In the context of information security, social engineering is the art of manipulating people, so they share confidential information. Social engineering attacks are often successful because the victims do not recognize them as a security threat.
Social engineers are just like other types of attackers in that they use whatever method is most effective for achieving their goal. For example, some attackers might use computer hacking to gain access to a building, installing key-logging software on company computers. Another method might be to encourage staff to install malware by clicking on a web link in an email. Anyone can carry out social engineering attacks, including cybercriminals, skilled hackers, or penetration testers.
Examples of Social Engineering Attacks
Tailgating and Piggybacking
Some social engineering attacks may involve gaining entry to buildings at night when no one is around or during office hours by tricking staff into thinking they are customers or suppliers (using fake credentials). The purpose might be to install a key-logging device on the company computers or steal passwords.
Phishing
Another method of social engineering is called phishing, where attackers send emails or text messages that appear to come from legitimate sources (such as financial institutions), asking for personal details such as bank account numbers and online credentials. For example, an attacker might pretend to be from the bank to get customers to share their online banking username and password.
Vishing and Smishing
Yet another method of social engineering is called fishing) (voice phishing or smashing (SMS phishing) where attackers call people on the telephone or send them text messages. The purpose might be to get customers to hand over their credit card details or confirm their bank account number.
Pretexting
Pretexting is a social engineering attack where criminals make up a plausible reason to ask someone for information. For example, an attacker might pretend to be from the IT department asking staff for their password because it has been compromised. Another example is posing as law enforcement, saying there’s been fraud on the account, and asking for bank details.
Baiting
Another way to steal data is by baiting, where attackers leave USB sticks containing malware lying around. If staff members pick up and insert the USB stick into a computer, their device will become infected and start passing on information.
Scareware
Yet another type of social engineering attack is called scareware, where cybercriminals phone people and say there’s a problem with their computer and offer to fix it for them. For example, they might pretend to be from the IT department or say they’re calling on behalf of Microsoft. If they manage to convince the person on the other end of the phone to download malware, this will compromise their computer.
How to Protect Against Social Engineering
To protect against social engineering attacks, individuals must be able to recognize these attacks and follow security procedures appropriately. A good way for companies to reduce risk is by implementing a training program so staff knows how they should react if such an attack takes place. Security awareness training is also recommended so that staff can recognize suspicious emails, phone calls, and text messages.
Of course, the best way to protect against social engineering attacks is for companies to hire penetration testers or ethical hackers who assess their security posture by trying to break into systems and devices at will.
Final Thoughts
Social Engineering is the art of manipulating people, so they share confidential information. Social engineering attacks can come in many forms, such as phishing, pretexting, baiting, and scareware. To protect against social engineering attacks staff must be able to recognize these attacks and follow security procedures appropriately. The best way for companies to reduce risk is by implementing a training program so staff knows how they should react if such an attack occurs.