Social engineering is an attack technique aimed at deceiving employees or individuals into handing over information or access that the attacker can exploit, most often for financial gain. Social engineering attacks are launched mostly via email, social media, and over the phone.
Social media is an especially productive source of personal information for social engineers. Publishing too much online is a significant risk that makes it easier to fall for a cybercriminal's scam. For example, if an employee of an organization shares a photo that shows customer information in the background, a capable attacker can use those details to craft an email or phone call so specific to the target that the target believes it comes from a legitimate source. With the information gathered from social media, a cybercriminal can also impersonate an employee convincingly, and once the attacker obtains the employee's password or gets malware onto the employee's system, he or she can search it for sensitive data. Some social media networks make it easy for social engineers to map out a company and the employees who work there.
Social engineers will use whatever means are available to break into a company's network and access or steal information. The common attack types are described below:
Common Attack Types Used by Social Engineers
Phishing and Spear Phishing
Phishing is the most common form of social engineering. It is a convincing, well-written email sent by a social engineer that either carries an attachment which runs malicious code when opened, or links to a malicious site that asks you to enter your login credentials.
Spear phishing is a form of phishing targeted at specific people in the organization who hold the sensitive information or access the attacker needs.
Vishing
A form of phishing conducted over the phone, where the attacker talks the user into disclosing sensitive information about the organization.
Baiting
Attackers exploit users' curiosity and greed with an enticing lure: a free download that asks for private information, or a malware-infected storage device left where a target will find it. For example, an attacker might drop a USB drive that appears to contain a list of staff to be promoted; once a user picks it up and plugs it into a system, the malware runs and gives the attacker access to that system.
Pretexting
Attackers invent a plausible story and impersonate someone in authority or a co-worker to extract sensitive information from the victim. They may pose as bankers, tax authorities, and so on.
Quid Pro Quo
The attackers call individuals at random, claim to be from IT support, and offer technical assistance. When they find a user who does have a technical problem, they help resolve it and, in the process, obtain the credentials or remote access that gives them control of the victim's computer.
Tailgating/Piggybacking
This is when an unauthorized person gains access to a restricted corporate area by exploiting the courtesy of authorized users. The attacker may follow an employee through a secure door with an excuse such as "I forgot my keycard", or borrow an employee's laptop and install malicious software on it.
How to Minimize the Risks of Social Engineering?
The following are some key ways to reduce
the risk of information being obtained by social engineers:
Effective Training
Employees should receive proper training on
how to identify and understand various tactics used by attackers. This training
should guide an employee on how to adopt caution for:
- Emails with many grammar and spelling errors, incorrect URLs, or misleading links whose visible text differs from the destination shown when the link is hovered over.
- Emails and phone calls from unknown sources.
- Physical access to one's computer by a third party.
- Divulging personal information on unsecured websites, in unsolicited email, or over the phone.
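The "misleading link" warning sign above is the one item in this list that can be checked mechanically, and it is worth showing trainees what the check actually looks for. The script below is an added example, not part of the original article or any Wilson Consulting Group tooling: it parses an HTML email body, pulls out every link, and flags a link when its visible text names one host but the href points at another, when the host is a digit-for-letter lookalike of a trusted domain, or when the host is simply not on the trusted list. The email body, the trusted domain list, and every domain in it (example-bank.com and its lookalikes) are constructed for this example.

```python
"""Flag deceptive links in an HTML email body (added example, not from the article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body. The domains are placeholders for this example.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended. Please verify at
<a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/verify</a>
or contact <a href="https://www.example-bank.com/help">support</a>.</p>
<p><a href="https://secure.examp1e-bank.com/">Update your password</a></p>
<p><a href="https://tracking.example.net/u">Unsubscribe</a></p>
"""

# Domains the organization actually uses (assumed for this example).
TRUSTED_DOMAINS = ["example-bank.com"]

# Matches visible link text that looks like a URL or bare hostname and captures the host.
URL_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

# Digit-for-letter substitutions attackers use to build lookalike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Hostname of the real destination, lower-cased ('' for mailto:, javascript:, etc.)."""
    return (urlparse(url).hostname or "").lower()


def displayed_host(text):
    """Host the link *claims* to go to, if its visible text looks like a URL."""
    match = URL_TEXT.match(text.strip())
    return match.group(1).lower() if match else None


def is_trusted(host, trusted_domains):
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def lookalike_of(host, trusted_domains):
    """Return the trusted domain this host imitates via digit substitution, or None."""
    normalized = host.translate(HOMOGLYPHS)
    if normalized == host:
        return None
    for d in trusted_domains:
        if normalized == d or normalized.endswith("." + d):
            return d
    return None


def flag_deceptive_links(html, trusted_domains):
    """Return (href, visible text, reason) for every link a reader should distrust."""
    findings = []
    for href, text in extract_links(html):
        host = host_of(href)
        shown = displayed_host(text)
        if shown and shown != host:
            findings.append((href, text, f"visible URL {shown} differs from actual host {host}"))
            continue
        if is_trusted(host, trusted_domains):
            continue
        imitated = lookalike_of(host, trusted_domains)
        if imitated:
            findings.append((href, text, f"host {host} is a lookalike of trusted domain {imitated}"))
        else:
            findings.append((href, text, f"host {host} is not a trusted domain"))
    return findings


if __name__ == "__main__":
    for href, text, reason in flag_deceptive_links(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS):
        print(f"[{text!r} -> {href}] {reason}")
```

Run against the constructed sample, three of the four links are flagged: the first because the text shows www.example-bank.com while the href goes to examp1e-bank.com, the third because examp1e-bank.com is a digit-for-letter imitation of the trusted domain, and the fourth because example.net is simply not trusted. The "support" link passes because it really does point at the trusted domain. The same mismatch check is what a mail client's hover preview lets a trained user do by eye.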
Training should be held quarterly, at a minimum, to keep employees abreast of the latest attack techniques. All employees with access to personally identifiable information must be included in this training.
Appropriate Company Policy
At a minimum, the following policies should be in place to reduce the opportunities available to cybercriminals:
- A Security Policy that provides guidance to employees on the appropriate use of social media.
- Acceptable Use Policy
- Password Management Policy
- Encryption Policy
- Backup Policy
- Access Control Policy
Third-Party Solutions
Research and implement the third-party solutions best suited to reducing the exposure of the company's information to cybercriminals. Some options are:
- Secure email gateways that block malicious emails before they reach users' mailboxes.
- A managed service provider that manages and monitors the company's network continuously.
- An insider threat management solution that records user activity in real time and supports investigation when an incident occurs.
- An endpoint protection solution that also blocks ransomware and spyware.
At Wilson Consulting Group, we recognize that security is a top priority for businesses and government agencies. We offer staff training on the appropriate use of information assets and access control, and effective solutions that help protect a company's assets from exploitation by Social Engineers.
Wilson Consulting Group is an innovative global cybersecurity consulting firm. We offer Information and Cyber Security Training, Cyber Intelligence, Cyber Security Assessment, Penetration Testing, and Vulnerability Assessment Services to evaluate any threats that your organization may face and provide solutions to combat them.