or email messages from individuals. If the unknown individual claims to be from a legitimate organization, try to verify their identity. You can do this by looking them up on LinkedIn or through the company’s directory.
3. Verify before you click
Never click on embedded links in emails from unknown senders. If necessary, use a search engine to find the suggested website, or manually enter the website URL yourself.
Likewise, never download an email attachment from unknown senders. Instead, you should verify who that unknown sender is.
4. Check a Website’s Security
Don’t send sensitive information over the Internet before checking a website’s security. Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with “https” (a sign that the connection is encrypted) rather than “http.”
A padlock icon in the URL bar is likewise a sign that your information will be encrypted in transit. That’s a good thing. Keep in mind, though, that encryption only protects the data on its way to the site; a convincing fake site can use “https” too, so also check that the domain name is the one you expect.
5. Lock your computer
Leaving a computer running unattended is a bad habit. We recommend that you lock it when you leave your desk for a meeting or lunch.
Unlike logging out, a locked computer doesn’t shut down everything.
Once locked, no one can access it unless they have the computer’s login information. But, at the end of the day, you must log completely off your computer.
Social engineers are not a friend of small business. To survive the Wild, Wild Net, every employee needs cybersecurity awareness training.
Proper training should teach employees about phishing emails, passwords, and security policies.
If you’re unsure about how to educate your employees, you can look to us for guidance. Our managed security service team, NetGarde, can help train your employees in security best practices.
Our training programs include educational, easily digestible content and video modules. On top of that, we also offer phishing simulation programs. Our simulated phishing attacks will help your employees learn to spot a real one in the Wild, Wild Net.
To learn more, don’t hesitate to give us a call. You can reach us at 410-751-7111. Or by emailing us at firstname.lastname@example.org.