Social Engineering, unlike common hacking methods such as brute-forcing, cross-site scripting, or keylogging, instead uses a variety of psychological, informational, and behavioral techniques in order to access an organization’s information by exploiting a company’s weakest link – its employees. It’s also the underlying technique used to implement some of the most common methods of attack such as phishing and ransomware. The method of attack is one of the reasons why it is essential that organizations have programs in place that allow them to continuously monitor their cybersecurity posture.
Verizon’s 2020 Data Breach Investigations Report ranked Social Engineering attacks as the 2nd highest cause of data breaches. These attacks have been rising over the years due to the relative ease of execution and lack of technical knowledge needed.
To learn more about Social Engineering and which industries are most susceptible to Social Engineering attacks, check out the infographic below where we analyzed the Social Engineering scores of over 100,000 organizations.
The five most common Social Engineering attacks
1. Pretexting
The practice of impersonating or fabricating an identity in order to obtain sensitive information from a target. Pretexting works by building a false sense of trust with a target so that they can gain access to company information down the road. Cybercriminals tend to impersonate HR officials so it is very important to always verify the identity of the person you are speaking with before disclosing information.
2. Tailgating
Tailgating is the physical act of a malicious actor following a person with access or credentials into a private location in order to obtain private information. Tailgaters may be dressed like a delivery driver or employee in order to bypass suspicion when entering a building. Another example of tailgating is when someone strikes up a conversation with an employee in order to follow them into their place of work. If this happens to you, be sure to check their credentials to ensure they are allowed to be there.
3. Quid pro quo
Includes offering an incentive such as prizes in exchange for sensitive information. A common example of a quid pro quo attack is when an adversary contacts an employee offering free IT support in exchange for login credentials.
4. Baiting
Includes leaving or gifting (fabricating a scenario such as a contest) a physical device such as a USB flash drive, a digital music player, or other device infected with malware, delivering a malicious payload when the target plugs in the device. Cybercriminals have been known to leave CDs in public areas in hopes that employees find and launch them out of curiosity.
5. Phishing
Website or communications that mimic the appearance of official companies or personnel to steal credentials and sensitive information from an organization’s employees. Phishing attacks are carried out in a variety of ways such as through email, call, or even on a website. Given that identical messages are sent out in most phishing attacks, you can verify their legitimacy by asking co-workers if they received the same message. If the message came from an unknown source and was sent to your entire company, it is likely a phishing campaign.
Signs of a Social Engineering attack
Some common signs of Social Engineering attacks to look out for include:
Uncommon or suspicious URL strings
Check the URL in the web address bar. Sometimes the brand is misspelled, has extra characters after ‘.com’, or has a different country extension (.ru instead of .com). This can be a sign of an illegitimate site.
Strange spelling, grammar, and capitalization
Non-English speaking hackers may be using translation services to create copy designed to steal your credentials. While mistakes can sometimes occur in legitimate websites due to oversight, consistently bad grammar or incorrect spelling combined with a suspicious URL is a dead giveaway of a phishing site.
Strange branding/messaging
Hackers sometimes alter a brand’s copy or messaging in order to obtain the required information from you. Look for subtle changes or odd requests in the site’s copy along with suspicious URLs.
Tips for avoiding Social Engineering attacks
As Social Engineers look to manipulate human behavior, it is important that you stay alert for any suspicious documents or out-of-character emails from company officials. Following these tips can help you ensure that you stay vigilant to Social Engineering attacks.
- Never provide credentials to anyone, online or on the phone: Social Engineers will try to coarse you into disclosing credentials so it is important that you only share personal information with trusted sources.
- Double-check file extensions. If a ‘PDF’ ends in .exe, it’s likely malware: PDF files will always end in .PDF. If a file does not, then there is most likely a malicious payload attached to the file.
- Be vigilant in verifying website authenticity: Check for security indicators such as HTTPS and the Google padlock icon. Additionally, take time to verify a website’s domain is legitimate before entering personal information. This can be done by analyzing the subdomain and top-level domains in a URL for out of place characters. Double-check and verify that emails are coming from the right person: Titles, positions, and even email headers can be fabricated with an out-of-band communication method, such as a direct phone call or in-person communication.
- Implement a ‘least-privileged’ policy: Limiting network access by employee duties can help to bolster network security and combat insider threats. When employees only have access to the parts of the network they need to do their job, you can localize breaches and reduce the impact of an attack.
How SecurityScorecard can help
Organizations must remain alert to Social Engineering attacks at all times in order to maintain secure business operations. A key component of this is having visibility into your internal and third-party network environments. With SecurityScorecard’s Security Ratings organizations can continuously track their cyber health and prevent attacks before they can be carried out. The threat intelligence capabilities of Security Data supply you with up-to-date information on the latest attack vectors so that you are always one step ahead of cybercriminals.
With Atlas, organizations can easily monitor and manage third-party risk across their entire vendor ecosystem. Atlas empowers organizations to send, complete, and auto-validate questionnaires at scale so they can better understand their vendors’ IT risk. With the visibility gained, organizations can actively mitigate Social Engineering risk and improve their vendors’ security posture.
As more businesses begin to operate remotely, being able to defend against Social Engineering threats is a necessity. With SecurityScorecard, you can proactively manage and remediate Social Engineering risk.
