Social engineering is an attack technique aimed primarily at tricking employees or individuals into handing over useful information, usually for the attacker's financial gain. Social engineering attacks are launched mostly via email, social media, and over the phone.
Social media is an especially productive source of personal information for social engineers. Disclosing too much information online makes it far easier to fall for a cybercriminal's scam. For example, if an employee shares a photo online that shows customer information in the background, a skilled attacker can use those details to craft a well-structured email or phone call tailored to that user, so that he or she believes the message comes from a legitimate source. A cybercriminal can also impersonate an employee using information gathered from social media, and once the attacker gains access to the employee's system or password (for instance through malware), he or she can snoop around for sensitive data. Some social media networks make it easy for social engineers to gather information about a company and the employees who work there.
Social engineers will use whatever means possible to break into a company's network to access and steal information. The common attack types are described below:
Phishing and Spear Phishing
Phishing is the most common form of social engineering. The attacker sends a convincingly written email that either carries an attachment containing malicious code, which runs when the attachment is opened, or links to a malicious site that asks you to enter your login credentials.
Spear phishing is a form of phishing targeted at specific people in the organization who hold the sensitive information the attacker is after.
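As an added illustration from the defender's side (this is example code, not part of the original article and not a Wilson Consulting Group tool), the script below applies three checks that an email gateway or a hands-on awareness exercise would make on the kind of phishing mail described above: a sender domain that imitates the organisation's own, a link whose visible text names one host while its real destination is another, and an attachment with a code-bearing extension. The two messages, the organisation domain `example-corp.com`, and the list of risky extensions are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the original article): a fake "IT support" mail
# from a lookalike domain, a link whose visible text differs from its real
# destination, and an executable attachment.
PHISHING_EMAIL = """\
From: "Example Corp IT Support" <alerts@mail-example-corp.net>
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="http://login.example-corp.com.evil-host.net/reset">https://login.example-corp.com/reset</a> now.</p></body></html>
--XYZ
Content-Type: application/octet-stream; name="Reset_Tool.exe"
Content-Disposition: attachment; filename="Reset_Tool.exe"

(binary payload omitted in this constructed sample)
--XYZ--
"""

# Constructed benign mail for comparison: genuine domain, plain link, no attachment.
CLEAN_EMAIL = """\
From: "Example Corp HR" <hr@example-corp.com>
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://intranet.example-corp.com/holidays">the intranet</a>.</p></body></html>
"""

# Extensions that run code or carry macros (an assumed, deliberately short list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None

def host_of(url):
    # Hostname of a URL or bare domain, lower-cased; '' if there is none.
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def is_lookalike(host, org_domain):
    # Mentions the organisation's name without actually being under its domain.
    under_org = host == org_domain or host.endswith("." + org_domain)
    return org_domain.split(".")[0] in host and not under_org

def analyze_email(raw, org_domain):
    """Return human-readable findings for one raw RFC 822 message ([] = no red flags)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Sender address on a domain that imitates the organisation's own
    _, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rpartition("@")[2].lower()
    if is_lookalike(sender_host, org_domain):
        findings.append(f"lookalike sender domain: {sender_host}")
    # 2. Links whose visible text names one host while the href goes elsewhere
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = host_of(href)
            text_host = host_of(text) if "." in text and " " not in text else ""
            if text_host and text_host != href_host:
                findings.append(f"link shows {text_host} but goes to {href_host}")
            elif is_lookalike(href_host, org_domain):
                findings.append(f"lookalike link host: {href_host}")
    # 3. Attachments with code-bearing extensions
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if "." in name and "." + name.rpartition(".")[2] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")
    return findings

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyze_email(raw, "example-corp.com") or ["no findings"])
```

Run stand-alone, the script reports three findings for the constructed phishing mail and none for the benign one. Each check is a heuristic, not proof: a lookalike domain can be legitimate and a genuine mail can carry a `.docm`, so in practice such findings feed a quarantine or warning banner that a trained employee can evaluate, which is exactly why the training described later on this page matters.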
Vishing (Voice Phishing)
A form of phishing in which the attacker tricks the user over the phone into revealing sensitive information about the organization.
Baiting
Attackers exploit users' curiosity and eagerness by leaving a malware-infected external storage device where it will be found, in exchange for the private information it yields. For example, an attacker might drop a USB device labelled as containing details of staff due for promotion; once a user picks it up and plugs it into a system, the attacker gains access to that system.
Pretexting
Attackers impersonate someone in authority or a co-worker to obtain sensitive information from the victim. They may pretend to be bankers, tax authorities, and so on.
Quid Pro Quo
The attackers call random individuals, claim to be from IT support, and offer technical assistance. Once they find a user facing a technical issue, they help resolve it and, in return, gain access to the victim's computer.
Tailgating
Tailgating is when an unauthorized person gains access to a restricted corporate area using a range of tactics. The attacker may trick unsuspecting authorized users with excuses such as "I forgot my keycard," or may borrow an employee's laptop and install malicious software on it.
The following are some key ways to reduce the risk of information being obtained by social engineers:
Employee Training
Employees should receive proper training on how to identify and understand the various tactics used by attackers. This training should guide an employee on how to exercise caution for:
Training should be held quarterly, at a minimum, to keep employees abreast of the latest attack techniques. All employees with access to personally identifiable information must be included in this training.
Appropriate Company Policy
At a minimum, the following policies should be in place to minimize the intrusion of cybercriminals:
Third-Party Solutions
Research and implement the most viable third-party solution to minimize the risk of exposing the company's information to cybercriminals. Some solutions are as follows:
At Wilson Consulting Group, we recognize that security is a top priority for businesses and government agencies. We offer staff training on the appropriate use of information assets and access control, along with effective solutions that help protect a company's assets from exploitation by social engineers.
Wilson Consulting Group is an innovative global cybersecurity consulting firm. We offer Information and Cyber Security Training, Cyber Intelligence, Cyber Security Assessment, Penetration Testing, and Vulnerability Assessment Services to evaluate any threats that your organization may face and provide solutions to combat them.