Reports such as Verizon's 2022 Data Breach Investigations Report (DBIR) place human beings at the centre of 82% of cyber attacks. Scammers use social engineering techniques to trick people into performing actions that benefit the attacker.
Social engineering is an umbrella term covering many tactics used to manipulate employees and other users. Here are six of the most common types of social engineering and how to prevent hackers from exploiting them in your organisation.
Six Of The Most Common Social Engineering Attacks
1. Phishing and Social Engineering
Spear-phishing, a targeted form of phishing, is implicated in 93% of cyber attacks, according to the 2018 DBIR. The less targeted form of phishing is still the second most common cyber attack tactic, according to Cisco.
Phishing is the perfect medium for hackers to manipulate human beings, so it comes under the umbrella of social engineering. It manifests in several forms. Already mentioned are phishing and spear phishing, but hackers will use any means of communication, including text messages and phone calls (smishing and vishing), to encourage people to click a link to a malicious website, provide personal information, or download an infected attachment.
2. Social Media for Social Engineering
Social media provides a gold mine of information that cybercriminals can use to attack people, apps, networks, and data. Scammers need data to feed cyber attacks, including Business Email Compromise (BEC).
When employees or other individuals share information on social media, fraudsters will be watching. According to a research paper, companies experience the following issues when employees share information on social media:
- sharing too much information
- loss of confidential information
- increased exposure to litigation
The paper concludes that social media provides an open medium for sharing that complicates the challenges of social engineering.
3. Tailgating and Piggybacking
Tailgating is one of the oldest social engineering scams in the book. Tailgating, or piggybacking, is usually seen as a physical scam but can be digital too. In the physical world, tailgating is exemplified by the fraudster who slips into a company's office building unnoticed. Fraudsters know how to look inconspicuous, allowing them to enter a building without authorisation or to "piggyback" on someone who is entering legitimately.
Once inside, they can trick employees into sharing account credentials, such as passwords, or use hacking tools to steal data directly from computers. They may even use the old trick of looking over the shoulder of someone logged into a sensitive area of the network.
4. Pretexting
Scammers often need data to ensure a successful socially engineered scam. As mentioned above, the hacker can gather information to trick a person using social media, phishing, and tailgating. Pretexting uses social engineering to make people believe that the scammer is someone in authority or authorised to be in a particular place: in other words, the fraudster impersonates someone.
For example, they may pretend to be a contractor or a C-level executive. This may seem unlikely, but a confident fraudster can pull it off in a large organisation with multiple offices.
5. Baiting
People love free stuff, and baiting uses this behaviour to trick employees into handing over information such as sensitive data or financial details. For example, the fraudster will pick an employee or send a mass email offering a free product, such as a movie download. If the employee presses the download button, the result is an infected device.
This is an effective way to instal malware. An example of this in action was the pirated version of Game of Thrones, which became the most malware-infected TV show of all time in 2018: in all, 126,340 users were infected with malware when they downloaded the pirated version of the show.
6. Quid Pro Quo
Quid Pro Quo is a Latin phrase ("this for that") describing the exchange of one thing for another. Cybercriminals want data, and a Quid Pro Quo is one way to get at that data.
A typical Quid Pro Quo attack works like this: an employee receives a call from "tech support", who tells them that a ransomware attack is underway and the virus must be removed before it damages the employee's work. To do so, the caller claims, they need the employee's username and password. If the employee falls for the ruse, the hacker gains access to the company network and can use that foothold to escalate privileges into more sensitive areas.
Three Ways to Protect Your Employees from Social Engineering Attacks
1. Put Processes and Policies in Place
Social engineers often rely on poor processes that leave security gaps for them to exploit. In tailgating, for example, the intruder depends on a lack of checks on people entering a building. Social engineers also rely on trust in authority figures to push an employee into acting, such as transferring money in a BEC scam.
Most social engineering scams need data, so the scammers turn to social media or phishing to pick up the information they need to carry out a cyber attack. Robust processes that add checks and balances whenever an action such as a money or data transfer occurs can help prevent a social engineering attack. Policies that ensure employees do not overshare on social media platforms help to avoid this form of data harvesting.
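As an added example (not part of the original article), the following Python sketch encodes the kind of checks and balances described above for a money-transfer request: the beneficiary must be in the vendor master record, changed bank details need out-of-band verification, large amounts need an approver other than the requester, and nobody approves their own transfer. The vendor record, threshold and request fields are constructed sample data and assumed names for illustration, not any real finance system's schema.

```python
"""Dual-control checks for a money-transfer request.

Added example, not from the original article: a minimal approval policy that
turns the "checks and balances" recommendation into code. VENDOR_MASTER, the
threshold and the TransferRequest fields are constructed/assumed for illustration.
"""
from dataclasses import dataclass, field

# Constructed vendor master record: the beneficiary account details already on file.
VENDOR_MASTER = {
    "acme-supplies": {"iban": "GB00EXAMPLE0000000001", "contact": "ap@acme-supplies.example"},
}

# Assumed policy value: amounts above this need a second, independent approver.
DUAL_APPROVAL_THRESHOLD = 10_000


@dataclass
class TransferRequest:
    vendor_id: str
    amount: float
    iban: str
    requested_by: str                    # internal user who entered the request
    approvers: list = field(default_factory=list)
    verified_out_of_band: bool = False   # callback to the number on file confirmed a change


def evaluate_transfer(req: TransferRequest) -> list:
    """Return the policy violations found; an empty list means the transfer may proceed."""
    problems = []
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        problems.append("unknown vendor: transfers only go to vendors in the master record")
    elif vendor["iban"] != req.iban and not req.verified_out_of_band:
        # Changed bank details are the classic BEC lever. Verification must use the
        # contact already on file, never a number or address supplied in the request.
        problems.append("beneficiary account differs from vendor master; out-of-band verification required")
    if req.amount > DUAL_APPROVAL_THRESHOLD:
        independent = [a for a in req.approvers if a != req.requested_by]
        if not independent:
            problems.append("amount above threshold needs an approver other than the requester")
    if req.requested_by in req.approvers:
        problems.append("requester cannot approve their own transfer")
    return problems


if __name__ == "__main__":
    # Constructed "urgent CEO request": new account details, self-approved, large amount.
    suspicious = TransferRequest("acme-supplies", 25_000.0, "GB00EXAMPLE0000000099",
                                 requested_by="alice", approvers=["alice"])
    for p in evaluate_transfer(suspicious):
        print("BLOCKED:", p)
    routine = TransferRequest("acme-supplies", 25_000.0, "GB00EXAMPLE0000000001",
                              requested_by="alice", approvers=["bob"])
    print("routine request problems:", evaluate_transfer(routine))
```

The point of the design is that none of the checks depends on the employee spotting the fraud: even a convincing pretext fails if the process itself demands a second person and a verification step that the attacker cannot influence.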
2. Train Employees in Social Engineering Tactics
Social engineering takes many forms, and the cybercriminals behind these attacks adjust their scams to avoid detection. Security awareness training packages should therefore include training in social engineering tricks, including the six scams described above.
Training must be engaging, using modules that are interesting, fun, and informative.
The security awareness platform should also offer ways to measure the success rate of a training package, so that your organisation can update and adjust the training for the best possible results. Training employees to recognise social engineering attacks should be repeated regularly to keep pace with changing threat patterns.
3. Use Simulated Phishing Programs
Phishing is a core technique that many social engineering attacks rely on. Spotting the tell-tale signs of a phishing email or other phishing message is a vital first line of defence against social engineering attacks.
Phishing simulation software provides templates that can be tailored to reflect current social engineering tricks. These are sent to employees and other business associates as if they were real messages. If a user clicks the link or attempts to download the attachment, the simulated phishing platform intervenes with a lesson on what would have happened had the message been genuine.
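The two points above, measuring a training package's success rate and following up on users who click in a simulation, can be illustrated with a small Python example. This is an added example, not code from the original article or from any phishing simulation vendor: it takes the per-recipient event log such a platform would record, computes click and report rates per department, and ranks users for a follow-up lesson by how far into the lure they went. The event log and the event names ("sent", "clicked", "submitted", "reported") are constructed sample data.

```python
"""Measuring a simulated-phishing campaign and picking follow-up lessons.

Added example, not from the original article or any vendor platform. EVENTS is a
constructed log of (recipient, department, event); the event names are assumptions.
"""
from collections import defaultdict

# Constructed event log. "sent" always comes first for a recipient; later events are
# in time order. "reported" means the user flagged the message to security.
EVENTS = [
    ("alice@corp.example", "finance", "sent"),
    ("alice@corp.example", "finance", "clicked"),
    ("alice@corp.example", "finance", "submitted"),      # entered credentials on the landing page
    ("bob@corp.example", "finance", "sent"),
    ("bob@corp.example", "finance", "reported"),
    ("carol@corp.example", "engineering", "sent"),
    ("carol@corp.example", "engineering", "clicked"),
    ("dave@corp.example", "engineering", "sent"),
    ("erin@corp.example", "engineering", "sent"),
    ("erin@corp.example", "engineering", "clicked"),
    ("erin@corp.example", "engineering", "reported"),    # clicked, then realised and reported
]


def _events_per_user(events):
    """Collapse the log so each user counts at most once per event type."""
    per_user = defaultdict(set)
    dept_of = {}
    for user, dept, ev in events:
        per_user[user].add(ev)
        dept_of[user] = dept
    return per_user, dept_of


def summarise(events):
    """Per-department counts plus click and report rates (fractions of messages sent)."""
    per_user, dept_of = _events_per_user(events)
    stats = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for user, evs in per_user.items():
        for ev in evs:
            stats[dept_of[user]][ev] += 1
    for d in stats.values():
        sent = d["sent"]
        d["click_rate"] = d["clicked"] / sent if sent else 0.0
        d["report_rate"] = d["reported"] / sent if sent else 0.0
    return dict(stats)


def needs_followup(events):
    """Users who clicked or submitted credentials, most severe first, then by name.

    Reporting after a click does not cancel the click: the lesson is still due,
    but a report-after-click is what the training is trying to produce.
    """
    per_user, _ = _events_per_user(events)
    ranked = []
    for user, evs in per_user.items():
        if "submitted" in evs:
            ranked.append((0, user, "credential-entry lesson"))
        elif "clicked" in evs:
            ranked.append((1, user, "link-inspection lesson"))
    return [(user, lesson) for _, user, lesson in sorted(ranked)]


if __name__ == "__main__":
    for dept, d in summarise(EVENTS).items():
        print(f"{dept}: click rate {d['click_rate']:.0%}, report rate {d['report_rate']:.0%}")
    for user, lesson in needs_followup(EVENTS):
        print(f"follow up with {user}: {lesson}")
```

Tracking the report rate alongside the click rate matters: a campaign whose click rate falls while its report rate rises is the measurable sign that the training is working, which is the feedback the article says the platform should provide.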