What is Social Engineering?
Social engineering is another technique used by hackers to gain personal data from individuals through unauthorised access. This happens by hackers either contacting you directly and conning you into handing over your details, or through getting you to open a link/attachment that installs malware onto your device. If you have ever received an email asking for personal information or telling you that your account is at risk unless you provide login details, or attempted to open something that caused you see a security flag from your anti-virus software, then you have encountered social engineering.
The Strains of Social Engineering:
There are different techniques of social engineering used by hackers depending on their own personal knowledge and skills. It doesn't tend to be the most challenging form of cybercrime, but it is for this exact reason that is the fast-growing type of crime hackers are committing. The accessibility of the resources mean that the attacks can potentially result in big prizes with limited effort needed to get them.
Working in disguise, baiting is when malware is hidden, and you don't know it's there until you have installed it onto your device. It can be physical, in the form of an infected USB stick lying around that once plugged in exposes the device to malware. Most commonly though, it comes electronically. This comes when you are sent a link that, despite appearing to be harmless, creates an entry point for malware as soon as you click on it, highlighting how fast you can have problems through the most unexpected areas.
Falling victim to phishing is when you are targeted through a fraudulent message by a hacker pretending to be a legitimate source. Their aim is to either get you to hand over personal information directly or providing you with a malicious link to spread malware, in both cases though, phishing is the most personal type of attack.
Hackers are getting better at it too, through using professional marketing techniques, they are able to create an incredibly legitimate looking email, causing recipients to do as it says because they don't question the source at all. It is because of this growing sophistication in the preparation of phishing, that hackers are achieving success 50% of the time. Stressing how too many people are falling victim to hackers through an avoidable case of human error.
Attackers pose as legitimate sources such as well-known high-street names in order to gain the trust of the recipient. This could be sent to a group of people, for example a group of customers that use a certain bank or sent to one specific person that is targeted through a highly tailored message, this is known as spear phishing.
This technique became much more mainstream topic when Barclays produced a number of adverts on the dangers of cybercrime in 2017, one of which was a perfect example of pretexting. This is when someone lies to gain privileged information over the phone. This specific example showed a profession dressed "bank worker" asking for the security PIN of a customer over the phone, by handing this over, the hackers gain access to you accounts and from there they have the power to cause significant financial damage. It doesn't take many pieces of information for criminals to be able to access your accounts and take everything.
Presenting itself as a 'knight in shining armour' is how scareware infects your device with a virus. An example of this could be a pop-up advertised as a 'fix' against a supposed viral threat to your device. By agreeing to this fix, malware is installed. The technique scares you into thinking you're in trouble and causes you to make a panicked decision, and as a result you actively download the virus instead, rather than avoiding it.
Social Engineering Trends
The development of the internet means that as we become more and more dependent on it, the number of vulnerabilities increase too. This has caused a species of hackers to grow in skills and sophistication to keep finding new ways to catch people out.
Not matter the size of the company, hackers will try and make a profit from it. This is displayed by, ironically, the security company, RSA. The attack started with two phishing emails being sent out to a number of employees titled 'Recruitment Plan' and included an excel spreadsheet attachment supposedly containing further information on the plans. What it really contained was a malicious form of malware that was then let lose into the systems, compromising all of the company's network and data. The result was a $66 million (£49m) loss, alongside a dangerous knock to their reputation.
This case points out how quickly a danger can spread through a company due to human error from employees. By failing to educate and train them on the threats of cybercrime, you are creating nothing but a weak line of defence, and consequently leaving your organisation at risk.
Steps to Protect Yourself from Social Engineering
Cyber security training means that the level of understanding within a business is increased and results in a consistent workforce in their attitudes around the topic. At the end of the day, employees are the ones that are on the lookout for suspicious activity, so training in email/social media/password/anti-virus software use can allow them to be prepared in detecting and responding to problems effectively. Social engineering is the human interaction and tailoring that comes with cyber attacks, so dealing with that effectively requires a prepared workforce. At the end of the day, the software can only benefit an organisation when it is in the hands of people with the right skills.
As a support to human training, the use of email gateways add further security by controlling and monitoring what gets in and out of your networks. This can prevent the majority of harmful messages from even getting close to the inbox, and as a result the organisation can remain in a protected bubble, keeping out the hackers to avoid financial and reputational ruin.
Nothing you download can give you 100% protection guarantee but teaming it with strong levels of human competency through training means that the chance of hackers getting in is reduced significantly.