Posted on Jan 1, 2020
Social Engineering, unlike common hacking methods such as brute-forcing, cross-site scripting, or keylogging, instead uses a variety of psychological, informational, and behavioral techniques in order to access an organization’s information by exploiting a company’s weakest link - its employees. It’s also the underlying technique used to implement some of the most common methods of attack such as phishing and ransomware. The method of attack is one of the reasons why it is essential that organizations have programs in place that allow them to continuously monitor their cybersecurity posture.
Verizon’s 2020 Data Breach Investigations Report ranked Social Engineering attacks as the 2nd highest cause of data breaches. These attacks have been rising over the years due to the relative ease of execution and lack of technical knowledge needed.
To learn more about Social Engineering and which industries are most susceptible to Social Engineering attacks, check out the infographic below where we analyzed the Social Engineering scores of over 100,000 organizations.
The practice of impersonating or fabricating an identity in order to obtain sensitive information from a target. Pretexting works by building a false sense of trust with a target so that they can gain access to company information down the road. Cybercriminals tend to impersonate HR officials so it is very important to always verify the identity of the person you are speaking with before disclosing information.
Tailgating is the physical act of a malicious actor following a person with access or credentials into a private location in order to obtain private information. Tailgaters may be dressed like a delivery driver or employee in order to bypass suspicion when entering a building. Another example of tailgating is when someone strikes up a conversation with an employee in order to follow them into their place of work. If this happens to you, be sure to check their credentials to ensure they are allowed to be there.
Includes offering an incentive such as prizes in exchange for sensitive information. A common example of a quid pro quo attack is when an adversary contacts an employee offering free IT support in exchange for login credentials.
Includes leaving or gifting (fabricating a scenario such as a contest) a physical device such as a USB flash drive, a digital music player, or other device infected with malware, delivering a malicious payload when the target plugs in the device. Cybercriminals have been known to leave CDs in public areas in hopes that employees find and launch them out of curiosity.
Website or communications that mimic the appearance of official companies or personnel to steal credentials and sensitive information from an organization’s employees. Phishing attacks are carried out in a variety of ways such as through email, call, or even on a website. Given that identical messages are sent out in most phishing attacks, you can verify their legitimacy by asking co-workers if they received the same message. If the message came from an unknown source and was sent to your entire company, it is likely a phishing campaign.
Some common signs of Social Engineering attacks to look out for include:
Check the URL in the web address bar. Sometimes the brand is misspelled, has extra characters after ‘.com’, or has a different country extension (.ru instead of .com). This can be a sign of an illegitimate site.
Non-English speaking hackers may be using translation services to create copy designed to steal your credentials. While mistakes can sometimes occur in legitimate websites due to oversight, consistently bad grammar or incorrect spelling combined with a suspicious URL is a dead giveaway of a phishing site.
Hackers sometimes alter a brand’s copy or messaging in order to obtain the required information from you. Look for subtle changes or odd requests in the site’s copy along with suspicious URLs.
As Social Engineers look to manipulate human behavior, it is important that you stay alert for any suspicious documents or out-of-character emails from company officials. Following these tips can help you ensure that you stay vigilant to Social Engineering attacks.
Organizations must remain alert to Social Engineering attacks at all times in order to maintain secure business operations. A key component of this is having visibility into your internal and third-party network environments. With SecurityScorecard’s Security Ratings organizations can continuously track their cyber health and prevent attacks before they can be carried out. The threat intelligence capabilities of Security Data supply you with up-to-date information on the latest attack vectors so that you are always one step ahead of cybercriminals.
With Atlas, organizations can easily monitor and manage third-party risk across their entire vendor ecosystem. Atlas empowers organizations to send, complete, and auto-validate questionnaires at scale so they can better understand their vendors’ IT risk. With the visibility gained, organizations can actively mitigate Social Engineering risk and improve their vendors’ security posture.
As more businesses begin to operate remotely, being able to defend against Social Engineering threats is a necessity. With SecurityScorecard, you can proactively manage and remediate Social Engineering risk.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 9 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.