With the rise of digital communication, the risk of social engineering attacks against organizations is increasing, while the effort and risk for cyber crooks is decreasing.
Social engineering is the art of gaining access to an organization's network, systems, or data by exploiting human psychology. Instead of using technical hacking techniques to reach information, cyber criminals use social engineering to trick users into revealing it.
A social engineer might call an employee pretending to be an IT support person and trick them into divulging their password and other confidential information.
If you think you have all the bells and whistles when it comes to security, you are mistaken. A crafty social engineer can easily weasel around them, and with each passing day attackers devise cleverer ways to fool employees and individuals into giving away valuable company information.
Social engineering targets the human element; therefore, no organization is fully secure. Humans are the weakest link in security, and for an organization that has to rely on its employees, prevention can be tricky.
In this article we explain the important things about social engineering: the techniques hackers use to carry out social engineering attacks, the types of social engineering attacks, and more.
With October being National Cyber Security Awareness Month, and as a company dealing with security tools like Advanced System Protector for Windows, Systweak Anti-Malware for Mac, and Systweak Anti-Malware for Android, we are taking the initiative to educate companies, employees, and end users on how to identify social engineering attempts and prevent these attacks from succeeding.
We will also cover famous social engineering attacks, how to prevent social engineering attacks, and the types of social engineering attacks.
Read on to find out.
What is Social Engineering?
Social engineering is the art of taking advantage of human behavior to pull off a fraud. Contrary to widespread belief, hacking is not only about finding loopholes in software or operating systems. Cyber crooks looking for, and exploiting, weaknesses in human behavior and habits is also a type of hacking, and it can do more damage to an organization's security than anything else.
The best-known example of all is the Greeks using the Trojan Horse to get inside the walls of Troy. Modern-day cyber criminals, aka social engineers, follow the same path: they use human error to bypass technological security measures.
How are Companies at risk?
The end user is the biggest security threat to any organization, and social engineers know it. Therefore, they do extensive research on the organization, its employees, and how it operates, using social networking sites like Facebook, LinkedIn, and others.
Social engineers know people are not cautious about what they share on social sites. This helps them collect as much as they can to craft a convincing phishing mail, or to make a phone call pretending to be a superior, a law enforcement agency, or a colleague, in order to get their hands on passwords and other sensitive information.
How Social Engineering Works?
Social engineering, one of the most common means of cyber-attack, is becoming more popular as crooks target the weakest link in the security chain.
Users are usually targeted in two ways: over the phone or online.
By phone: Cyber criminals pose as an employee, senior management, or a law enforcement official to gain trust, and they ask seemingly innocent questions to build it. Once the victim falls for the trick, they ask for login credentials or passwords, and the request goes unnoticed because the person on the other end trusts the caller.
Phishing: The most popular and common fraud technique used by cyber attackers. Here users share information because they believe they are on a safe and trusted site. The other common way social engineering takes place online is via malicious attachments.
Now that we know what social engineering is and how social engineers trick users into revealing sensitive information, it is time to look at the types of social engineering attacks.
Types of Social Engineering Attacks
Organizations need to educate their employees about the common types of social engineering attacks, which include spear phishing, quid pro quo, baiting, phishing, pretexting, and tailgating.
Companies can certainly adopt measures like firewalls, email filters, and network monitoring tools to handle social engineering attacks. But these do not reduce the risk of human error; therefore, to reduce the incidence of social engineering attacks, employees need to know the common types of social engineering and how to handle them.
Here is a breakdown of common social engineering methods adopted by cyber criminals:
1. Spear phishing – a type of phishing attack that focuses on a specific organization or individual. To make a spear phishing attack succeed and look legitimate, attackers use information collected from the victim's social media accounts or other online activity.
2. Quid pro quo – a quid pro quo attack occurs when attackers request confidential information in exchange for something the victim wants. For instance, if a victim is asked to log into an account or share personal information to receive a gift, this can be a quid pro quo attack. Never forget: if anything sounds too good to be true, something is not right.
3. Baiting – a baiting attack takes place when an individual uses an infected USB flash drive or CD left behind by the attacker. The attacker leaves the infected device somewhere it is easily noticed, so that someone will pick it up and use it. Once such a device is plugged into a computer and the victim opens what is on it, malware is installed and the attacker can take control of the machine.
4. Phishing – a phishing attack takes place when individuals fall for tricks that make them install malware or share personal, financial, or corporate information. It is the most common and popular way of performing a social engineering attack. To make a phishing attack succeed, the fraudster sends fake communication to the victim disguised as legitimate or claiming to be from a trusted source. Attackers often take advantage of a natural calamity and send out mails as charity pleas after such tragedies, exploiting people's goodwill and urging them to donate to a cause while recording their personal or payment information.
5. Pretexting – the attacker creates a fabricated scenario (the pretext) to pressure the victim into giving access to confidential information or protected systems. For instance, a scammer pretending to be a trusted entity within the organization tricks an employee into divulging login credentials or granting access to secret data.
6. Tailgating – a physical social engineering technique that takes place when an unauthorized person follows an authorized individual into a secure location. The aim is to gain access and steal valuable information.
Social engineering is an ongoing and serious threat for organizations and for the employees who fall for the cons. Therefore, the first step to staying secure is to educate employees and make them aware of the sophisticated methods social engineers use to gain access to confidential data.
How to Educate End Users to Prevent Social Engineering Attacks?
The first step to staying secure is to create awareness among employees and make them familiar with the tactics social engineers use to steal data. Apart from this, the following points are worth noting:
1. Train employees repeatedly to build security awareness.
2. Run a comprehensive security training program to keep employees up to date on the latest phishing threats and how they take place.
3. Give the training to both senior and junior staff.
4. Ensure that no one shares confidential data over the phone or by email in response to an unsolicited request.
5. Review existing processes from time to time.
6. An email from the CEO or any official asking for financial information or business secrets should raise a red flag, and staff should not fall for such tricks.
7. Run mock tests to see if employees understand enough about phishing and social engineering attacks.
8. Avoid sharing login credentials or passwords with anyone. If a legitimate person needs access to information, they will be able to get it without asking you to share your credentials.
9. Make sure the URL is genuine and correct before you key in any details like usernames, passwords, or account details.
10. If you receive attachments from an unknown sender, never open or download them.
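The signals listed under "Phishing" above and in points 9 and 10 of this checklist (a sender who is not who the display name says, a reply address that goes elsewhere, a URL that only looks like the real one, an attachment that runs code) can be checked mechanically before a user ever sees the mail. The following script is an added example, not code from the original article or from any Systweak product; it uses only the Python standard library. The trusted-domain list, the small table of look-alike characters, and the sample message are all constructed for the example.

```python
"""Phishing triage for a raw email message.

Added example (not code from the original article or the products it
mentions). It checks the signals the article tells readers to look for:
a display name that borrows a trusted brand, a Reply-To pointing elsewhere,
links whose host only *looks* like a trusted domain, and risky attachments.
The trusted-domain list and the sample message are constructed for the example.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow list; a real deployment loads the organization's own.
TRUSTED_DOMAINS = ("examplecorp.com", "paypal.com")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm")
# A small assumed subset of Cyrillic letters that render like Latin ones
# (U+0430 a, U+0435 e, U+043E o, U+0440 p, U+0441 c, U+0445 x, U+0443 y, U+0456 i),
# plus digits commonly used in place of letters.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"})
DIGITS = str.maketrans("01", "ol")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Crude owner domain: 'mail.example.com' -> 'example.com' (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` impersonates, or None when `host`
    is the trusted domain itself (or a real subdomain of it) or unrelated."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # punycode label -> Unicode form
    except UnicodeError:
        pass                                        # already Unicode, or malformed
    if registrable_domain(host) in trusted:
        return None
    folded = registrable_domain(host.translate(CONFUSABLES).translate(DIGITS))
    for t in trusted:
        if folded == t:                                # p\u0430ypal.com, paypa1.com
            return t
        if t in host and not host.endswith("." + t):  # paypal.com.evil.example
            return t
    return None


def triage(raw):
    """Parse one RFC 5322 message (bytes) and return a list of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    name, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.partition("@")[2]
    sender_domain = registrable_domain(sender_host)
    # 1. Display name borrows a trusted brand while the address is elsewhere.
    for t in TRUSTED_DOMAINS:
        if t.split(".")[0] in name.lower() and sender_domain != t:
            findings.append(f"display name '{name}' but sender domain {sender_domain}")
    # 2. The sender host is itself a look-alike of a trusted domain.
    imitated = lookalike_of(sender_host)
    if imitated:
        findings.append(f"sender domain {sender_host} imitates {imitated}")
    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registrable_domain(reply_to.partition("@")[2]) != sender_domain:
        findings.append(f"reply-to {reply_to} differs from sender")
    for part in msg.walk():
        # 4. Links in the body whose host only looks like a trusted domain.
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "ascii"
            text = part.get_payload(decode=True).decode(charset, "replace")
            for url in URL_RE.findall(text):
                host = urlparse(url).hostname or ""
                imitated = lookalike_of(host)
                if imitated:
                    findings.append(f"link host {host} imitates {imitated}")
        # 5. Attachments with extensions that run code when opened.
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {filename}")
    return findings


# Constructed sample: a "PayPal" notice sent from an unrelated domain, with a
# homograph link (Cyrillic a), a digit-swap link and an executable posing as a PDF.
SAMPLE_EMAIL = """\
From: "PayPal Support" <alerts@secure-paypal.com-login.example>
Reply-To: collect@mailbox-free.example
To: jane@examplecorp.com
Subject: Action required: verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account is limited. Verify within 24 hours at
http://p\u0430ypal.com/verify or http://paypa1.com/verify
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--b1--
""".encode("utf-8")

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the sample it reports six findings. The checks are deliberately heuristic: the two-label "registrable domain" shortcut misclassifies names under suffixes like co.uk, the confusable table covers only a handful of characters, and nothing here validates SPF or DKIM, so treat a clean result as "no obvious red flags", not as proof the mail is genuine.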
If you still think social engineering attacks are easy to detect and handle, the well-known attacks listed below may be an eye-opener.
Popular Social Engineering Attacks
2016: Democratic National Committee emails: attackers crafted spear phishing emails that appeared legitimate, resulting in the theft of 150,000 emails from twelve staffers of the Clinton campaign.
2016: United States Department of Justice: tricked by a hacker who posed as a new employee in need of help and was given an access code, leading to the leak of data on 20,000 FBI and 9,000 DHS employees.
2015: Ubiquiti Networks BEC attack: cost the company approximately $46.7 million. Business email compromise is a special type of spear phishing in which the attacker poses as a senior official and targets an employee with the power to perform certain functions, like transferring money or accessing HR records. The email asked the employee to make a wire transfer to an account described as a partner's, which was in reality under the attacker's control, so the organization bore the financial loss because an innocent employee fell for the trick.
2014: Sony Pictures Hack
2014: Yahoo Hack: the 2014 Yahoo hack was significant, endangering up to 500 million users. The spear phishing attack targeted "semi-privileged" Yahoo employees.
2013: Associated Press Twitter
2013: Bit9 Certificate Theft
2013: Target Point of Sale
2013: United States Department of Labor Watering Hole
2011: RSA SecurID
Reading about these poor security decisions may be uncomfortable for some, but the truth is that no one is immune to social engineering attacks; even the savviest person can fall victim. Therefore, it is important to take online security seriously and keep a skeptical eye on every online request.