How to Identify and Stop Social Engineering Attacks
According to research by Proofpoint, criminals and hackers now rely on social engineering techniques as their primary exploit for bypassing cybersecurity.
Social engineering attacks — at least in an IT context — refer to attempted network intrusions and data thefts that rely on human interaction and deception to succeed rather than coding prowess.
These assaults, much like traditional scams, rely on appealing to the victim’s gullibility, vanity, fear of authority, or greed in order to gather confidential information or access to key systems. And by using the credentials and passwords of the duped target, criminals can more easily bypass existing security protocols.
Common Types of Social Engineering Attacks
Phishing emails, which are disguised as legitimate correspondence, are one of the most common types of social engineering attacks currently employed. The intent of the communication is to encourage the recipient, typically through a sense of urgency, to click on an embedded link that will route the user to an unsecured site intended to either capture user information (e.g., passwords) or download malware.
In a 2016 report, Verizon Enterprise identified that 30 percent of phishing emails were opened by the recipient and that these messages were opened on average within one minute and 40 seconds of receipt. Further, 12 percent of recipients actually clicked on the enclosed link or attachment.
Pretexting relies on establishing a false but believable circumstance or “pretext” for contacting your employee. For example, the scammer may pose as a supplier that needs to verify financial routing information over the phone or via email.
Earlier this year, a research firm Uber hired used a pretexting strategy to secure information regarding the opposing counsel and litigant of an impending class-action lawsuit. An employee from the research firm posed as a reporter and called colleagues of both the plaintiff and his lawyer, asking questions intended to elicit background information for the case.
And while the legality of this inquiry is currently under question, criminals will use this tactic without similar consideration.
Baiting attacks offer the victim a potential good or item that encourages them to cooperate. One of your employees may receive a “promotional” USB drive or CD through the mail or find one left in a common area, such as a break room. The item promises something beneficial, either free music or a game, but it is actually loaded with malware.
Quid pro quo
Similar to baiting, these attacks rely on providing the target with a beneficial exchange for access or confidential information. Commonly, the scammer will pose as a member of the company’s IT staff and offer assistance or support over the phone — all they need to “render assistance” is for the employee to provide their login information or download software from the Internet.
Back in 2009, a security consultant reported that, using this very strategy as part of a security test, he was able to obtain the usernames and passwords of 85 percent of the 64 employees he contacted.
What Can You Do To Fight Social Engineering Attacks?
You should invest in modern antivirus and antimalware software that will help prevent and manage potential intrusions. Evaluate email filtering software that can identify and remove phishing attacks before they make it to an employee’s inbox.
Social engineering attacks rely on either the naiveté or gullibility of your staff. Provide them with regular security awareness training that outlines common tactics and strategies that criminals will use.
Also, you need to establish clear security policies that outline whom employees may share information with and how that information should be transmitted. Create official channels for security and IT personnel to contact staff and vice versa.
Conduct frequent penetration tests to gauge how well your employees are prepared to handle these various attacks. The success of these tests will not only identify holes in your security policies but can also help to determine which cross-sections of your business may need further education.
Limit information access
Since many social engineering attacks rely on using privileged information to gain further access, limit the supply of that information. Shred company records or any documentation that includes names or employee information. Consider using trash receptacles or dumpsters with locking mechanisms.
Social engineering attacks are but the newest iteration in a long history of confidence schemes, and the surest means of limiting their success is knowledge. By keeping your employees informed, you can prevent these attacks from succeeding against your business.