By: Brian DeVault
Social engineering is a method that hackers employ to steal information from individuals and businesses that exploits human nature instead of technology. The average social engineering attack costs $130,000, so it is important to understand the techniques these social engineers employ before you become a victim yourself.
What Exactly is Social Engineering?
The main thing to understand about social engineering strategies is that humans are the most vulnerable part of any security system. Reports have shown that 1/3 of all IT infrastructure incidents in businesses are caused by phishing, hacking, and other social engineering attacks.
Up to 90% of companies that have fallen victim to data breaches on public cloud infrastructures say that it was caused by a social engineering attack. So, why is social engineering so effective at stealing information?
Social engineering (also called social hacking) is a huge and ongoing issue in the world of cybersecurity. By scamming people, using confidence tricks, and stealing personal information obtained from other sources, attackers can get a hold of vital and personal information that can then be exploited in myriad ways. They also tend to manipulate the behavior of other people to get the results they want. The truth is that it is much easier to hack a person than a machine.
For example, why go through the hassle of stealing or trying to figure out passwords when you can just call someone and ask for their login information? By manipulating people with great skill, attackers can bypass the basic security features that you believe to be keeping all your sensitive information safe.
Confidence Tricks
A well-known hacker named Kevin Mitnick said that all the information he stole during his attacks was gained solely through social engineering, without ever breaking into any computer systems. In a large business, employees don’t necessarily know all of their co-workers, so receiving a random phone call from “Bill in technical support” doing a “standard maintenance check” could sound very legitimate.
Another common social engineering technique involves asking for help. People love to help one another, and a nice sounding individual on the phone pleading for help with forgotten passwords works way more often than it should. Scammers and hackers can obtain the names, emails and phone numbers of employees of companies using information available to the public and then use that to attack. They can also get information by going through your trash, so it is a great idea to always use a shredder when discarding sensitive information.
Pretexting is another method of attack where an attacker prepares beforehand to gain the victim’s trust, luring the victim into a vulnerable situation in order to obtain private information. The major difference between pretexting and other forms of social engineering is that the hacker creates an often elaborate but false story designed to overwhelm the victim with emotion and cloud their judgement. For example, a co-worker you don’t know may call you on the phone claiming that they are locked out of their email and need to access it immediately to finish a report, or else they will be fired and their family will suffer as a result. To be better prepared for such a scenario, see the article “What is Pretexting? Definitions, Examples and Prevention.”
How to Avoid Social Engineering Attacks
Social hacking is all about exploiting human weaknesses rather than technical vulnerabilities, so education, not technology, is your main weapon. Security awareness training is crucial for all employees in any company or business. No matter your position, everyone should be trained to recognize the signs of a breach and to follow the proper protocol and procedures. Social hackers often combine information gained through social engineering with data from other sources, so ensuring solid cybersecurity processes across the board will make the attacker’s job harder.
Here’s a checklist to help you keep social attackers away:
- Trust no one: Every single person in the organization should be trained to initially suspect every message and access attempt could be illegitimate. This includes training staff to recognize phishing attempts, think or consult before acting on seemingly urgent messages, and strictly follow physical security protocols.
- Check your security posture: Run regular internal and/or external audits to get a picture of your organization’s overall security posture, including cybersecurity, social engineering resilience, and physical security.
- Eliminate vulnerabilities: Keep your systems secure to make it harder for cybercriminals to get useful information from a social engineering attack. If your business uses web applications, use a high-quality web application vulnerability scanner to eliminate vulnerabilities that can lead to information exposure. For a list of such tools, see “Vulnerability Scanning Tools.”
- Keep a low profile: Enforce strong security for user accounts by defining suitable password policies and perhaps also requiring two-factor authentication. Make sure that both personal and business accounts are secured, and avoid revealing internal company information via social media and other public channels.
We hope this was helpful to you and gives you the tools needed for your business to be as safe and secure as possible from social engineering attacks.