What Is Social Engineering? Tactics, Impact & 6 Tips To Avoid It
We’ve all been there.
You receive an unexpected email from a friend asking if you recognize a person in a photo that’s attached. Maybe it’s a call from the company’s chief financial officer asking you to wire a large sum of money immediately. Or a delivery person tries to follow you into your secure office building.
These could all be legitimate scenarios. They could also be examples of social engineering.
What is social engineering? How can you recognize social engineering attacks? What impact could such an attack have on your business?
In this article, I’ll provide a comprehensive overview of social engineering. After reading this article, you’ll understand the tactics to watch for, the potential impact, and concrete steps you can take to keep your users and your data secure.
At Kelser, we believe in providing the information business and IT leaders like you need to keep their organizations and IT infrastructure safe, efficient, and available.
Whether you have your own IT staff or work with an outside IT service provider, we provide easy-to-understand articles that include all of the information you need to confidently assess and manage your IT needs.
What Is Social Engineering?
Social engineering attacks are designed to manipulate people into giving out confidential business or personal information or infecting their devices or infrastructure with malware. As in the examples cited above, social engineering attacks can occur via email, instant message, text message, or in person.
What Does A Social Engineering Attack Look Like?
Social engineering attacks can take many forms, and they are on the rise because they work.
Some common social engineering tactics to watch for include:
Phishing
Phishing is one of the most common social engineering tactics.
At first glance, most phishing attacks look like they come from a person or entity the user knows and trusts. For example, the message could look like it comes from a personal friend, business associate, family member, bank, store, or government agency.
They are typically delivered via email, instant message, or text, and they convey a sense of urgency designed to lure users into quickly handing over sensitive information such as login credentials, Social Security numbers, banking information, or credit card data.
Baiting
In baiting attacks, a perpetrator provides a temptation (the bait) that piques the user’s curiosity or appeals to their desire for money or power.
These attacks typically involve providing a free service or product (such as software designed to clear your device of unwanted spam emails) or giving you access to privileged information (like the salaries of your colleagues).
While typically delivered via email in the form of a link, they can also occur in the form of a mysterious flash drive that is left in an open public place, like a parking lot or lobby.
Human beings are curious by nature and that curiosity often causes users to take the exact action that perpetrators want.
Pretexting
In a pretexting attack, the perpetrator impersonates someone in power, such as a member of the senior management team, from the CEO to a finance or IT person.
The victim is led to believe that the person with whom they are dealing has a valid reason (and the authorization) for requesting the information they seek.
Pretexting can happen via email, telephone, or even in person.
Tailgating
Tailgating happens when someone gains access to a restricted area by sneaking in without the knowledge of the person providing access. For example, an employee swipes in with a badge and the perpetrator slips in behind them.
These attacks happen in person.
Piggybacking
Piggybacking occurs when an authorized person realizes that they’ve let someone in, but assumes that person has a legitimate reason for being there.
The perpetrator may say they are there for an interview, to deliver a pizza, or for a meeting. They can usually make their presence believable by using publicly available information, such as names and job titles taken from the organization’s website.
Piggybacking is another in-person social engineering ploy.
Quid Pro Quo
Often classified as a form of baiting, a quid pro quo attack capitalizes on the human need to reciprocate a favor.
Attackers may impersonate someone from an internal or external IT group and promise to provide a service (for example, a free virus scan) in return for the user’s login credentials, or by having the user click a link. Even this basic information is enough to provide access so the perpetrator can install malware.
What Is The Impact Of A Social Engineering Attack?
Social engineering exploits human actions to gain access to information. You can have the best technology protections in place, but one human error can put all of your internal and customer data at risk.
The impact of a social engineering attack can include financial costs, damage to your organization’s reputation, and loss of productivity.
6 Ways To Avoid Becoming A Victim Of A Social Engineering Attack
1. Verify First
Make it a point to never provide personal or otherwise sensitive information via telephone or email without verifying the requester’s identity through another means. Don’t assume that just because someone identifies themselves as Jake from Accounting, they really are that person.
Verify separately, through a third party, that both the person and the request are legitimate. Taking this one step can avoid a lot of headaches down the road.
2. Question Unsolicited & Unexpected Offers
Always question unsolicited offers that seem too good to be true; they probably are!
3. Update Software
Software updates provide protection from the latest cybersecurity threats. While no tool provides 100 percent protection, keeping your software current will provide the latest protection available.
4. Implement, Update and Follow Policies & Procedures
Policies and procedures are the best way to achieve consistency throughout your organization. Make sure they are current and reflect the latest threats.
5. Protect Login Information
Believe it or not, login credentials alone can be extremely valuable to hackers. Multi-factor authentication, strong passwords, and password managers provide extra layers of security to protect this information.
And, whatever you do, don’t store login information on a sticky note under your keyboard; that is such a common practice that it is the first place someone with bad intentions will look.
6. Provide Cybersecurity Awareness Training
Employees can be your strongest asset when it comes to cybersecurity, but only if they know what threats exist and how to recognize them.
Regular cybersecurity awareness training for all employees ensures that your employees are up to the job. By knowing the role they play in responding to and reporting suspicious activity, you empower them to rise to the challenge.
Where Do You Go From Here?
After reading this article, you now have a better understanding of what social engineering is and some of the more common forms it takes:
- Phishing
- Baiting
- Pretexting
- Tailgating
- Piggybacking
- Quid pro quo
You understand who these attacks can target, what they look like, and how to spot them. You also know 6 ways to avoid becoming a victim.
You have the information you need to take the steps to protect your organization from social engineering attacks. If your organization has the resources you can implement these suggestions. If not, you can partner with an outside IT provider to get what you need.
At Kelser, we provide a comprehensive suite of managed IT solutions designed to ensure that our customers have the resources they need to keep their IT infrastructure safe, available and secure.
We know that managed IT isn’t right for everyone and that’s why we are committed to providing honest, easy-to-understand information you can use to select the IT solutions that will keep your organization’s IT infrastructure and data safe.
Wondering what managed IT is all about, how much it costs, and what it includes? Read this article: How Much Does Managed IT Cost? What’s Usually Included?